Hi, guys
I was wondering how I can achieve routing like FreeBSD's ipstealth.
In other words, how can I make my Linux route like FreeBSD with the ipstealth option compiled in? I want my Linux kernel not to touch the TTL value when routing Internet traffic. Can anyone tell me? In *BSD it is easy, but in Linux?
Hack /usr/src/linux/net/ip_forward.c, comment out ip_decrease_ttl(iph); and recompile your kernel.
If you're trying to hide it from tracert (that is, Microsoft's traceroute) you can DROP ICMP type 11. That will only work against tracert though (the *NIX traceroute uses UDP).
Depends on how your kernel config is set up. I'd do both (not knowing what you have as modules), but you can try the bzImage first. The worst it can do is not work (or panic the machine) ...
Out of morbid curiosity -- If you're not trying to hide from traceroute, what's the point?
OK, I've tested it.
It works, but not quite...
First let me tell you why I'm doing this.
So... I receive every packet from my ISP with TTL=0; originally this prevents NAT-ing.
I've patched my kernel with patch-o-matic for TTL target support and set the TTL to some other value, so my machines behind the router have Internet now.
But the "TTL target support" exercise is too boring, I need something quick and easy.
In FreeBSD it is very easy, just compile the kernel with ipstealth and everything is fine.
So I want something like ipstealth in Linux.
sigsegv, I've tested what you told me
and it works when there is some value different from zero
I set the TTL to 128 and a machine behind the router receives TTL=127
that was before
with my new kernel
the machine receives 128
but when I flush iptables, the TTL goes back to zero and the machines behind the router don't receive anything...
With FreeBSD they received same as the router (TTL=0)
Code:
/*
 * According to the RFC, we must first decrease the TTL field. If
 * that reaches zero, we must reply an ICMP control message telling
 * that the packet's lifetime expired.
 */
iph = skb->nh.iph;
rt = (struct rtable*)skb->dst;
if (iph->ttl <= 1)
        goto too_many_hops;
2 ugly things:
- there is a goto command
- (iph->ttl <= 1) also triggers for ttl=0 and ttl=1
Comment out
Code:
if (iph->ttl <= 1)
        goto too_many_hops;
too, to ignore ttl (dangerous!! may cause packets to loop infinitely on your network, especially if you do it on more than one machine or the machine sends junk to itself).
stonux, these two lines are just a condition
if TTL=0/1 it sends ICMP for expiration or something...
this has nothing to do with the IP header
and there is no reason for "looping infinitely"
sorry, but I think you are generally wrong
read my previous post again
I'm not talking about an endless loop in the code.
I'm talking about packets endlessly looping on the network.
The reason why TTL has been introduced is not to prevent
ISP customers from NATting :-).
I just suspect that this "if" statement drops the packets.
Man, sorry, but I think you are nuts
I know what you mean!
But you are wrong.
How do you imagine this:
Quote:
packets endlessly loop on the network.
?
And about ISPs...
they don't really care about the reason why the TTL field exists in the IP header. They just use it to prevent most of the clients from using NAT (although I can't see a method or technique an ISP can use to prevent some advanced UNIX user from NAT-ing, but OK, let them set TTL=0)
stonux, no offence meant!
I just don't agree with you
sorry
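Added example, not part of any post in this thread and not kernel code: a simplified C model of the forwarding decision quoted above, run over a two-router routing loop, showing what each of the two discussed edits does to a packet's lifetime. The struct, the function names, the loop topology and the simulation cap are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical switches for the two kernel lines discussed in the thread. */
struct fwd_cfg {
    int check_ttl;     /* keep "if (iph->ttl <= 1) goto too_many_hops;" */
    int decrement_ttl; /* keep "ip_decrease_ttl(iph);" */
};
static const struct fwd_cfg STOCK    = { 1, 1 };
static const struct fwd_cfg NO_DECR  = { 1, 0 };
static const struct fwd_cfg NO_CHECK = { 0, 0 };

enum verdict { FORWARDED, TTL_EXPIRED };

/* Simplified model of one router's forwarding decision; updates *ttl. */
static enum verdict forward_one_hop(const struct fwd_cfg *cfg, unsigned char *ttl)
{
    if (cfg->check_ttl && *ttl <= 1)
        return TTL_EXPIRED;   /* a real router answers with ICMP type 11 */
    if (cfg->decrement_ttl && *ttl > 0)
        (*ttl)--;
    return FORWARDED;
}

/* Constructed topology: two routers that each send the packet to the other.
 * Returns the number of forwards before the drop, or cap if still looping. */
static int hops_in_loop(const struct fwd_cfg *cfg, unsigned char ttl, int cap)
{
    int hops = 0;
    while (hops < cap && forward_one_hop(cfg, &ttl) == FORWARDED)
        hops++;
    return hops;
}

int main(void)
{
    const int cap = 100000;   /* simulation limit, not a protocol value */
    printf("stock,    TTL 64: %d forwards\n", hops_in_loop(&STOCK, 64, cap));
    printf("no decr,  TTL 64: %d forwards\n", hops_in_loop(&NO_DECR, 64, cap));
    printf("no decr,  TTL 0:  %d forwards\n", hops_in_loop(&NO_DECR, 0, cap));
    printf("no check, TTL 0:  %d forwards\n", hops_in_loop(&NO_CHECK, 0, cap));
    return 0;
}
```

In this model, removing only the decrement lets a packet with a usable TTL circulate until the simulation cap, while a packet arriving with TTL 0 is still dropped by the remaining check.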