I need to determine which header fields in IP, TCP and ICMP packets will never (at least, in 99% of cases, excluding perhaps a bizarre overly-aggressive firewall) be altered by a firewall or NAT/gateway device, including both stateful and stateless.
For instance, I have observed that certain headers will be manipulated by the firewall/NAT device, such as the window size, or the presence of the PSH and URG flags. I believe even the 'data offset' ('doff' name in the TCP header struct) was affected at some point as well. How common are these manipulations for firewalls and NAT devices?
Those that I know shouldn't ever be changed, at least that I've observed and am looking for confirmation from the community here, are the TCP sequence ID#, the IP ID, the ICMP type, ICMP code, ICMP id/sequence # (when in ECHO), and I'd imagine the ICMP data.
Am I incorrect in thinking the TCP window size is manipulated by some firewall/NAT? What about the IP TTL? Would this be manipulated by a border device before reaching its destination?
Any other information about which headers are manipulated and which are not is much appreciated.
Best Answer
You are probably developing a new way of hidden tunneling )
As to the fields of IP, TCP and ICMP headers, you can't be absolutely sure that they will be untouched while traveling the network. It mostly depends on the source and destination network topology, security measures and network equipment or software. Even the direction of traffic matters. It differs much when traffic flows, for example, from a home network to your VDS server or from a corporate PC to a Google server behind a load balancer, etc.
Echo request/reply, destination unreachable and TTL expired in transit (useful for traceroute).

Well, your question is reverse-engineering research in a way. I'd appreciate it if you share your experience afterward.
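As an added example (not code from the question or the answer), the empirical check a practitioner would run before relying on any header field: parse the IPv4/TCP headers of a packet as sent and as it arrived past the NAT/firewall, and report which fields differ, separating rewrites a NAT is expected to make (TTL, source address/port, checksums) from those it is not (window, flags, IP ID, sequence number). The two packets and the "expected" set are constructed here for illustration.

```python
import struct

# Constructed: fields a NAT/stateful firewall is expected to rewrite. Anything
# else that changes (window, flags, IP ID, seq, ...) points at a normalizing middlebox.
EXPECTED_NAT_CHANGES = {"ip.ttl", "ip.checksum", "ip.src", "tcp.sport", "tcp.checksum"}


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse an IPv4 header followed by a TCP header into a flat {field: value} dict."""
    (vihl, tos, total_len, ip_id, frag, ttl, proto, ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4                     # IHL is in 32-bit words
    if proto != 6:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack, doff_flags, win, tcp_csum, urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    return {
        "ip.tos": tos, "ip.len": total_len, "ip.id": ip_id, "ip.ttl": ttl,
        "ip.checksum": ip_csum,
        "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)),
        "tcp.sport": sport, "tcp.dport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.doff": (doff_flags >> 12) * 4,     # data offset, bytes
        "tcp.flags": doff_flags & 0x01FF,       # NS + CWR..FIN
        "tcp.window": win, "tcp.checksum": tcp_csum, "tcp.urgptr": urg,
    }


def diff_headers(sent: bytes, received: bytes) -> dict:
    """Return {field: (sent_value, received_value, expected_nat_change)} for differing fields."""
    a, b = parse_ipv4_tcp(sent), parse_ipv4_tcp(received)
    return {k: (a[k], b[k], k in EXPECTED_NAT_CHANGES) for k in a if a[k] != b[k]}


def unexpected_changes(sent: bytes, received: bytes) -> list:
    """Fields that were modified in transit but are not part of normal NAT behaviour."""
    return sorted(k for k, (_, _, expected) in diff_headers(sent, received).items() if not expected)


def build_sample(ttl, src, sport, window, flags, ip_id=0x1234, seq=1000) -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums left as 0; hypothetical values)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0,
                     bytes(src), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIHHHH", sport, 443, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed pair: as sent from an inside host, and as seen after a NAT that also
# clears PSH and rewrites the window (a normalizing middlebox).
SENT = build_sample(ttl=64, src=(192, 168, 1, 10), sport=40000, window=65535, flags=0x018)
RECEIVED = build_sample(ttl=63, src=(203, 0, 113, 5), sport=51234, window=29200, flags=0x010)
```

Run `diff_headers` over a real sent/received pair captured on both sides of the device to see which fields your specific path preserves; `unexpected_changes` lists the ones a plain NAT should not have touched.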