Unmatchable packet?

Philip Craig philipc at snapgear.com
Wed Nov 23 07:05:19 CET 2005


On 11/23/2005 11:46 AM, Jesse Gordon wrote:
> I actually want to rewrite the source IP of TCP packets that exit a given 
> ethernet card -- even (especially) if they are generated as responses to 
> incoming connections to the box.
> 
>  Let's say I have 2 machines: S, and C;
> S is the server, and I am on C[lient]. Both machines are sitting on a simple 
> isolated flat LAN.
> 
> Normally, when C connects to S, S replies with its own source address. This 
> is normal operation, and is what I want to alter.
> I wish for the replies from S to reach C with an arbitrarily assigned 
> source address.
> (And I want the source address rewrite to be performed inside S)

You can't do this with iptables.  NAT rules only match the first packet
of a connection, and the NAT mapping that is determined for that first
packet is applied to all subsequent packets in that connection.

Furthermore, it doesn't make sense to do this.  The client will receive
packets from your arbitrarily assigned source address, but will not know
what to do with them since it never sent any packets to that address,
and so it will just drop them.
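
Added example, not part of the original message: a simplified Python model of the behaviour the reply describes, where NAT rules are evaluated only for the first packet of a connection and every later packet, including the server's replies, reuses the stored mapping. The classes, addresses and the SNAT-style rule are constructed for illustration and are not netfilter code.

```python
# Simplified model of conntrack + the nat table. Constructed for illustration;
# not netfilter code. Addresses and the SNAT rule are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def inverted(self):
        return Flow(self.dst, self.dport, self.src, self.sport)

class Conntrack:
    def __init__(self, snat_rules):
        self.snat_rules = snat_rules  # list of (match_fn, new_source_ip)
        self.entries = {}             # tuple seen by the stack -> tuple emitted
        self.rule_lookups = 0         # times the nat rules were evaluated

    def process(self, pkt):
        if pkt in self.entries:
            # Known connection, either direction: reuse the stored mapping.
            return self.entries[pkt]
        # First packet (state NEW): the only time nat rules are evaluated.
        self.rule_lookups += 1
        out = pkt
        for match, new_src in self.snat_rules:
            if match(pkt):
                out = Flow(new_src, pkt.sport, pkt.dst, pkt.dport)
                break
        self.entries[pkt] = out                        # original direction
        self.entries[out.inverted()] = pkt.inverted()  # reply direction
        return out

S, C, WANTED = "192.0.2.10", "192.0.2.20", "192.0.2.99"

def demo():
    # The rule the question asks for: rewrite the source of everything S sends.
    ct = Conntrack([(lambda p: p.src == S, WANTED)])
    syn = Flow(C, 40000, S, 80)
    ct.process(syn)                      # C -> S: NEW, rule does not match
    reply = ct.process(syn.inverted())   # S -> C: tracked, rules skipped
    lookups_after_reply = ct.rule_lookups
    outbound = ct.process(Flow(S, 50000, C, 22))  # S-initiated: NEW, rule matches
    return reply, lookups_after_reply, outbound

if __name__ == "__main__":
    print(demo())
```

The reply to C's connection leaves with S's own address because the rule is never evaluated for it, while a connection that S itself opens is rewritten.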


