LinuxQuestions.org

Gentoo forum thread: Setting TTL using IPTables in Gentoo (https://www.linuxquestions.org/questions/gentoo-87/setting-ttl-using-iptables-in-gentoo-4175678426/)

unassailable 07-09-2020 10:27 AM

Setting TTL using IPTables in Gentoo
 
My goal is to set the value of my connection's TTL, as demonstrated by [1] [2] [3] [4] [5] [6].

Fresh install of iptables/ip6tables following [7]

Code:

iptables -L -n
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0         
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
REJECT    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset

Chain FORWARD (policy DROP)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

When adding the rule
Code:

iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65
I receive the error
Code:

iptables: No chain/target/match by that name.
[5] shows that ipt_ttl.ko was required circa 2007 and [6] shows this was succeeded by xt_state.ko circa 2009.

I've compiled my kernel and have loaded xt_state.ko, but the error still persists.

Code:

grep -i _NETFILTER_ .config
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_STATE=m

Code:

grep -i mangle .config
CONFIG_IP_NF_MANGLE=y
CONFIG_IP6_NF_MANGLE=y

Code:

lsmod
Module                  Size  Used by
xt_state              16384  0
iptable_nat            16384  0
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                32768  1 nf_nat_ipv4
xt_conntrack          16384  5
nf_conntrack          98304  4 xt_conntrack,nf_nat,xt_state,nf_nat_ipv4
nf_defrag_ipv6        16384  1 nf_conntrack
nf_defrag_ipv4        16384  1 nf_conntrack

I have also recompiled net-firewall/iptables with the conntrack, netlink, and nftables USE flags; still no change.

Code:

[ebuild  R    ] net-firewall/iptables-1.6.1-r3:0/12::gentoo  USE="conntrack ipv6 netlink nftables (split-usr) -pcap -static-libs" 0 KiB
I assume that I'm missing something obvious. Has anyone dealt with this before on Gentoo?

tinfoil3d 07-10-2020 08:36 AM

Well, it works in Debian-like systems, but in PREROUTING. POSTROUTING wouldn't change TTL. What iptables says is that your system probably lacks the TTL target. WHY is not something I can tell right away, though.

unassailable 10-09-2020 12:45 PM

Quote:

Originally Posted by tinfoil3d (Post 6143784)
What iptables says is your system probably lacks TTL target.

This was correct; the kernel required the following to be set:
Code:

NETFILTER_ADVANCED [=y]
NETFILTER_XT_TARGET_HL [=m]
IP_NF_MATCH_TTL [=y]
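An added example, not code from the thread or from any of its posters, that turns the two posts above (the failing rule in the first post and the kernel options found in the last one) into a repeatable check. It is a POSIX shell script that inspects a kernel .config for the options the TTL target needs and, on a live host, asks modprobe whether xt_HL exists for the running kernel. The .config fragments inside it are constructed to mirror the first post (NETFILTER_ADVANCED off) and the final state, not copied from the poster's file. Assumptions beyond what the thread states: the module name xt_HL.ko for NETFILTER_XT_TARGET_HL, and CONFIG_IP_NF_MANGLE being required as well, because the TTL target is registered for the mangle table only (it is accepted in any mangle chain, POSTROUTING included). The reason the first post's `grep -i _NETFILTER_` could never have shown the fix is visible in its own output: `# CONFIG_NETFILTER_ADVANCED is not set` means menuconfig does not even offer NETFILTER_XT_TARGET_HL, and a "is not set" line never matches an `=y`/`=m` check, which is what the script relies on.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a kernel .config for the options
# the iptables TTL target needs and probes the running kernel for xt_HL.

# Options checked. The first three are what the final post had to enable;
# IP_NF_MANGLE is an assumption here: the TTL target lives in the mangle table.
#   NETFILTER_ADVANCED       gates NETFILTER_XT_TARGET_HL in Kconfig
#   NETFILTER_XT_TARGET_HL   the TTL (IPv4) / HL (IPv6) target, xt_HL.ko
#   IP_NF_MATCH_TTL          the "ttl" match (filter on a packet's TTL)
#   IP_NF_MANGLE             the mangle table the target is confined to
TTL_REQUIRED_OPTS="NETFILTER_ADVANCED NETFILTER_XT_TARGET_HL IP_NF_MATCH_TTL IP_NF_MANGLE"

# check_ttl_config FILE: print one line per option; return 0 only if every
# option is =y or =m. A "# CONFIG_X is not set" line counts as missing.
check_ttl_config() {
    ttl_cfg="$1"
    ttl_missing=0
    for ttl_opt in $TTL_REQUIRED_OPTS; do
        if grep -Eq "^CONFIG_${ttl_opt}=(y|m)$" "$ttl_cfg"; then
            echo "ok       CONFIG_${ttl_opt}"
        else
            echo "MISSING  CONFIG_${ttl_opt}"
            ttl_missing=1
        fi
    done
    return $ttl_missing
}

# Constructed .config fragments for offline use (not the poster's real file).
write_broken_config() {   # state in the first post: ADVANCED off, no HL target
    cat > "$1" <<'EOF'
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_MANGLE=y
EOF
}
write_fixed_config() {    # state after the final post's change
    cat > "$1" <<'EOF'
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MANGLE=y
EOF
}

# Live probe for the running kernel. modprobe -n is a dry run: it succeeds
# if xt_HL is a loadable module or built in for this kernel. If legacy
# ip_tables is loaded it lists registered targets in
# /proc/net/ip_tables_targets; that is reported but not treated as failure,
# because iptables autoloads xt_HL on first use of -j TTL.
ttl_target_available() {
    modprobe -n xt_HL 2>/dev/null || return 1
    if [ -r /proc/net/ip_tables_targets ]; then
        if grep -qx TTL /proc/net/ip_tables_targets; then
            echo "TTL target already registered"
        else
            echo "xt_HL present but not yet loaded (iptables will autoload it)"
        fi
    fi
    return 0
}

tmp=$(mktemp)
echo "== .config as in the first post =="
write_broken_config "$tmp"
check_ttl_config "$tmp" || echo "-> enable NETFILTER_ADVANCED first; until then menuconfig does not offer the HL target"
echo "== .config after the final post's change =="
write_fixed_config "$tmp"
check_ttl_config "$tmp" && echo "-> kernel side ok; rebuild, then: iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65"
rm -f "$tmp"

# Only meaningful on the host being fixed; skipped where no modules tree exists.
if [ -d "/lib/modules/$(uname -r)" ]; then
    ttl_target_available && echo "live: TTL target available" || echo "live: no xt_HL for $(uname -r)"
fi
```

Run it as `sh check_ttl.sh` against the two built-in fragments, or call `check_ttl_config /usr/src/linux/.config` on the real tree before rebuilding. After the rule is added, `iptables -t mangle -L POSTROUTING -n -v` should list it with the `TTL set to 65` target; a second `iptables: No chain/target/match by that name.` at that point means the running kernel is still the old one.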

