custom ICMP message in iptables

Robert Nichols rnicholsNOSPAM at comcast.net
Wed Sep 23 15:29:42 UTC 2009


Jatin K wrote:
> Dear all,
> 
> 
> I'm wondering whether there is any method to add a custom ICMP message to 
> iptables ... e.g. say I block Echo Request (ping) through 
> system-config-firewall, other systems on my network cannot ping my 
> system ... but on the system from where I try to ping, it shows a 
> message like [1]
> 
> [1] From xxx.xxx.xxx.xxx icmp_seq=xxx Destination Host Prohibited
> 
> The problem is that anyone can determine that my system is alive and ICMP 
> requests are blocked.
> 
> 
> Instead of this I want it like this [2]
> 
> [2]  From xxx.xxx.xxx.xxx icmp_seq=xxx Destination Host *Unreachable *

Sure, you can add "--reject-with icmp-host-unreachable" to that rule.
Of course the ICMP packet you send will have a source IP address of
the machine that the packet claims is unreachable, and that just
screams, "This system is run by an incompetent doofus who is trying
to claim his machine doesn't exist."

You can also just use the DROP target instead of REJECT.  That also
makes it apparent that there is a machine here that is trying hard
not to be seen, since if it really didn't exist the upstream router
would have responded with icmp-{host|network}-unreachable.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.