LinuxQuestions.org, Linux - Networking forum
Setting a correct TTL value for packets leaving your LAN doesn't make your ISP, for example, see that you have more than 1 computer on 1 connection. In my LAN, PCs browsing the internet pass through 2 gateways (2 hops): my front router and my Linux firewall box. I have a Debian 3.1 2.6 and I have set in /proc/sys/net/ipv4/ip_default_ttl a value of 64. I know this value depends on the number of hops the packet has to pass before it reaches the destination, right? I don't want to get traced by traceroutes either. Could someone point me to a link where this is explained well? Considering I use 2 gateways, what value should I better set?
Interesting reading if you really want to understand things.
Time to Live: 8 bits
This field indicates the maximum time the datagram is allowed to
remain in the internet system. If this field contains the value
zero, then the datagram must be destroyed. This field is modified
in internet header processing. The time is measured in units of
seconds, but since every module that processes a datagram must
decrease the TTL by at least one even if it process the datagram in
less than a second, the TTL must be thought of only as an upper
bound on the time a datagram may exist. The intention is to cause
undeliverable datagrams to be discarded, and to bound the maximum
One solution if you "don't want to get tracerouted" is to not accept packets with TTL < X, X being the number of hops of your network.
There are different approaches to this problem.
Don't forget to also block "record route" packets.
... PREROUTING because it's going to be for incoming traceroutes ... . If a traceroute is for a DMZ server it would have 2 hops before it, so I think it is better to use the --ttl-inc 2 option for a server behind two gateways and --ttl-inc 1 for the firewall that has 1 gateway before it. My LAN is:
[netgear-router] --- [FirewallLinux] --- [switch] --- [www] --- [mail&ftp]
+ /sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name
POSTROUTING for the outgoing packets, so your ISP doesn't get nasty..
From man iptables..
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
The standard Debian kernel-image-2.6 doesn't include TTL, hence the error messages, so you'll need to compile your own kernel if you want to use it..
For incoming traceroutes, you can drop your outgoing icmp responses with..
iptables -I OUTPUT -p icmp -m icmp --icmp-type time-exceeded -j DROP
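As an added example that is not part of this thread, the following Python model follows a probe through the LAN sketched above ([netgear] --- [FirewallLinux] --- [www]; the switch is layer 2 and does not touch TTL) under three constructed rule sets: no rules, the mangle TTL rules discussed (--ttl-inc on PREROUTING, --ttl-set on POSTROUTING), and the "drop packets with TTL below the hop count" filter suggested earlier. It assumes the Linux order of operations (mangle PREROUTING before the forwarding TTL check, POSTROUTING after the decrement); the router names and the 64 default are taken from the posts.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ttl_inc: int = 0      # mangle PREROUTING -j TTL --ttl-inc N (0 = no rule)
    ttl_set_out: int = 0  # mangle POSTROUTING -j TTL --ttl-set N (0 = no rule)
    min_ttl: int = 0      # drop arriving packets with TTL below this (0 = off)

def inbound_probe(routers, initial_ttl):
    """Follow one inbound probe (e.g. a traceroute packet) with the given TTL.
    Returns ('time-exceeded', hop), ('dropped', hop) or ('reached', 'www')."""
    ttl = initial_ttl
    for r in routers:
        if r.min_ttl and ttl < r.min_ttl:
            return ("dropped", r.name)        # filter rule, no ICMP answer sent
        ttl += r.ttl_inc                      # mangle PREROUTING runs first
        if ttl <= 1:                          # forwarding would bring it to 0
            return ("time-exceeded", r.name)
        ttl -= 1                              # normal per-hop decrement
    return ("reached", "www")                 # the host accepts any TTL >= 1

def traceroute_view(routers, max_ttl=4):
    """Map each probe TTL to the hop that answers, as a traceroute would list it."""
    return {t: inbound_probe(routers, t) for t in range(1, max_ttl + 1)}

def outbound_ttl(routers, host_default_ttl=64):
    """TTL of a packet from www as seen by the ISP once it has left the netgear."""
    ttl = host_default_ttl                    # /proc/sys/net/ipv4/ip_default_ttl
    for r in reversed(routers):               # www -> firewall -> netgear
        ttl -= 1
        if r.ttl_set_out:
            ttl = r.ttl_set_out               # POSTROUTING rewrite on the way out
    return ttl

# Constructed topologies (hypothetical values, not the poster's real config).
PLAIN = [Router("netgear"), Router("firewall")]
HIDDEN = [Router("netgear"), Router("firewall", ttl_inc=1, ttl_set_out=64)]
FILTERED = [Router("netgear"), Router("firewall", min_ttl=2)]

if __name__ == "__main__":
    for label, lan in (("no rules", PLAIN), ("mangle rules", HIDDEN), ("ttl filter", FILTERED)):
        print(label, traceroute_view(lan), "ISP sees TTL", outbound_ttl(lan))
```

With the mangle rules the firewall hop disappears from the trace and the ISP sees TTL 63 instead of 62; with the filter the second hop shows as a timeout rather than an ICMP answer.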