On Thu, 2004-09-16 at 13:20, darmian martinez wrote:
> Hello,
>
> I am trying to change the source IP address of ICMP reply packets of the
> firewall, just because I am trying to hide the firewall IP address in
> case someone makes a traceroute to my protected network. I don't want
> to block the ICMP packet, just to change the source IP address.
> I tried it with:
>
> iptables -t nat -I POSTROUTING -s [FIREWALL_IP] -d [TRACEROUTE_ORIGINATOR] -m state --state RELATED,NEW,ESTABLISHED -j SNAT --to [FAKE_IP_ADDRESS]
>
> It does not work. Anyone know how to make it?
<snip>

We handle this a little differently in the ISCS project (http://iscs.sourceforge.net). Instead, we have a drop rule in the mangle table to drop any packet with a TTL of 1 rather than sending back a TTL expired ICMP packet. At least I think that's what I remember doing :-)

We had originally planned to simply increment the TTL by 1 so that a packet would never expire on the gateway but then decided that was a bad way to go about it.
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
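Added example, not from this thread or the ISCS project: the mangle-table approach John describes, written as an auditable rule set. The chain name HIDE_HOP, the DRY_RUN wrapper, and the exemptions for locally addressed and multicast packets are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not ISCS project code: drop forwarded packets whose TTL is 1
# instead of answering them with ICMP Time Exceeded, so the gateway does not
# show up as a traceroute hop. HIDE_HOP and DRY_RUN are this example's names.
set -eu

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = really run them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Builds a dedicated mangle chain so the rules can be listed, flushed and
# audited independently of the rest of the firewall policy.
hide_hop_rules() {
    run "$IPT" -t mangle -N HIDE_HOP 2>/dev/null || true
    run "$IPT" -t mangle -F HIDE_HOP
    # Packets addressed to the gateway itself never trigger Time Exceeded,
    # and link-local multicast (OSPF hellos, mDNS) legitimately uses TTL 1,
    # so both are left alone.
    run "$IPT" -t mangle -A HIDE_HOP -m addrtype --dst-type LOCAL -j RETURN
    run "$IPT" -t mangle -A HIDE_HOP -m addrtype --dst-type MULTICAST -j RETURN
    # Rate-limited log so probes reaching the gateway stay visible to the SOC.
    run "$IPT" -t mangle -A HIDE_HOP -m limit --limit 6/min -j LOG --log-prefix "ttl1-drop: "
    run "$IPT" -t mangle -A HIDE_HOP -j DROP
    # The kernel emits Time Exceeded from ip_forward() before the FORWARD hook,
    # so the check has to sit in PREROUTING, where the TTL is still 1.
    run "$IPT" -t mangle -I PREROUTING -m ttl --ttl-eq 1 -j HIDE_HOP
}

# Number of iptables commands the rule set consists of (dry-run count).
rule_count() {
    ( DRY_RUN=1; hide_hop_rules ) | wc -l | tr -d ' '
}
```

Run `DRY_RUN=0 hide_hop_rules` as root to install; traceroute then shows the gateway hop as timeouts rather than as a spoofed address, and the LOG line keeps the probes visible.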