Netfilter information leak

Netfilter ("iptables") can leak information about how port forwarding
is done in unfiltered ICMP packets. The older "ipchains" code is not
affected.

This bug only affects users using the Network Address Translation
features of firewalls built with netfilter ("iptables"). Red Hat
Linux's firewall configuration tools use "ipchains," and those
configurations are not vulnerable to this bug.

Systems using the netfilter ("iptables") Network Address Translation
(NAT) capabilities are subject to the following bug: When a NAT rule
applies to the first packet of a connection and that packet later
causes the system to generate an ICMP error message, the ICMP
error message is sent out with translated addresses included. This
address information incorrectly gives the IP address to which the
connection would have been forwarded if the ICMP error message was
not generated, which exposes information about the netfilter
configuration (which ports are being translated) and about the
network topology (which address the ports are being forwarded to).
Also, the incorrect ICMP packets may be dropped by other intervening
stateful firewalls as malformed packets.

ICMP error packets generated by the host being routed to are not
affected by this bug.

The firewall configuration generated by Red Hat Linux's firewall
configuration tools uses ipchains, not iptables; thus, default
configurations of Red Hat Linux are not affected by this bug.

Unfortunately, this problem currently has no clean fix, but while
a clean fix is being worked on, there is a sufficient workaround:

Filter out untracked local icmp packets using the following command:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0704
CARTSA-20020402 (http://www.cartel-securite.fr/)
Thanks to Philippe Biondi <biondi@cartel-securite.fr>

icmp, iptables, nat, netfilter