Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Setting a correct TTL value for packets leaving your LAN doesn't make your ISP, for example, see you have more than 1 computer on 1 connection. In my LAN, PCs browsing the internet pass through 2 gateways (2 HOPS): my front router and my Linux firewall box. I have a Debian 3.1 2.6 and I have set in /proc/sys/net/ipv4/ip_default_ttl a value of 64. I know this value depends on the number of hops the packet has to pass before it reaches the destination, right? I don't want to get traced by traceroutes either. Could someone point me to a link where this is explained well? Considering I use 2 gateways, what value should I better set?
Thanks!
The /proc setting is only for packets generated by the gateway..
For LAN packets use iptables on the firewallbox..
iptables -t mangle -A POSTROUTING -o eth~ -j TTL --ttl-set 64
(Use your outgoing eth interface name here)
See man iptables for more details.
Set the TTL value to the same as the /proc setting.
Interesting reading if you really want to understand things.
Quote:
Time to Live: 8 bits
This field indicates the maximum time the datagram is allowed to
remain in the internet system. If this field contains the value
zero, then the datagram must be destroyed. This field is modified
in internet header processing. The time is measured in units of
seconds, but since every module that processes a datagram must
decrease the TTL by at least one even if it process the datagram in
less than a second, the TTL must be thought of only as an upper
bound on the time a datagram may exist. The intention is to cause
undeliverable datagrams to be discarded, and to bound the maximum
datagram lifetime.
One solution if you "don't want to get tracerouted" is to not accept packets with TTL<X, X being the number of hops of your network.
There are different approaches to this problem.
Don't forget to also block "record route" packets.
... PREROUTING because it's going to be for incoming traceroutes ... . If a traceroute is for a DMZ server it would have 2 hops before it, so I think it is better to use the --ttl-inc 2 option for a server behind two gateways and --ttl-inc 1 for the firewall that has 1 gateway before it. My LAN is:
[netgear-router] --- [FirewallLinux] --- [switch] --- [www] --- [mail&ftp]
RIGHT?????
Result:
+ /sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name
POSTROUTING for the outgoing packets, so your ISP doesn't get nasty..
From man iptables..
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
The standard Debian kernel-image-2.6 doesn't include TTL, hence the error messages, so you'll need to compile your own kernel if you want to use it..
For incoming traceroutes, you can drop your outgoing icmp responses with..
iptables -I OUTPUT -p icmp -m icmp --icmp-type time-exceeded -j DROP
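As an added example (not code from this thread), the following Python models the two mechanisms the replies describe: the mangle POSTROUTING TTL rewrite that makes forwarded LAN packets reach the ISP with the same TTL as the firewall's own packets, and the OUTPUT drop of ICMP time-exceeded that blanks the firewall hop in an outside traceroute. Hop names follow the OP's diagram; the path lengths, initial TTLs and the "isp-edge" hop are assumptions.

```python
COMMON_INITIAL_TTLS = (64, 128, 255)   # Linux/BSD, Windows, many routers


def ttl_seen_by_isp(initial_ttl, path, rewrite_at=None, rewrite_to=64):
    """TTL of a packet when it reaches the ISP.
    path       - forwarding hops between the source host and the ISP, in order
    rewrite_at - hop running `-j TTL --ttl-set <rewrite_to>` in mangle/POSTROUTING;
                 the rewrite happens after that hop's own decrement
    """
    ttl = initial_ttl
    for hop in path:
        ttl -= 1                      # RFC 791: every forwarding module decrements
        if ttl == 0:
            return None               # discarded in transit, the ISP never sees it
        if hop == rewrite_at:
            ttl = rewrite_to
    return ttl


def hops_inferred_by_isp(observed_ttl):
    """Hops-behind-the-link guess a passive observer makes: distance from the
    nearest common initial TTL at or above the observed value."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def traceroute_view(path, silent_hops=()):
    """Hop list an outside traceroute prints toward path[-1].
    Probe n expires at hop n, which answers ICMP time-exceeded unless it drops
    those replies in its OUTPUT chain (the rule in the last reply); such a hop
    shows as '*'. The final host answers the probe itself (port-unreachable or
    echo-reply), so filtering time-exceeded does not hide it as a destination.
    """
    view = []
    for n, hop in enumerate(path, start=1):
        if n == len(path) or hop not in silent_hops:
            view.append(hop)
        else:
            view.append("*")
    return view


if __name__ == "__main__":
    lan_path = ["FirewallLinux", "netgear-router"]        # PC -> ISP, per the OP's diagram (constructed)
    print(ttl_seen_by_isp(128, lan_path))                              # 126: Windows PC, 2 hops behind
    print(ttl_seen_by_isp(128, lan_path, rewrite_at="FirewallLinux"))  # 63: same as the firewall's own
    print(ttl_seen_by_isp(64, ["netgear-router"]))                     # 63: firewall-generated packet
    print(traceroute_view(["isp-edge", "netgear-router", "FirewallLinux", "www"],
                          silent_hops={"FirewallLinux"}))              # FirewallLinux shows as '*'
```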