On Tue, Apr 30, 2002 at 11:00:15AM -0400, Ramin Alidousti wrote:
> > I had forgotten to say that it is for use with the "fake-source"
> > patch-o-matic that is already installed, to have a rule like this:
> >
> > ... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR
> >
> > The rule with "-t mangle ..." doesn't allow me to specify an IP address.
>
> OK. Try to set the TTL in PREROUTING:
>
> -t mangle -A PREROUTING <some restriction to the rule> -j TTL --ttl-set 0
>
> and then when your box generates the time-exceeded in response to this
> rule, set the src in POSTROUTING:
>
> -t nat -A POSTROUTING -m ttl --ttl-eq 0 -j SNAT --to IPADDR
I couldn't have been more wrong here. The rule to detect the response to
an expired packet should check the ICMP type:
-t nat -A POSTROUTING -p icmp
--icmp-type ttl-zero-during-<transit/reassembly>
<some restriction to the rule>
-j SNAT --to IPADDR
and you have to restrict the rule to limit your audience.
> Ramin
>
> >
> > But I don't have sufficient skill to write the patch myself.
> > Is it scheduled?
> >
> > Or is there another method?
> >
> > Thanks for your answers.
> >
> > Guillaume.
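The two-rule approach from this thread, with Ramin's correction applied (match the generated ICMP by type rather than by TTL), written out as an added example that is not part of the original mail. It is a dry-run generator: it prints the iptables commands for a given source network and substitute address (both hypothetical placeholders here) so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not execute) the rule pair:
#   1. mangle/PREROUTING: force TTL to 0 for the restricted traffic, so the
#      forwarding path generates an ICMP time-exceeded for it.
#   2. nat/POSTROUTING:   rewrite the source of that ICMP reply only, selected by
#      ICMP type (ttl-zero-during-transit) and the same restriction, so other
#      time-exceeded messages from the box are left untouched.
# $1 = source network the restriction applies to (e.g. 192.0.2.0/24, constructed)
# $2 = address to place in the ICMP reply's source field (e.g. 198.51.100.1, constructed)
fake_source_rules() {
    src_net="$1"
    fake_ip="$2"
    [ -n "$src_net" ] && [ -n "$fake_ip" ] || { echo "usage: fake_source_rules SRC_NET FAKE_IP" >&2; return 1; }
    # Restriction shared by both rules: only traffic from the chosen network.
    restrict="-s $src_net"
    printf 'iptables -t mangle -A PREROUTING %s -j TTL --ttl-set 0\n' "$restrict"
    # The ICMP reply travels back toward the restricted network, so the
    # restriction on the second rule is on the destination.
    printf 'iptables -t nat -A POSTROUTING -p icmp --icmp-type ttl-zero-during-transit -d %s -j SNAT --to %s\n' \
        "$src_net" "$fake_ip"
}

# Dry run with constructed placeholder values; pipe into sh to apply.
fake_source_rules 192.0.2.0/24 198.51.100.1
```

Check the restriction matches only the intended network before piping the output into a shell; without it the SNAT rule rewrites every time-exceeded message the box emits.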