Users login

Create an account »


Users login

Home » Hacking News » MDKSA-2002:030-iptables/kernel


by Nikola Strahija on May 11th, 2002 A problem was discovered with Netfilter Network Address Translation (NAT) capabilities. It was found that iptables can leak information about how port forwarding is accomplished in unfiltered ICMP packets. When a NAT rule applies to the first packet of a connection, which subsequently causes the system to generate an ICMP error message, the ICMP error message is transmitted including the translated address. This information gives the IP address of the system to which the connection would have been forwarded had the error message not been generated, exposing information about the netfilter configuration and the network topology.

There is currently no clean fix for this problem, but a fix is being
worked on. In the meantime, if you use the NAT capabilities of
iptables, you can protect yourself by filtering out untracked local
ICMP packets using the following iptables command:

iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

All kernel patches from iptables

All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team from:

Please be aware that sometimes it takes the mirrors a few hours to

You can view other update advisories for Mandrake Linux at:

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by

If you want to report vulnerabilities, please contact

[email protected]

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »