My goal is to set the value of my connection's TTL, as demonstrated by
[1] [2] [3] [4] [5] [6].
Fresh install of iptables/ip6tables following [7].
Code:
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
When adding the rule
Code:
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65
I receive the error
Code:
iptables: No chain/target/match by that name.
[5] shows that ipt_ttl.ko was required circa 2007 and
[6] shows this was succeeded by xt_state.ko circa 2009.
I've compiled my kernel and have loaded xt_state.ko, but the error still persists.
Code:
cat .config|grep -i _NETFILTER_
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
Code:
cat .config|grep -i mangle
CONFIG_IP_NF_MANGLE=y
CONFIG_IP6_NF_MANGLE=y
Code:
lsmod
Module Size Used by
xt_state 16384 0
iptable_nat 16384 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat 32768 1 nf_nat_ipv4
xt_conntrack 16384 5
nf_conntrack 98304 4 xt_conntrack,nf_nat,xt_state,nf_nat_ipv4
nf_defrag_ipv6 16384 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
I have also recompiled net-firewall/iptables with the conntrack, netlink, and nftables USE flags, still no change.
Code:
[ebuild R ] net-firewall/iptables-1.6.1-r3:0/12::gentoo USE="conntrack ipv6 netlink nftables (split-usr) -pcap -static-libs" 0 KiB
I assume that I'm missing something obvious. Has anyone dealt with this before on Gentoo?
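Added example, not from the original post or from Gentoo/iptables: "No chain/target/match by that name" is what iptables reports when the kernel has no implementation of the requested target. In current kernels the IPv4 TTL target (and the IPv6 HL target) is built from CONFIG_NETFILTER_XT_TARGET_HL into xt_HL.ko, and Kconfig only offers that option when CONFIG_NETFILTER_ADVANCED is set; xt_state is the state match and does not provide it. The script below checks a kernel .config for exactly those options, using constructed sample configs in place of a real kernel tree so it runs anywhere; the file names and the status words it prints are its own.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# options the iptables TTL target needs before trying the rule.
# Assumption: the TTL/HL target comes from CONFIG_NETFILTER_XT_TARGET_HL
# (module xt_HL), which Kconfig hides unless CONFIG_NETFILTER_ADVANCED=y.

# ttl_target_status CONFIG_FILE
# Prints one of: builtin | module | disabled | hidden | unknown
ttl_target_status() {
    cfg=$1
    val=$(sed -n 's/^CONFIG_NETFILTER_XT_TARGET_HL=//p' "$cfg")
    case $val in
        y) echo builtin ;;
        m) echo module ;;
        *)
            if grep -q '^CONFIG_NETFILTER_ADVANCED=y' "$cfg"; then
                echo disabled      # option was visible but left off
            elif grep -q '^# CONFIG_NETFILTER_ADVANCED is not set' "$cfg"; then
                echo hidden        # option was never shown in menuconfig
            else
                echo unknown
            fi ;;
    esac
}

# mangle_table_status CONFIG_FILE: "-t mangle" needs CONFIG_IP_NF_MANGLE
mangle_table_status() {
    if grep -q '^CONFIG_IP_NF_MANGLE=[ym]' "$1"; then
        echo present
    else
        echo missing
    fi
}

work=$(mktemp -d)

# Constructed sample mirroring the relevant lines of the .config in the post
cat > "$work/config.posted" <<'EOF'
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_MANGLE=y
EOF

# Constructed sample of a config with the target enabled as a module
cat > "$work/config.fixed" <<'EOF'
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_IP_NF_MANGLE=y
EOF

SAMPLE_POSTED=$work/config.posted
SAMPLE_FIXED=$work/config.fixed

for f in "$SAMPLE_POSTED" "$SAMPLE_FIXED"; do
    printf '%s: TTL target %s, mangle table %s\n' \
        "$(basename "$f")" "$(ttl_target_status "$f")" "$(mangle_table_status "$f")"
done

# On the real machine, once the kernel is rebuilt with the option enabled
# (needs root, so it is not run here):
#   modprobe xt_HL
#   iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65
#   iptables -t mangle -L POSTROUTING -n    # the TTL rule should now be listed
```

Run it against the real tree with `ttl_target_status /usr/src/linux/.config`; a result of "hidden" means enabling Advanced netfilter configuration in menuconfig first, then selecting the "HL" hoplimit target support option under Core Netfilter Configuration, rebuilding, and rebooting into the new kernel before iptables can find the target.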