Linux router – how to send icmp unreachable messages to LAN clients

Tags: icmp, linux, networking, routing

I have a Linux home router with eth0 (192.168.0.2/24) and bridge br0 for LAN clients (192.168.1.1/24). Bridge br0 contains eth1 (wired) and eth2 (wireless).

The router routes all LAN traffic via eth0 (192.168.0.2) to an ADSL router (192.168.0.1) via SNAT and from there to the Internet. (At the moment I wonder if I can do this without SNAT but that's not the issue for now.)

I would like to know how the LAN clients can get ICMP messages for unreachable hosts. If a LAN client pings an unused IP in its own subnet (e.g. 192.168.1.123), I see destination host unreachable messages. How can I get those messages for other unreachable addresses that are not within the subnet of the LAN client? Should I add all of the unroutable, unknown nets as iptables rules or perhaps add them with iproute2 as unreachable addresses, on the Linux router?

For example, 10.0.0.1 is an address I don't use. If I do a traceroute from a LAN client to 10.0.0.1, I see those packets travel as such:

# traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 52 byte packets
 1  linuxrouter (192.168.1.1)  0.247 ms  0.143 ms  0.126 ms
 2  adslrouter (192.168.0.1)  0.526 ms  0.526 ms  0.322 ms
 3  isp.hop1 (194.109.w.x)  33.250 ms  33.376 ms  33.337 ms
 4  isp.hop2 (194.109.y.z)  61.811 ms !N  32.700 ms !N  32.639 ms !N

(I don't know why the very first hop of my ISP forwards these.)

Instead of this, I'd rather have the Linux router reject any RFC 1918 address. What are the best practices?

Best Answer

ICMP Unreachable packets are a special breed; they'll only be thrown back at your systems when a router cannot route for that destination, if the router's behaving correctly; you'll also need to make sure they aren't getting discarded by an overzealous firewall.

In the case of 10.0.0.1, the ISP is probably not filtering the RFC 1918 ranges out until hop 3 - but if the discard is due to an ACL filter, it'll just throw the packets away without sending an Unreachable response.

To get your Linux router to drop the packets and throw unreachables, add a reject route:

route add -net 10.0.0.0 netmask 255.0.0.0 reject

You'll want to make this persistent - where you need to do this depends on your router's flavor of Linux.
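As an added illustration (not part of the answer above), the following Python model of the router's route lookup shows why reject routes for the whole RFC 1918 space do not cut off the router's own 192.168.0.0/24 and 192.168.1.0/24 subnets: the kernel picks the longest matching prefix, so the connected /24s beat the /16 reject entry, while 10.0.0.1 hits the reject route and the sender gets an ICMP destination unreachable instead of the packet leaking to the ISP. The interface names, subnets and the extension of the reject route to all three RFC 1918 blocks are taken from the question and answer; the routing table itself is constructed for the example.

```python
import ipaddress

# Constructed model of the router's table: br0 is the LAN, eth0 the uplink
# to the ADSL router. The "unreachable" entries are the reject routes from
# the answer, extended (assumption) to all three RFC 1918 blocks.
ROUTES = [
    ("192.168.1.0/24", "dev br0"),
    ("192.168.0.0/24", "dev eth0"),
    ("0.0.0.0/0", "via 192.168.0.1 dev eth0"),
    ("10.0.0.0/8", "unreachable"),
    ("172.16.0.0/12", "unreachable"),
    ("192.168.0.0/16", "unreachable"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel FIB does for a forwarded packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return None if best is None else best[1]


def forward(dst, routes=ROUTES):
    """What the LAN client gets back for a packet sent to dst."""
    action = lookup(dst, routes)
    if action is None or action == "unreachable":
        # A reject route makes the router answer with ICMP destination
        # unreachable itself instead of forwarding to the default gateway.
        return "ICMP destination unreachable from router"
    # For a connected /24 the packet is forwarded; an unused address there
    # still yields host unreachable, but from the failed ARP, not the FIB.
    return "forwarded " + action


def iproute2_commands(routes=ROUTES):
    """iproute2 equivalents of the net-tools reject route in the answer."""
    return ["ip route add unreachable %s" % p
            for p, a in routes if a == "unreachable"]


if __name__ == "__main__":
    for dst in ("10.0.0.1", "172.20.1.1", "192.168.0.1", "192.168.1.123", "8.8.8.8"):
        print(dst, "->", forward(dst))
    print("\n".join(iproute2_commands()))
```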
