LinuxQuestions.org > Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Setting a correct TTL value for packets leaving your LAN doesn't let your ISP, for example, see that you have more than 1 computer on 1 connection. In my LAN, PCs browsing the internet pass through 2 gateways (2 hops): my front router and my Linux firewall box. I have a Debian 3.1 2.6 kernel and I have set in /proc/sys/net/ipv4/ip_default_ttl a value of 64. I know this value depends on the number of hops the packet has to pass before it reaches the destination, right? I don't want to get traced by traceroutes either. Could someone point me to a link where this is explained well? Considering I use 2 gateways, what value should I better set?
Interesting reading if you really want to understand things.
Time to Live: 8 bits
This field indicates the maximum time the datagram is allowed to
remain in the internet system. If this field contains the value
zero, then the datagram must be destroyed. This field is modified
in internet header processing. The time is measured in units of
seconds, but since every module that processes a datagram must
decrease the TTL by at least one even if it processes the datagram in
less than a second, the TTL must be thought of only as an upper
bound on the time a datagram may exist. The intention is to cause
undeliverable datagrams to be discarded, and to bound the maximum
One solution if you "don't want to get tracerouted" is to not accept packets with TTL < X, X being the number of hops of your network.
There are different approaches to this problem.
Don't forget to also block "record route" packets.
... PREROUTING because it's going to be for incoming traceroutes ... If a traceroute is for a DMZ server, it would have 2 hops before it, so I think it is better to use the --ttl-inc 2 option for a server behind two gateways and --ttl-inc 1 for the firewall that has 1 gateway before it. My LAN is:
[netgear-router] --- [FirewallLinux] --- [switch] --- [www] --- [mail&ftp]
+ /sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name
POSTROUTING for the outgoing packets, so your ISP doesn't get nasty.
From man iptables:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
The standard Debian kernel-image-2.6 doesn't include the TTL target, hence the error message, so you'll need to compile your own kernel if you want to use it.
For incoming traceroutes, you can drop your outgoing ICMP responses with:
iptables -I OUTPUT -p icmp -m icmp --icmp-type time-exceeded -j DROP
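The three techniques discussed in this thread (normalising the TTL of outbound packets in mangle POSTROUTING so the ISP cannot count internal hops, bumping the TTL of inbound packets in mangle PREROUTING with --ttl-inc so the firewall vanishes from a traceroute, and simply dropping the firewall's own ICMP time-exceeded replies as in the rule above) all hinge on the same mechanic: every forwarding router decrements the TTL, and a packet that arrives with TTL 1 is not forwarded but answered with time-exceeded. The model below is an added example written for this page, not code from any poster; it mirrors the thread's topology [netgear-router] --- [FirewallLinux] --- [switch] --- [www], and the Router class, its prerouting/postrouting hooks and the drop_time_exceeded flag are hypothetical stand-ins for the iptables rules, placed in the order the netfilter hooks run (mangle PREROUTING before the forwarding TTL check and decrement, mangle POSTROUTING after it). It deliberately ignores the reply path and the netgear's own behaviour, which the firewall cannot influence. One caveat the thread leaves out: the iptables manual for the TTL target warns that setting or incrementing the TTL is dangerous because it can make a looping packet live forever, and says never to do it on packets that leave your local network; the --ttl-set shown here raises the TTL only back to the host default, and --ttl-inc is applied only to packets entering the LAN.

```python
"""
Model of IPv4 TTL handling on the path discussed in the thread:

    internet --- [netgear-router] --- [FirewallLinux] --- [switch] --- [www]

Each router that forwards a packet decrements the TTL; a packet arriving with
TTL 1 is not forwarded but answered with ICMP time-exceeded (what traceroute
relies on).  The firewall can additionally run iptables mangle rules, modelled
here as plain functions on the TTL value (hypothetical stand-ins, not iptables).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

COMMON_INITIAL_TTLS = (64, 128, 255)  # Linux/BSD, Windows, many routers


@dataclass
class Router:
    name: str
    # Stand-ins for "iptables -t mangle -A PREROUTING/POSTROUTING -j TTL ..."
    # PREROUTING runs before the forwarding TTL check and decrement,
    # POSTROUTING after it, matching the netfilter hook order.
    prerouting: Optional[Callable[[int], int]] = None
    postrouting: Optional[Callable[[int], int]] = None
    # Models "iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j DROP":
    # the router still expires the packet but stays silent about it.
    drop_time_exceeded: bool = False

    def forward(self, ttl: int) -> Optional[int]:
        """TTL the packet leaves with, or None if it expired at this router."""
        if self.prerouting:
            ttl = self.prerouting(ttl)
        if ttl <= 1:
            return None  # ip_forward(): too many hops, not forwarded
        ttl -= 1
        if self.postrouting:
            ttl = self.postrouting(ttl)
        return ttl


def ttl_seen_by_isp(lan_path: List[Router], initial_ttl: int = 64) -> Optional[int]:
    """TTL of a LAN host's packet when it reaches the ISP (lan_path inside->outside)."""
    ttl: Optional[int] = initial_ttl
    for router in lan_path:
        ttl = router.forward(ttl)
        if ttl is None:
            return None
    return ttl


def hops_inferred_by_isp(observed_ttl: int) -> int:
    """A passive observer's guess: distance from the nearest common initial TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def traceroute(inbound_path: List[Router], destination: str, max_ttl: int = 8) -> List[str]:
    """Who answers each probe: the router that expired it, '*' if that router
    suppresses time-exceeded, or the destination once a probe gets through."""
    answers: List[str] = []
    for probe_ttl in range(1, max_ttl + 1):
        ttl: Optional[int] = probe_ttl
        responder = destination
        for router in inbound_path:
            ttl = router.forward(ttl)
            if ttl is None:
                responder = "*" if router.drop_time_exceeded else router.name
                break
        answers.append(responder)
        if responder == destination:
            break
    return answers


def scenarios() -> Dict[str, object]:
    netgear = Router("netgear-router")
    plain_fw = Router("FirewallLinux")
    # firewall drops its own time-exceeded replies: it shows up as '*'
    quiet_fw = Router("FirewallLinux", drop_time_exceeded=True)
    # mangle PREROUTING -i <lan-facing-from-internet> -j TTL --ttl-inc 1
    inc_fw = Router("FirewallLinux", prerouting=lambda t: t + 1)
    # mangle POSTROUTING -o <towards-netgear> -j TTL --ttl-set 64
    set_fw = Router("FirewallLinux", postrouting=lambda t: 64)
    return {
        # outbound: host (TTL 64) -> firewall -> netgear -> ISP
        "isp_ttl_default": ttl_seen_by_isp([plain_fw, netgear]),
        "isp_ttl_normalised": ttl_seen_by_isp([set_fw, netgear]),
        # inbound traceroute from the internet: netgear -> firewall -> www
        "trace_default": traceroute([netgear, plain_fw], "www"),
        "trace_quiet": traceroute([netgear, quiet_fw], "www"),
        "trace_inc": traceroute([netgear, inc_fw], "www"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

With the host default of 64 and nothing mangled, the ISP sees TTL 62 and can infer two forwarding hops behind its link, one more than a single PC plugged into the router would produce; resetting the TTL to 64 in POSTROUTING makes the ISP see 63, indistinguishable from a lone Linux host. For an inbound traceroute, dropping time-exceeded only turns the firewall's line into "*" while keeping the hop count, whereas --ttl-inc 1 removes the firewall from the listing entirely because the probe that should have died there is forwarded on to www.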