
Thread: iptables nat bug

  1. #1

    iptables nat bug

    I don't know if everyone has seen this yet, or if it is old news, but I figured I would post it anyway:

    Subject: [RHSA-2002:086-05] Netfilter information leak
    Date: Thu, May 9, 2002 8:46 am

    Red Hat, Inc. Red Hat Security Advisory

    Synopsis: Netfilter information leak
    Advisory ID: RHSA-2002:086-05
    Issue date: 2002-05-08
    Updated on: 2002-05-09
    Product: Red Hat Linux
    Keywords: netfilter iptables icmp nat
    Cross references:

    1. Topic:

    Netfilter ("iptables") can leak information about how port forwarding
    is done in unfiltered ICMP packets. The older "ipchains" code is not

    This bug only affects users using the Network Address Translation
    features of firewalls built with netfilter ("iptables"). Red Hat
    Linux's firewall configuration tools use "ipchains," and those
    configurations are not vulnerable to this bug.

    2. Relevant releases/architectures:

    3. Problem description:

    Systems using the netfilter ("iptables") Network Address Translation
    (NAT) capabilities are subject to the following bug: When a NAT rule
    applies to the first packet of a connection and that packet later
    causes the system to generate an ICMP error message, the ICMP
    error message is sent out with translated addresses included. This
    address information incorrectly gives the IP address to which the
    connection would have been forwarded if the ICMP error message was
    not generated, which exposes information about the netfilter
    configuration (which ports are being translated) and about the
    network topology (which address the ports are being forwarded to).
    Also, the incorrect ICMP packets may be dropped by other intervening
    stateful firewalls as malformed packets.

    ICMP error packets generated by the host being routed to are not
    affected by this bug.

    The firewall configuration generated by Red Hat Linux's firewall
    configuration tools uses ipchains, not iptables; thus, default
    configurations of Red Hat Linux are not affected by this bug.

    4. Solution:

    Unfortunately, this problem currently has no clean fix, but while
    a clean fix is being worked on, there is a sufficient workaround:

    Filter out untracked local icmp packets using the following command:
    iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

    5. Bug IDs fixed ( for more info):
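
What the advisory describes, shown as an added example (not code from Red Hat, the netfilter project, or either post): an external client sends a SYN to the firewall's public address and port, a DNAT rule rewrites it toward an internal host, and the firewall itself then answers with an ICMP destination-unreachable. A correct firewall quotes the datagram as the client sent it; an affected one quotes the post-NAT header, disclosing the internal address and port. The script builds both ICMP errors from constructed, hypothetical addresses and ports, dissects them, and flags the one whose quoted destination no longer matches what the client sent, which is also why an intervening stateful firewall may treat such a packet as malformed.

```python
import ipaddress
import struct

# Added example, not from the advisory or the forum post.  All addresses,
# ports and packet contents below are constructed for illustration.

PUBLIC_IP = "203.0.113.5"     # firewall's public address (assumed)
INTERNAL_IP = "192.168.1.10"  # DNAT target behind the firewall (assumed)
CLIENT_IP = "198.51.100.7"    # external client probing the firewall (assumed)
PUBLIC_PORT, INTERNAL_PORT = 8080, 80


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum is left zero because we only parse."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def tcp_syn(sport, dport):
    """First 8 bytes of a TCP header (ports + sequence number), which is all an ICMP error quotes."""
    return struct.pack("!HHI", sport, dport, 0x01020304)


def icmp_dest_unreach(src, dst, quoted_ip_hdr, quoted_l4):
    """ICMP type 3 / code 3 from src to dst quoting the offending datagram (RFC 792 layout)."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted_ip_hdr + quoted_l4[:8]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Dissect an IPv4/ICMP error and return the addresses and ports of the quoted datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol is not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] not in (3, 11, 12):        # only error types quote a datagram
        return None
    inner = icmp[8:]                      # quoted IP header + 8 bytes of transport
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_sport": sport,
        "inner_dport": dport,
    }


def nat_leak(pkt, public_ip, public_port):
    """Return the leaked (address, port) if the quoted datagram carries post-NAT values.

    The client sent to public_ip:public_port, so a correct ICMP error quotes exactly
    that.  Any other quoted destination means the firewall emitted the translated
    header and has disclosed where the port is forwarded.
    """
    info = parse_icmp_error(pkt)
    if info is None:
        return None
    if (info["inner_dst"], info["inner_dport"]) == (public_ip, public_port):
        return None
    return info["inner_dst"], info["inner_dport"]


# Constructed packets: the datagram the client actually sent ...
SENT = ipv4_header(CLIENT_IP, PUBLIC_IP, 6, 20)
# ... quoted unchanged by a correct firewall, and quoted post-DNAT by an affected one.
CORRECT = icmp_dest_unreach(PUBLIC_IP, CLIENT_IP, SENT,
                            tcp_syn(40000, PUBLIC_PORT))
LEAKY = icmp_dest_unreach(PUBLIC_IP, CLIENT_IP,
                          ipv4_header(CLIENT_IP, INTERNAL_IP, 6, 20),
                          tcp_syn(40000, INTERNAL_PORT))

if __name__ == "__main__":
    for name, pkt in (("correct", CORRECT), ("leaky", LEAKY)):
        print(name, nat_leak(pkt, PUBLIC_IP, PUBLIC_PORT))
```

The leaky packet has no conntrack entry matching its quoted tuple, which is exactly what the advisory's workaround relies on: the OUTPUT rule `-m state --state INVALID -p icmp -j DROP` discards locally generated ICMP that netfilter cannot associate with a tracked connection, so the mistranslated error never leaves the box.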

  2. #2

    Re: iptables nat bug

    Yes, AFAIK there is no patch yet. It's at
