ICMP forwarding not working when single port is forwarded
Migrated from: https://tracker.clearos.com/view.php?id=1708
Reported by: Peter Baldwin
ICMP should be forwarded to the target system when a 1-to-1 NAT rule is created. These rules are created by the firewall, but there might be a missing PREROUTING rule, e.g.:
iptables -t nat -I PREROUTING -p icmp -d 1.2.3.4 -j DNAT --to 192.168.1.100
Reference: http://opsmonkey.blogspot.ca/2007/02/path-mtu-discovery-and-mtu.html
Developer comments:
- The iptables rule should be more selective on ICMP messages (0, 3, 8 and 11 are wanted).
- This only works if you NAT one external IP to one internal IP. Apparently it is against RFCs to NAT an external IP to different internal IPs if you NAT by port.
- This probably should be an app-firewall issue.
Edited by Nick
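As an added example (not ClearOS's own firewall code), the following POSIX shell script shows what the report and the developer comment ask for together: it generates the nat/PREROUTING DNAT rules restricted to ICMP types 0, 3, 8 and 11 for a 1-to-1 mapping, and it audits an iptables-save dump to tell whether such a rule is already present. The dumps it checks are constructed samples embedded in the script (a single TCP/80 forward for 1.2.3.4 to 192.168.1.100, with and without an ICMP rule); `--to-destination` is the long form of the `--to` option used in the report. The rules are printed rather than applied, so nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example, not ClearOS firewall code: generate the selective ICMP DNAT
# rules for a 1-to-1 NAT mapping and check an iptables-save dump for them.
# Rules are printed, not applied, so they can be reviewed first; to apply
# them, pipe the output to sh as root on the firewall.

# ICMP types from the developer comment: 0 echo-reply, 3 destination-unreachable
# (carries the fragmentation-needed messages PMTU discovery depends on),
# 8 echo-request, 11 time-exceeded.
ICMP_TYPES="0 3 8 11"

# icmp_dnat_rules EXTERNAL_IP INTERNAL_IP
# Emit one nat/PREROUTING DNAT rule per wanted ICMP type. --to-destination is
# the long form of the --to option used in the report.
icmp_dnat_rules() {
    for t in $ICMP_TYPES; do
        printf 'iptables -t nat -I PREROUTING -p icmp --icmp-type %s -d %s -j DNAT --to-destination %s\n' \
            "$t" "$1" "$2"
    done
}

# has_icmp_dnat EXTERNAL_IP   (reads iptables-save output on stdin)
# Succeed if some nat PREROUTING rule already DNATs ICMP for EXTERNAL_IP.
# iptables-save prints -d before -p and writes a host address as /32. The
# dots in the address act as regex wildcards here, which is acceptable for
# an audit check.
has_icmp_dnat() {
    grep -q -e "^-A PREROUTING .*-d $1/32 .*-p icmp .*-j DNAT"
}

# missing_icmp_rules EXTERNAL_IP INTERNAL_IP   (reads iptables-save on stdin)
# Print the rules the firewall still needs; print nothing if ICMP is covered.
missing_icmp_rules() {
    if has_icmp_dnat "$1"; then
        return 0
    fi
    icmp_dnat_rules "$1" "$2"
}

# Constructed sample: the nat table after the firewall created a single-port
# forward (TCP/80) for 1.2.3.4 -> 192.168.1.100, with no ICMP rule at all.
SAMPLE_NAT_NO_ICMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
COMMIT'

# Constructed sample: the same table after an echo-request DNAT rule was added.
SAMPLE_NAT_WITH_ICMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -d 1.2.3.4/32 -p icmp -m icmp --icmp-type 8 -j DNAT --to-destination 192.168.1.100
COMMIT'

# Demonstration: audit the ICMP-less dump and print the rules it is missing.
printf '%s\n' "$SAMPLE_NAT_NO_ICMP" | missing_icmp_rules 1.2.3.4 192.168.1.100
```

On a real host the audit would read `iptables-save -t nat` instead of the embedded sample, e.g. `iptables-save -t nat | missing_icmp_rules 1.2.3.4 192.168.1.100`. Because the generator uses `-I`, the four rules land at the top of PREROUTING in reverse order, which does not matter since they match disjoint ICMP types.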