SNAT question

John A. Sullivan III jsullivan at
Fri Sep 17 22:48:28 CEST 2004

On Thu, 2004-09-16 at 13:20, darmian martinez wrote:
> Hello,
> I am trying to change the source IP address of ICMP reply packets of the
> firewall, just because I am trying to hide the firewall IP address in case
> someone runs a traceroute to my protected network. I don't want
> to block the ICMP packet, just to change the source IP address.
> I tried it with:
> It does not work. Does anyone know how to do it?

We handle this a little differently in the ISCS project
(  Instead, we have a drop rule in the
mangle table to drop any packet with a TTL of 1 rather than sending back
a TTL expired ICMP packet.  At least I think that's what I remember
doing :-)

We had originally planned to simply increment the TTL by 1 so that a
packet would never expire on the gateway but then decided that was a bad
way to go about it.
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
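
The two approaches mentioned in the reply above, modelled to show what a traceroute would report for each. This is an added Python example, not part of the original post and not ISCS code; the hop names, the policy labels and the iptables rule form shown in the comment are assumptions for illustration.

```python
# Added illustration (constructed): what a traceroute sees when one hop on the
# path applies each of the policies from the reply. Policy labels are hypothetical.
#   "default"   - forward normally; answer an expired TTL with ICMP time-exceeded
#   "drop_ttl1" - silently drop packets arriving with TTL <= 1, e.g. something like
#                 iptables -t mangle -A PREROUTING -m ttl --ttl-eq 1 -j DROP
#                 (assumed rule form, not quoted from the ISCS project)
#   "ttl_inc"   - add 1 to the TTL before routing, so it never expires on this hop


def send_probe(path, ttl, policies):
    """Return the name of the node that answers the probe, or None if it is dropped."""
    for hop in path[:-1]:                 # every node except the destination routes
        policy = policies.get(hop, "default")
        if policy == "drop_ttl1" and ttl <= 1:
            return None                   # dropped before the ICMP error is generated
        if policy == "ttl_inc":
            ttl += 1
        ttl -= 1                          # normal forwarding decrement
        if ttl <= 0:
            return hop                    # this hop sends ICMP time-exceeded
    return path[-1]                       # probe reached the destination


def traceroute(path, policies, max_ttl=8):
    """Probe with TTL 1, 2, ... and list who answered; '*' marks a silent hop."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(path, ttl, policies)
        seen.append(answer or "*")
        if answer == path[-1]:
            break
    return seen


# Constructed sample path from an outside host to a protected server.
PATH = ["isp-router", "firewall", "inner-router", "server"]

if __name__ == "__main__":
    for label in ("default", "drop_ttl1", "ttl_inc"):
        print(f"{label:10s}", traceroute(PATH, {"firewall": label}))
```

In this model the drop rule leaves the firewall as an unanswered hop while the hop count stays intact, whereas the TTL increment removes the hop entirely and every later node appears one hop closer.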

More information about the netfilter mailing list