
I'm trying to modify ICMP time-exceeded responses (type 11) for traceroute packets, but only when they're responses to traceroute probes from a specific VM. My setup is:

  • Host OS running Ubuntu with nftables
  • Guest VM running Ubuntu, connected via bridge interface "spod"
  • Bridge interface IPs: Host 137.205.192.1, VM 137.205.192.5
  • Host's internet interface: wlo1 (192.168.110.187), gateway 192.168.110.1
  • VM traffic is masqueraded via the host

Current working rules (but these modify ALL type 11 packets, not just those for VM):

nft add table ip icmp_mod
nft add chain ip icmp_mod prerouting { type filter hook prerouting priority -300 \; }
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP1 counter snat ip to 146.97.180.159
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP2 counter snat ip to 146.97.35.246
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP3 counter snat ip to 146.97.35.18
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP4 counter snat ip to 146.97.35.197

When running traceroute from both host and VM to 1.1.1.1, the ICMP type 11 responses look identical in the prerouting chain.

I need to modify these rules to only match and modify ICMP type 11 packets that are responses to the VM's traceroute probes, not the host's probes. What's the correct nftables syntax to examine and match based on the final destination of the packets?

2 Answers

1

Another option would be to put a series of virtual nodes (running on the host) between the host and VM.

To create each node, I've used:

ip netns add <name>
ip netns exec <name> ip addr replace 127.0.0.1/8 dev lo
ip netns exec <name> ip -6 addr replace ::1/128 dev lo
ip netns exec <name> ip link set dev lo up
ip netns exec <name> sysctl net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1 ...

To link two nodes, I've used:

ip link add name <link1> netns <name1> type veth peer name <link2> netns <name2>
ip netns exec <name1> ip addr replace <addr1>/24 broadcast <broadcast1> dev <link1>
ip netns exec <name2> ip addr replace <addr2>/24 broadcast <broadcast2> dev <link2>
ip netns exec <name1> ip -6 addr replace <ipv6addr1>/64 dev <link1>
ip netns exec <name2> ip -6 addr replace <ipv6addr2>/64 dev <link2>
ip netns exec <name1> ip link set dev <link1> address <macaddress1> up
ip netns exec <name2> ip link set dev <link2> address <macaddress2> up

Once you've done a number of these, you can use a variant of the ip link add with no netns specified on one end to connect one to your host. You should also be able to connect the VM to another virtual node.

Now you need to create routing tables on each virtual node (which gets complicated, and I'm not going to try to explain).

If you've done this right, you should be able to ping and traceroute any of the virtual hosts, and the VM, and each virtual host constitutes a separate hop. Then it is simply a matter of sending a packet with a sufficiently low hop limit. And since you could easily put 200 hops in, "sufficiently low" can be the default configuration.

0

OK, so the answer to this one was remarkably simple. Simply move the nft rules and chain to postrouting instead of prerouting. The packets being forwarded to the VM go through postrouting only for the VM and not for the host OS.

So, the resulting nft commands are:

nft add table ip icmp_pos
nft add chain ip icmp_pos postrouting { type filter hook postrouting priority -300 \; }
nft add rule ip icmp_pos postrouting ip protocol icmp icmp type time-exceeded ip saddr $HOP1 ip saddr set 146.97.180.159
nft add rule ip icmp_pos postrouting ip protocol icmp icmp type time-exceeded ip saddr $HOP2 ip saddr set 146.97.35.246
nft add rule ip icmp_pos postrouting ip protocol icmp icmp type time-exceeded ip saddr $HOP3 ip saddr set 146.97.35.18
nft add rule ip icmp_pos postrouting ip protocol icmp icmp type time-exceeded ip saddr $HOP4 ip saddr set 146.97.35.197
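As an added example (not from either answer), the same postrouting approach written as a generated nft ruleset file: the hop-to-address pairs live in a named map, and the rule additionally matches the outgoing bridge interface and the VM's address explicitly, so host-bound replies cannot match even if the chain placement were ever changed. The hop addresses passed in are constructed placeholders; the bridge name and VM address are the ones from the question; it assumes an nft version that accepts map lookups in a payload set statement.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that rewrites the source address of
# ICMP time-exceeded replies only while they are being forwarded to the VM.
VM_IP="137.205.192.5"   # VM address from the question
VM_IF="spod"            # bridge interface from the question

# build_ruleset OUTFILE real_hop=fake_hop [real_hop=fake_hop ...]
# Writes an nft ruleset (for `nft -f OUTFILE`) to OUTFILE.
build_ruleset() {
    out="$1"; shift
    elems=""
    for pair in "$@"; do
        # join "real : fake" entries with ", " (no trailing comma)
        elems="${elems:+$elems, }${pair%%=*} : ${pair#*=}"
    done
    {
        printf 'table ip icmp_pos {\n'
        printf '  map hop_rewrite {\n'
        printf '    type ipv4_addr : ipv4_addr\n'
        printf '    elements = { %s }\n' "$elems"
        printf '  }\n'
        printf '  chain postrouting {\n'
        # -300 (raw) runs before conntrack; the de-NAT of the reply already
        # happened in prerouting, so ip daddr is the VM address here.
        printf '    type filter hook postrouting priority -300; policy accept;\n'
        # hops not in the map simply fail the lookup and are left untouched
        printf '    oifname "%s" ip daddr %s icmp type time-exceeded ip saddr set ip saddr map @hop_rewrite counter\n' \
            "$VM_IF" "$VM_IP"
        printf '  }\n'
        printf '}\n'
    } > "$out"
}

# check_ruleset OUTFILE: syntax-check with nft if it is installed (0 = ok/skipped)
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# Usage: build_ruleset /tmp/icmp_pos.nft 10.0.0.1=146.97.180.159 10.0.0.2=146.97.35.246
#        check_ruleset /tmp/icmp_pos.nft && nft -f /tmp/icmp_pos.nft
```

Verify with `nft list ruleset` (the counter on the rule should advance only for the VM's traceroute) and a capture on the bridge, e.g. `tcpdump -ni spod icmp`.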
