LinuxQuestions.org
Old 08-24-2015, 09:00 AM   #1
hack3rcon
How can I simulate host unreachable via iptables?


Hello.
How can I write an iptables rule that simulates host unreachable? When a user pings me, it should show host unreachable.

Thank you.
Old 08-24-2015, 12:54 PM   #2
serafean
Drop a packet with --reject-with icmp-host-unreachable. Example command:
Code:
# --reject-with is an option of the REJECT target, so the target must be REJECT, not DROP
iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
(unsure about the parameter order) More information in the iptables and iptables-extensions manpages.
Old 08-24-2015, 01:55 PM   #3
rknichols
You can't simulate that 100%. You can send an icmp "host unreachable" message, but the source IP address in that packet will be that of the host that it claims is unreachable. That's obviously impossible -- an unreachable host could not be sending a packet at all. A true "host unreachable" packet would have to come from a router upstream from that "unreachable" IP address.

You would be doing the equivalent of loudly announcing, "There's no one home!" when someone knocks on your door.

Last edited by rknichols; 08-24-2015 at 01:58 PM.
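The inconsistency rknichols describes, as an added example that is not part of the thread: a small Python script that builds an echo request and ICMP "host unreachable" messages over it (constructed packets, RFC 5737 documentation addresses), then classifies an unreachable message by whether its sender is the very host the quoted packet was addressed to, which is what a local REJECT rule produces, or some other address, as a genuine router-originated error would be.

```python
# Added example, not from the thread: construct ICMP "host unreachable" messages
# and classify them the way rknichols describes. A REJECT rule on the target host
# sends the ICMP error from the target's own address; a genuine one comes from a
# router, so its source differs from the destination of the quoted packet.
import ipaddress
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_HOST_UNREACH = 1   # code 1, what --reject-with icmp-host-unreachable sends

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_echo_request(src: str, dst: str) -> bytes:
    """An ICMP echo request (type 8), i.e. the packet `ping` would send."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    return build_ipv4(src, dst, 1, icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:])

def build_host_unreachable(sender: str, to: str, original: bytes) -> bytes:
    """ICMP type 3 code 1 quoting the original IP header plus 8 payload bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + original[:28]
    return build_ipv4(sender, to, 1, icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:])

def classify_unreachable(pkt: bytes) -> str:
    """'self-reported' when the ICMP sender is the destination of the quoted packet,
    'router-originated' when some other address (an upstream router) sent it."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if pkt[9] != 1 or len(icmp) < 28 or icmp[0] != ICMP_DEST_UNREACH:
        return "not-unreachable"
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner_dst = ipaddress.IPv4Address(icmp[24:28])   # dst field of the quoted IP header
    return "self-reported" if outer_src == inner_dst else "router-originated"
```

A scanner that receives a "self-reported" unreachable knows a host is present at that address, which is the point of the post above.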
Old 08-24-2015, 11:54 PM   #4
hack3rcon
Original Poster
What is your idea about it:

http://stackoverflow.com/questions/5...e-implement-it


I want to trick network scanners like Nmap. If you can't ping an IP, it means it is UP.
Old 08-25-2015, 08:25 AM   #5
rknichols
Quote:
Originally Posted by hack3rcon
That's inserting a rule on one machine to make it appear that a distant machine is unreachable, which is different from what you are trying to do. For you to do that, you would have to install the rule on the other user's machine.
Quote:
I want to trick network scanners like Nmap. If you can't ping an IP, it means it is UP.
Getting no response from a ping means that something is there and trying hard not to be seen. Again, if there were really no machine at that IP, the upstream router would return an icmp "Host unreachable" or "No route to host" packet.

You could try to SNAT the icmp response with the address of the upstream router, but that router might well refuse to pass such a received packet or raise an alarm that gets you in trouble with your ISP. This is getting into areas that might not be acceptable here on LQ, and I'm not going to pursue this further.
Old 08-25-2015, 01:22 PM   #6
hack3rcon
Original Poster
Quote:
Originally Posted by rknichols
That's inserting a rule on one machine to make it appear that a distant machine is unreachable, which is different from what you are trying to do. For you to do that, you would have to install the rule on the other user's machine.
Getting no response from a ping means that something is there and trying hard not to be seen. Again, if there were really no machine at that IP, the upstream router would return an icmp "Host unreachable" or "No route to host" packet.

You could try to SNAT the icmp response with the address of the upstream router, but that router might well refuse to pass such a received packet or raise an alarm that gets you in trouble with your ISP. This is getting into areas that might not be acceptable here on LQ, and I'm not going to pursue this further.
Thus, what is your idea about tricking scanners?