LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-28-2016, 04:39 PM   #1
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

TTL modification not working in DDWRT router


I've asked on forums dedicated to DDWRT but received zero help. I'm hoping this community will be more helpful.

My ISP is blocking routers by reducing the TTL down to 1 on packets forwarded back to the customers.

I am trying to increase the TTL on PREROUTED packets. My commands aren't being rejected, nor are they working.

The table prior to my command:

Code:
iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       0    --  anywhere             10.159.2.121         MARK or 0x80000000
CONNMARK   0    --  anywhere             anywhere            CONNMARK save
The command I am using, or variations of it:

Code:
iptables -t mangle -I PREROUTING 1 -i eth0 -j TTL --ttl-set 10
Showing the table again shows no changes and my pings through the router are still failing and no web pages are reachable.

I've been beating my head against this problem for weeks now. I could really use some advice.
 
Old 05-28-2016, 05:21 PM   #2
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,760

Please include the "-v" option when listing the table so that all qualifiers are shown, or else just post the relevant lines from "iptables-save". Otherwise, I don't see anything wrong in what you've done. Does "iptables -t mangle -vnL" show increasing packet counts for this rule?

EDIT: Actually, there is an issue for outgoing packets. That TTL is limiting your outgoing packets to 9 hops. If your incoming packets are reaching their destination and it's just the replies that are getting lost, that could be the issue. Try a more reasonable value like 64.

Last edited by rknichols; 05-28-2016 at 05:38 PM.
 
Old 05-28-2016, 05:58 PM   #3
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
Quote:
Originally Posted by rknichols
Please include the "-v" option when listing the table so that all qualifiers are shown, or else just post the relevant lines from "iptables-save". Otherwise, I don't see anything wrong in what you've done. Does "iptables -t mangle -vnL" show increasing packet counts for this rule?

EDIT: Actually, there is an issue for outgoing packets. That TTL is limiting your outgoing packets to 9 hops. If your incoming packets are reaching their destination and it's just the replies that are getting lost, that could be the issue. Try a more reasonable value like 64.
My rule never appears in the table. Shouldn't I see a third line in the output after applying my command? Here is the iptables -t mangle -vnL output:

Code:
 iptables -t mangle -L PREROUTING -v
Chain PREROUTING (policy ACCEPT 264K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  2700 MARK       0    --  !eth0  any     anywhere             10.159.2.121         MARK or 0x80000000
 264K   23M CONNMARK   0    --  any    any     anywhere             anywhere            CONNMARK save
Why is the interface shown as "!eth0"? I tried adding the bang to my command and it rejects it.

eth0 is my WAN interface. I am attempting to capture traffic coming back into my network and increase the TTL prior to the router handling the packet. Without my router in place, this is what a ping to Google's DNS looks like:

Code:
Reply from 8.8.8.8: bytes=32 time=159ms TTL=1
Reply from 8.8.8.8: bytes=32 time=159ms TTL=1
Reply from 8.8.8.8: bytes=32 time=154ms TTL=1
Reply from 8.8.8.8: bytes=32 time=158ms TTL=1
Once I get this PREROUTING command to work I will modify POSTROUTING to increase the TTL on my outgoing packets to hide my router.

Thanks for responding, by the way. Yours is the first response I have received in two weeks of asking for help on other sites.
 
Old 05-28-2016, 09:32 PM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,760

Quote:
Originally Posted by Littleolme
My rule never appears in the table. Shouldn't I see a third line in the output after applying my command?
Yes, the rule should definitely appear there. Is there perhaps some firewall daemon that keeps updating the rules? (That seems pretty unlikely unless your "router" is, like mine, an ordinary Linux machine that happens to have more than one network interface.)
Quote:
Why is the interface shown as "!eth0"? I tried adding the bang to my command and it rejects it.
The syntax is more restrictive than it used to be. Either of these used to be equivalent:
Code:
! -i eth0
-i !eth0
Now, only the first form is acceptable. (There are some cases where the infix form can be confusing to humans.)
 
Old 05-29-2016, 04:20 AM   #5
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
Quote:
Originally Posted by rknichols
Yes, the rule should definitely appear there. Is there perhaps some firewall daemon that keeps updating the rules? (That seems pretty unlikely unless your "router" is, like mine, an ordinary Linux machine that happens to have more than one network interface.)

The syntax is more restrictive than it used to be. Either of these used to be equivalent:
Code:
! -i eth0
-i !eth0
Now, only the first form is acceptable. (There are some cases where the infix form can be confusing to humans.)
My router is a Trendnet TEW-824DRU. It is just a small home router with the typical 4 switch interfaces and one routed WAN interface.

It does have a firewall that will erase the configs after a reboot unless I add my commands to a firewall script, but from what I understand I should be able to test the commands on the command line and add them to the script once I confirm they work.

I keep changing the format of the command and adding more to it without any success. Here is the current format:

Code:
iptables -t mangle -I PREROUTING 1 -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j TTL --ttl-set 10
-i ! eth0 is accepted as well, but doesn't work either.
 
Old 05-29-2016, 04:22 AM   #6
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
For reference, this is the iptables command help:

Code:
iptables v1.3.7

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
 
Old 05-29-2016, 10:09 AM   #7
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,760

This is really strange. I tried that on a Linksys WRT-54GL router I have running DD-WRT, and the rule inserts just fine.
Code:
root@DD-WRT:~# iptables -t mangle -I PREROUTING 1 -i eth0 -j TTL --ttl-set 37; echo $?
0
root@DD-WRT:~# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 478 packets, 30689 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TTL        0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           TTL set to 37
My router is running the same iptables v1.3.7 that you have. I don't know what is happening, but it doesn't seem to be anything you are doing wrong. I did make several errors slightly mistyping the command, and no error message was displayed. Only by checking the return code ("echo $?") could I see that the command was rejected. Do make sure you aren't doing something similar.
 
Old 05-29-2016, 10:59 AM   #8
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
What do you receive from the echo command when the command works? I added it and all I receive back is "1".

Never mind, I see the "0". I need to research what the echo does.

Last edited by Littleolme; 05-29-2016 at 12:38 PM.
 
Old 05-29-2016, 01:01 PM   #9
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,760

The "echo $?" shows the return code from the immediately preceding command. A non-zero value generally indicates some sort of failure. Note the word "immediately." If you run "echo $?" a second time, the code will be from the echo command that preceded it, and that will always be 0.
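One way to script the two checks rknichols describes in posts #7 and #9, as an added example that is not from the thread: capture the exit status immediately after the command, then confirm the TTL rule actually appears in the verbose PREROUTING listing. The sample listing is constructed from the shape of the DD-WRT output above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the two checks rknichols suggested.
# 1) capture "$?" from the iptables command itself, before any other command
#    overwrites it; 2) confirm the TTL rule is present in the PREROUTING listing.

# Constructed sample listing, copied from the shape of the DD-WRT output in post #7.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 478 packets, 30689 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TTL        0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           TTL set to 37
 264K   23M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save'

# Run a command and report its exit status immediately; returns that status.
# A silent non-zero status is exactly what a mistyped iptables v1.3.7 command produces.
run_checked() {
    "$@"
    rc=$?
    echo "exit status of '$1': $rc" >&2
    return "$rc"
}

# Read an "iptables -t mangle -vnL PREROUTING" listing on stdin and print how
# many TTL rules match the given input interface (column 6 is the "in" column).
ttl_rule_count() {
    awk -v iface="$1" 'NR > 2 && $3 == "TTL" && $6 == iface { n++ } END { print n + 0 }'
}

# Print the packet counter of the first TTL rule on the interface, or "none".
# A counter that never increases means traffic is not hitting the rule at all.
ttl_rule_pkts() {
    awk -v iface="$1" 'NR > 2 && $3 == "TTL" && $6 == iface { print $1; found = 1; exit }
                       END { if (!found) print "none" }'
}

# Usage on a real router (assumes iptables is present; not executed here):
#   run_checked iptables -t mangle -I PREROUTING 1 -i eth0 -j TTL --ttl-set 64 \
#     && iptables -t mangle -vnL PREROUTING | ttl_rule_count eth0
```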
 
Old 05-29-2016, 03:30 PM   #10
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
I wonder if I have a buggy DDWRT build. I'll research how to upgrade or downgrade if necessary. Thanks for your assistance.
 
Old 06-01-2016, 12:06 PM   #11
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
Well, I downgraded my build and am having the same result.

Previously: V3.0 build 27745 (listed as Beta in the Wiki).

I downgraded to V3.0 build 27722.

Nothing changed, same result. I'm about to throw out this router and buy a Linksys.
 
Old 06-01-2016, 01:45 PM   #12
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,760

Rep: Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207
It sounds as though you're requesting something that just isn't implemented in the kernel. I'm running a fairly ancient** build 12533 v24-sp2 from 7/21/2009, so I really can't help with any of the newer builds.
** It's just a wireless access point and switch with all routing functions disabled and no direct connection to the outside world. I'm not terribly worried that someone's going to hack into it.
 
Old 06-02-2016, 10:51 AM   #13
Littleolme
LQ Newbie
 
Registered: May 2016
Posts: 8

Original Poster
I just ordered a Broadcom chipped router. They seem to be more popular so hopefully I will have better luck with it.
 
Old 04-28-2017, 05:13 PM   #14
Packetman007
LQ Newbie
 
Registered: Apr 2017
Location: Sacramento
Posts: 1

IP TTL Changes

Are you still working to change TTL values on iptables?

I am looking for some help to individually change the TTL on about 25 select IP addresses on their way outbound.

I am hoping to find a programmer to perhaps write some code to help us change the TTL more easily by device.

If you have any advice or know where to go, I'd appreciate your help.

Bill
 