Why does the network bridge not forward icmp_redirect packets?

Discussion in 'Linux Networking' started by whoami, Feb 29, 2012.

whoami (Guest)

Dear all,

I set up a Linux box to act as a firewall, using just bridge mode. For
hot-standby reasons, I need the box to forward all icmp_redirect packets
for a special IP address, but what puzzles me so much is that it does not
work at all.

As an easy test, I set up a testing environment like:

PC1(192.168.190.2) -------------------------- (eth0) LINUX BOX (eth1) -------------------- 192.168.190.23(PC2)

I just send icmp_redirect packets with a tool named sing
(http://sourceforge.net/projects/sing/).

The command is like:
sing -red -gw 192.168.190.250 -dest 192.168.120.23 -S 192.168.190.26 -x host -prot tcp -psrc 123 -pdst 123 192.168.190.23

and I test with these proc file values:
    /proc/sys/net/ipv4/conf/all/accept_redirects 1
    /proc/sys/net/ipv4/conf/all/send_redirects 1
    /proc/sys/net/ipv4/conf/all/secure_redirects 0/1
    /proc/sys/net/ipv4/ip_forward 1
    /proc/sys/net/ipv4/icmp_echo_ignore_all 0
    /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 0

But why can't I receive any icmp_redirect packets on PC2!??
(PC1 can ping PC2, which means the Linux box's network bridge works fine.)

To make sure about the rules, I cleared all firewall rules and added:

iptables -t mangle -A PREROUTING -p icmp --icmp-type 5 -j ACCEPT

It shows there are some redirect packets received by the box on eth0,
but the following rules:

    iptables -t mangle -A FORWARD -p icmp --icmp-type 5 -j ACCEPT
    iptables -t nat -A PREROUTING -p icmp --icmp-type 5 -j ACCEPT

give no packets at all!
It seems like the packets are lost just after the mangle PREROUTING chain.

Can anyone please help me make the packets bypass the box?
Thanks!!
    whoami, Feb 29, 2012
    #1
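Added example, not from this thread or from the sing project: a small Python decoder for ICMP redirect (type 5) packets like the one the sing command above generates, plus a check modelled loosely on the secure_redirects sysctl (only trust a redirect sent by a router you already know). The frame is constructed inline from the addresses in the post; the function names and the known-router set are my own assumptions.

```python
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}  # RFC 792

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_redirect(src, dst, gateway, victim_dst, code=1):
    """Constructed test frame: IPv4 + ICMP redirect quoting a TCP 123->123 header."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                        socket.inet_aton(dst), socket.inet_aton(victim_dst))
    inner += struct.pack("!HH", 123, 123) + b"\x00" * 4  # first 8 bytes of TCP header
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway)) + inner
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + body

def parse_redirect(frame: bytes):
    """Decode an IPv4/ICMP redirect; return None for anything that is not one."""
    if len(frame) < 20 or frame[9] != 1:  # IP protocol 1 = ICMP
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]
    if icmp[0] != ICMP_REDIRECT or len(icmp) < 28:
        return None
    inner = icmp[8:]  # quoted header of the datagram being redirected
    return {
        "src": socket.inet_ntoa(frame[12:16]),      # router that claims to send it
        "dst": socket.inet_ntoa(frame[16:20]),      # host being told to re-route
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "gateway": socket.inet_ntoa(icmp[4:8]),     # new next hop being advertised
        "victim_dst": socket.inet_ntoa(inner[16:20]),
        "checksum_ok": icmp_checksum(icmp) == 0,
    }

def is_trusted_redirect(info, known_routers):
    """Loosely models secure_redirects=1: accept only intact redirects from a known router."""
    return info["checksum_ok"] and info["src"] in known_routers
```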