On Wed, May 01, 2002 at 06:53:01PM +0200, Kaddouch Guillaume wrote:

> ----- Original Message ----- 
> From: "Ramin Alidousti" <[EMAIL PROTECTED]>
> To: "Kaddouch Guillaume" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, May 01, 2002 2:34 AM
> Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"
> 
> 
> > On Tue, Apr 30, 2002 at 11:00:15AM -0400, Ramin Alidousti wrote:
> > 
> > > > I had forgot to say that it is for using with the "fake-source"
> > > > patch-o-matic that is already install to have a rule like this:
> > > > 
> > > > ... -j REJECT --reject-with  icmp-time-exceeded  --fake-source IPADDR
> > > > 
> > > > The rule with "-t mangle ..." doesn't allow me to specify an IP address.
> > > 
> > > OK. Try to set the TTL in PREROUTING:
> > > 
> > > -t mangle -A PREROUTING <some restriction to the rule> -j TTL --ttl-set 0
> > > 
> > > and then when your box generates the time-exceeded in response to this
> > > rule, set the src in POSTROUTING:
> > > 
> > > -t nat -A POSTROUTING -m ttl --ttl-eq 0 -j SNAT --to IPADDR
> > 
> > I couldn't have been more wrong here. The rule to detect the response to
> > an expired packet should check the ICMP type:
> > 
> >  -t nat -A POSTROUTING -p icmp
> >                      --icmp-type ttl-zero-during-<transit/reassembly>
> >                      <some restriction to the rule>
> >                      -j SNAT --to IPADDR
> 
> It is very interesting to do it with this type of rule, but there is one thing
> that is impossible with it: to have a relation between the packet that arrives
> (like echo-request) and the packet that is sent (time-exceeded). For instance, if I
> want packets from PC1 to be returned with FAKE-SRC-IP1 and packets from PC2 to be
> returned with a different fake source, I can't do it, because the 2 packets that I
> send are the same, independent of the first match (that may be ip-src, or ttl, or
> other...).

Can you not say:

-t nat -A POSTROUTING -p icmp
                     --icmp-type ttl-zero-during-<transit/reassembly>
                     -d PC1
                     -j SNAT --to FAKE-SRC-IP1

-t nat -A POSTROUTING -p icmp
                     --icmp-type ttl-zero-during-<transit/reassembly>
                     -d PC2
                     -j SNAT --to FAKE-SRC-IP2

> 
> I had tried to mark input packets according to the source IP, to do a different action
> depending on the mark of the output packet, but the mangle table is only for outbound
> traffic.

It won't work. What you mean is to mark packets as they come in and
to check the mark as the responses go out. The response packets do
_not_ carry the marks.

> 
> This rule is however better than nothing! Before, I was unable to send only a
> time-exceeded. But for personal use, I need more functionality.

I know that this is a quick fix to a wider problem which does not
cover everything but as you said it's better than nothing.

Ramin

> 
> I really had a "brainstorming" before posting, but I can't find any solution.
> 
>         Guillaume.

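To make Ramin's suggestion concrete for more than two hosts, here is an added example (not code from the thread, and not Ramin's or Guillaume's) that emits the TTL-expiry rule and the per-host SNAT rule for each entry of a small host table. The addresses are hypothetical (RFC 5737 test ranges), the option is written in its long form --to-source, interface restrictions are left out, and the commands are printed by default so the rule set can be reviewed; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: build the rule set Ramin outlines,
# generalised to N source hosts. Addresses are hypothetical (RFC 5737 ranges).
#
# Mechanism: the TTL target in mangle/PREROUTING zeroes the TTL of packets
# from a listed host, so the forwarding path generates an ICMP time-exceeded
# addressed back to that host. In nat/POSTROUTING that error is matched on
# its destination (-d host), the one field that still identifies the
# original sender, and SNATed to that host's fake source.
#
# IPT defaults to "echo" so the commands are printed for review; run with
# IPT=iptables (as root) to apply them. Interface restrictions are omitted.
IPT="${IPT:-echo}"

# Constructed host table: <source host we receive from> <fake source we answer from>
HOSTMAP='
192.0.2.10 198.51.100.1
192.0.2.20 198.51.100.2
'

# Force packets from $host to expire on this box.
ttl_rule() {
    host=$1
    $IPT -t mangle -A PREROUTING -s "$host" -j TTL --ttl-set 0
}

# Rewrite the source of the resulting time-exceeded sent back to $host.
snat_rule() {
    host=$1 fake=$2
    $IPT -t nat -A POSTROUTING -p icmp --icmp-type ttl-zero-during-transit \
        -d "$host" -j SNAT --to-source "$fake"
}

# Emit both rules for every line of HOSTMAP, skipping blank lines.
apply_rules() {
    printf '%s\n' "$HOSTMAP" | while read -r host fake; do
        [ -n "$host" ] || continue
        ttl_rule "$host"
        snat_rule "$host" "$fake"
    done
}

apply_rules
```

After loading the rules, confirm on the outgoing interface (for example with tcpdump -ni eth0 icmp) that the time-exceeded actually leaves with the fake source: whether a locally generated ICMP error is seen by the nat table depends on how conntrack classifies it, so check rather than assume.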