LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 04-18-2006, 08:37 AM   #1
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Rep: Reputation: 30
Question TTL value


Setting a correct TTL value for packets leaving your LAN doesn't make your isp,for example,see you have more than 1 computer on 1 connection.In my lan , pcs browsing the internet pass through 2 gateways (2 HOPS) my front router and my linuxfirewallbox.I have a debian 3.1 2.6 and i have set in /proc/sys/net/ipv4/ip_default_ttl a value of 64.I know this value depends on the number of hops the pachet has to pass before it reaches the destination,right?I don't want get traced by traceroutes either.Could someone point me to a link where this is explained good?Considering i use 2 gateways what value should i better set ?
grazie!
 
Old 04-19-2006, 05:39 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
The /proc setting is only for packets generated by the gateway..

For LAN packets use iptables on the firewallbox..

iptables -t mangle -A POSTROUTING -o eth~ -j TTL --ttl-set 64
(Use your outgoing eth interface name here)
See man iptables for mare details.
Set the TTL value to the same as the /proc setting.
 
Old 04-19-2006, 08:38 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
+ /sbin/iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 64
iptables: No chain/target/match by that name

The chain mangle is a default one,right?,target TTL,too what is wrong with it ?
 
Old 04-19-2006, 10:23 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
It says POSTROUTING..
Not OUTPUT..

Check in man iptables if things don't work as expected.
Most syntax requirements are in there
 
Old 04-19-2006, 10:33 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
http://www.ietf.org/rfc/rfc0791.txt

Interesting reading if you really want to understand things.

Quote:
Time to Live: 8 bits

This field indicates the maximum time the datagram is allowed to
remain in the internet system. If this field contains the value
zero, then the datagram must be destroyed. This field is modified
in internet header processing. The time is measured in units of
seconds, but since every module that processes a datagram must
decrease the TTL by at least one even if it process the datagram in
less than a second, the TTL must be thought of only as an upper
bound on the time a datagram may exist. The intention is to cause
undeliverable datagrams to be discarded, and to bound the maximum
datagram lifetime.
One solution if you "don't want to get tracerouted" is to not accept packets with TTL<X , X being the number of hops of your network.
There are different approaches to this problem.

Don't forget to also block "record route" packets.
 
Old 04-20-2006, 02:19 AM   #6
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
Forgive me ...

... PREROUTING because it's going to be for incoming traceroutes ... .If a traceroute is for a DMZ server it would have 2 hops before it so i think is better use --ttl-inc 2 option for server behind two gateways and --ttl-inc 1 for the firewall that has 1 gateway before it.My lan is:
[netgear-router] --- [FirewallLinux] --- [switch] --- [www] --- [mail&ftp]

RIGHT ?????

Result:
+ /sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name

Last edited by gabsik; 04-20-2006 at 02:49 AM.
 
Old 04-20-2006, 09:33 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
POSTROUTING for the outgoing packets, so your ISP doesn't get nasty..

From man iptables..
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

The standard Debian kernel-image-2.6 doesn't include TTL, hence the error messages, so you'll need to compile your own kernel if you want to use it..

For incoming traceroutes, you can drop your outgoing icmp responses with..
iptables -I OUTPUT -p icmp -m icmp --icmp-type time-exceeded -j DROP
 
Old 04-21-2006, 04:07 AM   #8
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
Nice and helpfull discussion .Thanx for the help,ciao!
 
  


Reply

Tags
iptables, ttl


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
TTL change Cubiq Linux - Networking 11 08-13-2006 03:50 PM
IP TTL help SBK_bg Linux - Networking 2 09-29-2005 09:18 AM
TTL value is set to zero vkrishn1 Linux - Networking 0 01-11-2005 04:35 PM
Dns TTL (?) JJX Linux - Networking 0 11-03-2004 02:52 PM
TTL for kernel 2.6.6 kingka Linux - Networking 2 06-03-2004 01:01 PM


All times are GMT -5. The time now is 12:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration