From: Ramin Dousti <ramin@cannon.eng.us.uu.net>
To: Chris Brenton <cbrenton@chrisbrenton.org>
Cc: "I.S.Kuten" <i.kuten@sam-solutions.net>, netfilter@lists.netfilter.org
Subject: Re: fake ping reply
Date: Thu, 4 Sep 2003 16:04:16 -0400
Message-ID: <20030904200416.GD31513@cannon.eng.us.uu.net>
In-Reply-To: <3F57935E.9060305@chrisbrenton.org>

On Thu, Sep 04, 2003 at 03:32:46PM -0400, Chris Brenton wrote:
> >>I wanted to set up iptables so that when someone pings my box, the echo-reply
> >>would come from another machine than mine.
> >
> >A very strange question. When the client sends you an echo-request, it
> >expects to receive an echo-reply from the same IP address. If some other
> >IP address sends the echo-reply, it will simply get dropped by the OS
> >on the client, as there is no match for this bogus packet...
>
> I don't think that's where he's going with this. This used to be a very
> cool feature that was removed about 2 years ago. :( :( :(
>
> Here's the concept, let's say you've been allocated a class C legal
> address space and have 10 or so IP addresses that are not in use. What I
> used to do was reject echo-request packets going to those addresses with
> echo-replies, and reject all other echo-requests with a host-unreachable.
I see, you want to pretend that the non-assigned IPs are assigned and the
assigned ones are not (??). If so, do this:
             1.2.3.4   5.6.7.8
              ----------
Internet -----eth0--GW--eth1----Internal LAN
              ----------
Say, you have a.b.c.0/24 assigned to you and you use a.b.c.0/25 (assigned
to your boxes) and have a.b.c.128/25 unused. Then for the same effect you
mentioned above you can have:
$IPT -t nat -A PREROUTING -i eth0 -p icmp --icmp-type echo-request \
-d a.b.c.128/25 -j DNAT --to 5.6.7.8
$IPT -t filter -A FORWARD -i eth0 -p icmp --icmp-type echo-request \
-d a.b.c.0/25 -j REJECT --reject-with host-unreach
Or maybe I didn't get your explanation right???
Ramin
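The rules in Ramin's mail cover the simple case where the unused space is exactly one /25. The added Python example below (not from the thread, and not part of netfilter) generalises that: given an allocation and any list of in-use prefixes, it computes the unused space as CIDR prefixes that each fit a single `-d` match, emits the DNAT and REJECT rules in the same form as the mail, and classifies what the gateway will do with an echo-request to a given destination. The interface name eth0, the decoy address 5.6.7.8 and the `$IPT` variable are taken from the mail; the allocation 192.0.2.0/24 and its in-use prefixes are constructed sample values.

```python
# Added example (not from the thread): build the "fake ping reply" rule set
# for an arbitrary allocation. Interface eth0, decoy 5.6.7.8 and $IPT are
# taken from Ramin's mail; 192.0.2.0/24 is a constructed sample allocation.
import ipaddress


def unused_prefixes(allocated, in_use):
    """Return the CIDR prefixes inside `allocated` that are not covered by
    any network in `in_use`, collapsed into the fewest possible prefixes."""
    alloc = ipaddress.ip_network(allocated)
    remaining = [alloc]
    for used in map(ipaddress.ip_network, list(in_use)):
        if not used.subnet_of(alloc):
            raise ValueError(f"{used} is not inside {alloc}")
        still_free = []
        for net in remaining:
            if used.subnet_of(net):
                # carve the in-use block out of this free block
                still_free.extend(net.address_exclude(used))
            elif net.subnet_of(used):
                continue  # this free block is entirely consumed
            else:
                still_free.append(net)  # disjoint, keep as is
        remaining = still_free
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def classify(dst, allocated, in_use):
    """What the gateway does with an echo-request for `dst`:
    'decoy-reply' (DNAT to the decoy host), 'host-unreach' (REJECT), or
    'not ours' (outside the allocation, neither rule matches)."""
    addr = ipaddress.ip_address(dst)
    if addr not in ipaddress.ip_network(allocated):
        return "not ours"
    if any(addr in ipaddress.ip_network(u) for u in in_use):
        return "host-unreach"
    return "decoy-reply"


def deception_rules(allocated, in_use, wan_if="eth0", decoy="5.6.7.8", ipt="$IPT"):
    """Emit the iptables commands: one DNAT rule per unused prefix and one
    REJECT rule per in-use prefix, in the same form as the mail."""
    in_use = list(in_use)
    rules = []
    for prefix in unused_prefixes(allocated, in_use):
        rules.append(
            f"{ipt} -t nat -A PREROUTING -i {wan_if} -p icmp --icmp-type echo-request "
            f"-d {prefix} -j DNAT --to {decoy}"
        )
    for used in in_use:
        rules.append(
            f"{ipt} -t filter -A FORWARD -i {wan_if} -p icmp --icmp-type echo-request "
            f"-d {used} -j REJECT --reject-with host-unreach"
        )
    return rules


if __name__ == "__main__":
    # constructed sample: a /24 with its low half plus one /29 in use
    for rule in deception_rules("192.0.2.0/24", ["192.0.2.0/25", "192.0.2.200/29"]):
        print(rule)
```

Two points worth keeping in mind when deploying rules like these: DNAT rewrites only the destination, and conntrack reverses the translation on the way back, so the echo-reply leaves eth0 with the unused address as its source, which is exactly what makes the decoy look like a live host; and the REJECT rule sits in FORWARD, so it only affects traffic routed through the gateway, while pings to the gateway's own addresses are handled by INPUT. The DNATed requests still have to be accepted by FORWARD (and ip_forward enabled) to reach the decoy.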
Thread overview:
2003-09-02 13:50 fake ping reply I.S.Kuten
2003-09-04 16:24 ` Ramin Dousti
2003-09-04 17:10 ` I.S.Kuten
2003-09-04 19:32 ` Chris Brenton
2003-09-04 20:04 ` Ramin Dousti [this message]