* Change Source
@ 2006-10-30 16:36 Nathaniel Hall
From: Nathaniel Hall @ 2006-10-30 16:36 UTC (permalink / raw)
To: netfilter
Is there any way to change the source address of an outbound ICMP packet?
Here is why I am asking. Instead of dropping packets I reject them with ICMP host unreachable
packets. If I were to try to initiate a connection to my firewall's outside IP I would get a host
unreachable from the same IP address as the firewall. I would like to be able to change this
address to be the gateway at my ISP. That will lessen the chances of recon and mess with a few
heads. Is there any way?
--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
* Re: Change Source
@ 2006-10-30 17:38 ` Wakko Warner
From: Wakko Warner @ 2006-10-30 17:38 UTC (permalink / raw)
To: Nathaniel Hall; +Cc: netfilter
Nathaniel Hall wrote:
> Is there any way to change the source address of an outbound ICMP packet?
>
> Here is why I am asking. Instead of dropping packets I reject them with ICMP host unreachable
> packets. If I were to try to initiate a connection to my firewall's outside IP I would get a host
> unreachable from the same IP address as the firewall. I would like to be able to change this
> address to be the gateway at my ISP. That will lessen the chances of recon and mess with a few
> heads. Is there any way?
I did this once, but for some reason it won't work with my current machine
(Using an older kernel if that matters).
Background: I have a range of IPs. I route the ones I am using to the
proper interface and anything else gets icmp-network-unreachable. To do
this I just did:
iptables -I FORWARD -i internetif -o internetif -j REJECT ...
In the nat/POSTROUTING chain I look for icmp-network-unreachable and -j
SNAT it to the address I want. Unfortunately, it does this for all
icmp-network-unreachable. I know of no way, other than the u32 patch, to
determine what the original connection was.
Be aware that your provider may not allow you to spoof the ip address and
just drop the packets that you altered.
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???