----- Original Message -----
From: "Ramin Alidousti" <[EMAIL PROTECTED]>
To: "Kaddouch Guillaume" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, May 01, 2002 2:34 AM
Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"

> On Tue, Apr 30, 2002 at 11:00:15AM -0400, Ramin Alidousti wrote:
>
> > > I had forgotten to say that it is for use with the "fake-source"
> > > patch-o-matic that is already installed, to have a rule like this:
> > >
> > > ... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR
> > >
> > > The rule with "-t mangle ..." doesn't allow me to specify an IP address.
> >
> > OK. Try to set the TTL in PREROUTING:
> >
> > -t mangle -A PREROUTING <some restriction to the rule> -j TTL --ttl-set 0
> >
> > and then when your box generates the time-exceeded in response to this
> > rule, set the src in POSTROUTING:
> >
> > -t nat -A POSTROUTING -m ttl --ttl-eq 0 -j SNAT --to IPADDR
>
> I couldn't have been more wrong here. The rule to detect the response to
> an expired packet should check the ICMP type:
>
>  -t nat -A POSTROUTING -p icmp
>                      --icmp-type ttl-zero-during-<transit/reassembly>
>                      <some restriction to the rule>
>                      -j SNAT --to IPADDR
 
It is very interesting to do it with this type of rule, but there is one thing that is impossible with it: to have a relation between the packet that arrives (like echo-request) and the packet that is sent (time-exceeded). For instance, if I want packets from PC1 to be returned with FAKE-SRC-IP1 and packets from PC2 to be returned with a different fake source, I can't do it, because the 2 packets that I send are the same, independent of the first match (that may be ip-src, or ttl, or other...).
 
I had tried to mark the input packet according to the source IP, to do a different action according to the mark of the output packet, but the mangle table is only for outbound traffic.
 
This rule is however better than nothing! Before, I was unable to send only a time-exceeded. But for personal use, I need more functionality.
 
I really had a "brainstorming" before posting, but I can't find any solution.
 
        Guillaume.
 

>
> and you have to restrict the rule to limit your audience.
>
> > Ramin
> >
> > >
> > > But I don't have the skill to do the patch myself.
> > > Is it scheduled?
> > >
> > > Or is there another method?
> > >
> > > Thanks for your answers.
> > >
> > >         Guillaume.
>
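As an added example (not code from the thread or from netfilter), the following Python builds the ICMP time-exceeded message that the TTL/REJECT plus SNAT rules above emit (type 11, code 0, which is what `--icmp-type ttl-zero-during-transit` matches) and reads it back. Addresses are constructed; the point it shows is that the ICMP payload quotes the original IP header plus 8 bytes (RFC 792), so the probing host's address stays recoverable from the generated reply even when the outer source has been rewritten.

```python
# Added example: construct the time-exceeded reply the rules in this thread
# produce, then parse it as the receiver (or connection tracking) would.
import socket
import struct

ICMP_TIME_EXCEEDED, TTL_ZERO_DURING_TRANSIT = 11, 0  # code 1 = during-reassembly

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl):
    """Minimal 20-byte IPv4 header (no options) with its header checksum set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def echo_request(src, dst, ttl=1):
    """Constructed probe (e.g. from PC1): IPv4 + ICMP echo request, type 8."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"probe-data"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, socket.IPPROTO_ICMP, len(icmp), ttl) + icmp

def time_exceeded(original, reply_src):
    """Reply the box generates: outer src is whatever SNAT --to sets; payload is
    the original IP header plus its first 8 bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, TTL_ZERO_DURING_TRANSIT,
                       0, 0) + original[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    orig_src = socket.inet_ntoa(original[12:16])
    return ipv4_header(reply_src, orig_src, socket.IPPROTO_ICMP, len(icmp), 64) + icmp

def relate(pkt):
    """What a receiver reads back: outer source, ICMP type/code, and the quoted
    original probe's addresses and first 8 transport bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {"outer_src": socket.inet_ntoa(pkt[12:16]), "type": icmp[0],
            "code": icmp[1], "original_src": socket.inet_ntoa(inner[12:16]),
            "original_dst": socket.inet_ntoa(inner[16:20]),
            "original_l4": inner[inner_ihl:inner_ihl + 8]}
```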