Gary Renshaw wrote:
I am trying to get a host to reject pings with an ICMP host-unreachable message so that it looks like the host doesn't exist. This is easy and works nicely.
This will not do what you want for several reasons. On a local network, the "host unreachable" condition is identified by the system _sending_ the pings when there is no ARP reply from the target host; this means that any local host can know the "stealth" host is up from the ARP reply. This method also won't work beyond most gateways unless you have the cooperation of the gateway; most gateways are configured with firewalls that prevent spoofing across subnets, and thus it will drop any packets with invalid source addresses on them. In your diagram anything upstream from the gateway would receive replies from the WAN (or upstream) IP address, not the LAN, and the gateway won't (or at least shouldn't) accept LAN packets sourced with an IP on a different network.
If your goal is to hide the "stealth" host from clients on the local network, it's pointless; ARP's give you away as a live host anyway, and there's no way to "fix" that without breaking TCP/IP functionality all-together.
The problem is that I'd like to use SNAT to spoof the source address
so that the ICMP looks like it is coming from the network's gateway,
not the stealthy host. This isn't working the way I expected.
I've set up a very simple test rig for this.
192.168.1.1 (GATEWAY) <-----> 192.168.1.2 (STEALTH)
|
\--> 192.168.1.3 (WORKSTATION)
-- Josh
Attachment:
signature.asc
Description: OpenPGP digital signature
