* Change outbound ICMP source
From: Nathaniel Hall @ 2006-04-10 18:02 UTC
  To: netfilter

I have been trying to figure out how to change the source IP address of 
an ICMP packet that originates from the firewall.  Here is my application.

Instead of dropping a packet I reject it with ICMP host unreachable 
messages.  I would like to make it appear that the firewall isn't there, 
so I would like to change the source IP address to be that of our 
upstream router.  How would I go about doing this?

-- 
Nathaniel Hall, GSEC GCFW GCIA




* Re: Change outbound ICMP source
From: R. DuFresne @ 2006-04-10 20:05 UTC
  To: Nathaniel Hall; +Cc: netfilter

On Mon, 10 Apr 2006, Nathaniel Hall wrote:

> I have been trying to figure out how to change the source IP address of an 
> ICMP packet that originates from the firewall.  Here is my application.
>
> Instead of dropping a packet I reject it with ICMP host unreachable messages. 
> I would like to make it appear that the firewall isn't there, so I would like 
> to change the source IP address to be that of our upstream router.  How would 
> I go about doing this?
>
>

by blocking the ICMP's at that upstream router.


Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>



* Re: Change outbound ICMP source
From: Nathaniel Hall @ 2006-04-10 20:18 UTC
  To: R. DuFresne; +Cc: netfilter

R. DuFresne wrote:

> On Mon, 10 Apr 2006, Nathaniel Hall wrote:
>
>> I have been trying to figure out how to change the source IP address of an
>> ICMP packet that originates from the firewall.  Here is my application.
>>
>> Instead of dropping a packet I reject it with ICMP host unreachable messages.
>> I would like to make it appear that the firewall isn't there, so I would like to
>> change the source IP address to be that of our upstream router.  How would
>> I go about doing this?
>
> by blocking the ICMP's at that upstream router.

That doesn't achieve what I want.  If a TCP connection is rejected at
the firewall, then blocking ICMP at the upstream router will block the
host-unreachable from going out, not make it seem as if the router is
the source.

-- 
Nathaniel Hall, GSEC GCFW GCIA




* Re: Change outbound ICMP source
From: sven @ 2006-04-10 22:12 UTC
  To: nathaniel.d.hall; +Cc: netfilter

> That doesn't achieve what I want.  If a TCP connection is rejected at
> the firewall, then blocking ICMP at the upstream router will block the
> host-unreachable from going out, not make it seem as if the router is
> the source.

You want to do SNAT?





* Re: Change outbound ICMP source
From: Nathaniel Hall @ 2006-04-10 22:20 UTC
  To: sven; +Cc: netfilter

sven@hin.de wrote:

>> That doesn't achieve what I want.  If a TCP connection is rejected at
>> the firewall, then blocking ICMP at the upstream router will block the
>> host-unreachable from going out, not make it seem as if the router is
>> the source.
>
> You want to do SNAT?

Yes, but it isn't SNAT because it isn't being routed.  It would be on
the OUTPUT chain since it is originating from the firewall.

-- 
Nathaniel Hall, GSEC GCFW GCIA
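
An added example, not code from the thread or from netfilter: a small Python model of the ICMP host-unreachable that a REJECT target generates for a forwarded connection, using constructed sample addresses and hypothetical function names. It shows that the rejecting host appears only in the outer IP source (the quoted inner header names the original client and server, not the firewall), and that rewriting that source, which is what the thread is asking the OUTPUT path to do, touches only the outer IP header and its checksum, because the ICMP checksum covers the ICMP message alone.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample addresses for the thread's scenario (not taken from the posts).
FIREWALL = "192.0.2.1"           # rejects a forwarded TCP SYN with ICMP host-unreachable
UPSTREAM_ROUTER = "192.0.2.254"  # the hop the firewall would like the ICMP to appear from
CLIENT = "198.51.100.7"
SERVER = "203.0.113.10"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def sample_rejected_syn() -> bytes:
    """A constructed TCP SYN from CLIENT to SERVER:22, the packet the firewall rejects."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(CLIENT, SERVER, 6, len(tcp)) + tcp

def host_unreachable(reporter: str, rejected: bytes) -> bytes:
    """ICMP type 3 code 1 as REJECT emits it: outer source is the rejecting host, the
    payload quotes the rejected packet's IP header plus 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + rejected[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, str(IPv4Address(rejected[12:16])), 1, len(icmp)) + icmp

def parse_icmp_error(pkt: bytes) -> dict:
    """Who reported the error and which packet it quotes; intact headers checksum to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if inet_checksum(pkt[:ihl]) or inet_checksum(icmp):
        raise ValueError("bad IP or ICMP checksum")
    return {"reporter": str(IPv4Address(pkt[12:16])), "type": icmp[0], "code": icmp[1],
            "orig_src": str(IPv4Address(icmp[20:24])), "orig_dst": str(IPv4Address(icmp[24:28]))}

def rewrite_reporter(pkt: bytes, new_src: str) -> bytes:
    """All a source rewrite of the firewall's own ICMP error must touch: the outer IP
    source and the IP checksum (the ICMP checksum does not cover the outer IP header)."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:10] + b"\x00\x00" + IPv4Address(new_src).packed + pkt[16:ihl]
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + pkt[ihl:]
```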



