One possible solution to rejecting with the source IP of the "ICMP Host Unreachable" packet being the host that you are trying to hide would be to SNAT the packet as it goes out the system you are trying to hide on it's way back to the original sender. You would want to SNAT the packet to IP of the far side of your upstream router. In doing this you would have to make sure that your upstream router would not block suck packets with any thing like a reverse path filter.
Grant. . . .
