* Change outbound ICMP source
@ 2006-04-10 18:02 Nathaniel Hall
2006-04-10 20:05 ` R. DuFresne
0 siblings, 1 reply; 5+ messages in thread
From: Nathaniel Hall @ 2006-04-10 18:02 UTC (permalink / raw)
To: netfilter
I have been trying to figure out how to change the source IP address of
an ICMP packet that originates from the firewall. Here is my application.
Instead of dropping a packet I reject it with ICMP host unreachable
messages. I would like to make it appear that the firewall isn't there,
so I would like to change the source IP address to be that of our
upstream router. How would I go about doing this?
--
Nathaniel Hall, GSEC GCFW GCIA
* Re: Change outbound ICMP source
From: R. DuFresne @ 2006-04-10 20:05 UTC (permalink / raw)
To: Nathaniel Hall; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 10 Apr 2006, Nathaniel Hall wrote:
> I have been trying to figure out how to change the source IP address of an
> ICMP packet that originates from the firewall. Here is my application.
>
> Instead of dropping a packet I reject it with ICMP host unreachable messages.
> I would like to make it appear that the firewall isn't there, so I would like
> to change the source IP address to be that of our upstream router. How would
> I go about doing this?
>
>
by blocking the ICMP's at that upstream router.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEOrqOst+vzJSwZikRAuLvAJ4xoqhQ7URdwmnuie+bsB7XLqz5WwCfYzBQ
7xiEJTytpedk3pYCnKSGnkQ=
=rfrz
-----END PGP SIGNATURE-----
* Re: Change outbound ICMP source
From: Nathaniel Hall @ 2006-04-10 20:18 UTC (permalink / raw)
To: R. DuFresne; +Cc: netfilter
R. DuFresne wrote:
> On Mon, 10 Apr 2006, Nathaniel Hall wrote:
>
>> I have been trying to figure out how to change the source IP address of an
>> ICMP packet that originates from the firewall. Here is my application.
>>
>> Instead of dropping a packet I reject it with ICMP host unreachable messages.
>> I would like to make it appear that the firewall isn't there, so I would like
>> to change the source IP address to be that of our upstream router. How would
>> I go about doing this?
>
> by blocking the ICMP's at that upstream router.
That doesn't achieve what I want. If a TCP connection is rejected at
the firewall, then blocking ICMP at the upstream router will block the
host-unreachable from going out, not make it seem as if the router is
the source.
--
Nathaniel Hall, GSEC GCFW GCIA
* Re: Change outbound ICMP source
From: sven @ 2006-04-10 22:12 UTC (permalink / raw)
To: nathaniel.d.hall; +Cc: netfilter
> That doesn't achieve what I want. If a TCP connection is rejected at
> the firewall, then blocking ICMP at the upstream router will block the
> host-unreachable from going out, not make it seem as if the router is
> the source.
You want to do SNAT?
* Re: Change outbound ICMP source
From: Nathaniel Hall @ 2006-04-10 22:20 UTC (permalink / raw)
To: sven; +Cc: netfilter
sven@hin.de wrote:
>>That doesn't achieve what I want. If a TCP connection is rejected at
>>the firewall, then blocking ICMP at the upstream router will block the
>>host-unreachable from going out, not make it seem as if the router is
>>the source.
>>
>>
>
>You want to do SNAT?
>
Yes, but it isn't SNAT because it isn't being routed. It would be on
the OUTPUT chain since it is originating from the firewall.
--
Nathaniel Hall, GSEC GCFW GCIA
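The thread never settles how to rewrite the source of a locally generated ICMP error, but it is worth seeing exactly what such an error exposes. The following is an added example, not code from the thread or from netfilter: it constructs the datagram that a REJECT with icmp-host-unreachable emits (ICMP type 3, code 1, followed by the offending packet's IP header and first 8 bytes), then parses it the way an analyst would. The outer source address is the host that generated the error, while the embedded header names the destination the client was actually talking to; when the two differ, an intermediate device has revealed itself. All addresses, ports and the sequence number are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3   # ICMP type "destination unreachable"
ICMP_HOST_UNREACH = 1   # code emitted by REJECT --reject-with icmp-host-unreachable
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_host_unreach(err_src: str, orig_src: str, orig_dst: str, orig_dport: int) -> bytes:
    """Constructed sample of the error a rejecting host sends back to orig_src about a TCP SYN it refused.

    Layout: outer IP (err_src -> orig_src) | ICMP type 3 code 1 | quoted original IP header + 8 bytes of TCP.
    """
    quoted_tcp = struct.pack("!HHI", 40000, orig_dport, 0x11223344)      # sport, dport, seq (constructed)
    quoted = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, 20) + quoted_tcp  # original SYN was 40 bytes
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(err_src, orig_src, IPPROTO_ICMP, len(icmp)) + icmp


@dataclass
class UnreachReport:
    reporter: str               # outer source: the host that generated the ICMP error
    victim: str                 # outer destination: the original sender being told "unreachable"
    code: int                   # ICMP code (1 = host unreachable)
    original_dst: str           # destination of the quoted (refused) packet
    original_proto: int         # protocol of the quoted packet
    original_dport: Optional[int]
    checksums_ok: bool          # both the outer IP header and the ICMP checksum verified


def parse_icmp_error(pkt: bytes) -> Optional[UnreachReport]:
    """Parse an IPv4 ICMP destination-unreachable datagram; None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ok = inet_checksum(pkt[:ihl]) == 0
    if pkt[9] != IPPROTO_ICMP:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH:   # need the 8-byte ICMP header plus a quoted IP header
        return None
    ok = ok and inet_checksum(icmp) == 0
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    q_proto = quoted[9]
    q_dst = str(ipaddress.IPv4Address(quoted[16:20]))
    dport = None
    if q_proto in (IPPROTO_TCP, IPPROTO_UDP) and len(quoted) >= q_ihl + 4:
        dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]   # dst port sits at bytes 2-3 of TCP/UDP
    return UnreachReport(src, dst, icmp[1], q_dst, q_proto, dport, ok)


def reveals_intermediary(report: UnreachReport) -> bool:
    """True when the error was generated by a host other than the one the client addressed."""
    return report.reporter != report.original_dst


if __name__ == "__main__":
    # Constructed scenario: client 198.51.100.7 sends a SYN to 203.0.113.10:22; firewall 203.0.113.1 rejects it.
    pkt = build_host_unreach("203.0.113.1", "198.51.100.7", "203.0.113.10", 22)
    report = parse_icmp_error(pkt)
    print(report)
    print("intermediate device revealed:", reveals_intermediary(report))
```

Run as a script it prints the parsed report and `True`: the client learns that 203.0.113.1, not 203.0.113.10, is the host refusing the connection, which is precisely the information the original poster wants to suppress. The same parser run over captured ICMP errors at the edge gives a defender a quick inventory of which devices are announcing themselves this way.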