SNAT question

John A. Sullivan III jsullivan at opensourcedevelopmentcorp.com
Fri Sep 17 22:48:28 CEST 2004


On Thu, 2004-09-16 at 13:20, darmian martinez wrote:
> Hello,
>  
> I am trying to change the source ip address of icmp reply packets of the
> firewall, just because I am trying to hide the firewall ip address in the case someone makes a traceroute to my protected network. I don't want
> to block the icmp packet, just to change the source ip address.
> I try it with:
>  
> iptables -t nat -I POSTROUTING -s [FIREWALL_IP] -d [TRACEROUTE_ORIGINATOR] -m state --state RELATED,NEW,ESTABLISHED -j SNAT --to [FAKE_IP_ADDRESS]
>  
> It does not work. Does anyone know how to make it?
<snip>
We handle this a little differently in the ISCS project
(http://iscs.sourceforge.net).  Instead, we have a drop rule in the
mangle table to drop any packet with a TTL of 1 rather than sending back
a TTL expired ICMP packet.  At least I think that's what I remember
doing :-)

We had originally planned to simply increment the TTL by 1 so that a
packet would never expire on the gateway but then decided that was a bad
way to go about it.
-- 
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
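The mangle-table "drop rather than answer" approach John describes, written out as iptables rules. This is an added example, not code from the thread or from the ISCS project; the interface name and protected subnet are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: drop packets that would expire on this
# hop instead of answering them with ICMP "time exceeded". WAN_IF and INNER_NET
# are constructed placeholders (RFC 5737 documentation range), not thread values.
WAN_IF="${WAN_IF:-eth0}"
INNER_NET="${INNER_NET:-192.0.2.0/24}"

# Print the rules instead of running them so the set can be reviewed first.
# The ttl match sees the TTL as the packet arrived; forwarding decrements it
# afterwards, so a packet that arrives with TTL 1 is exactly the one that would
# expire on this box and trigger an ICMP "time exceeded" from the firewall's
# own address. Restricting to -d $INNER_NET leaves packets addressed to the
# firewall itself alone: those are delivered locally and never expire anyway.
# The LOG rule (rate limited) keeps a record of what was silently dropped.
ttl_drop_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IF -d $INNER_NET -m ttl --ttl-eq 1 -m limit --limit 5/min -j LOG --log-prefix "ttl1-drop: "
iptables -t mangle -A PREROUTING -i $WAN_IF -d $INNER_NET -m ttl --ttl-eq 1 -j DROP
EOF
}

# Apply the printed rules on a box that actually has iptables; do nothing
# elsewhere so the script is safe to source for review.
apply_ttl_drop_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found; nothing applied" >&2; return 0; }
    ttl_drop_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Usage (review the rules first, then apply them):
#   . ./ttl-drop.sh && ttl_drop_rules
#   . ./ttl-drop.sh && apply_ttl_drop_rules
```

With these rules the firewall shows up as `* * *` in a traceroute toward the protected network rather than revealing its address, and the same hop disappears from your own legitimate traceroute diagnostics, which is the trade-off of this approach.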