Old 07-09-2020, 10:27 AM   #1
unassailable
Member
 
Registered: May 2012
Distribution: gentoo, debian, qubes, openELEC
Posts: 42

Rep: Reputation: 2
Setting TTL using IPTables in Gentoo


My goal is to set the value of my connection's TTL, as demonstrated by [1] [2] [3] [4] [5] [6].

Fresh install of iptables/ip6tables following [7]

Code:
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

When adding the rule
Code:
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

I receive the error

Code:
iptables: No chain/target/match by that name.

[5] shows that ipt_ttl.ko was required circa 2007, and [6] shows this was succeeded by xt_state.ko circa 2009.

I've compiled my kernel and have loaded xt_state.ko, but the error still persists.

Code:
cat .config|grep -i _NETFILTER_
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_STATE=m

Code:
cat .config|grep -i mangle
CONFIG_IP_NF_MANGLE=y
CONFIG_IP6_NF_MANGLE=y

Code:
lsmod
Module                  Size  Used by
xt_state               16384  0
iptable_nat            16384  0
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 32768  1 nf_nat_ipv4
xt_conntrack           16384  5
nf_conntrack           98304  4 xt_conntrack,nf_nat,xt_state,nf_nat_ipv4
nf_defrag_ipv6         16384  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack

I have also recompiled net-firewall/iptables with the conntrack, netlink, and nftables USE flags, still no change.

Code:
[ebuild   R    ] net-firewall/iptables-1.6.1-r3:0/12::gentoo  USE="conntrack ipv6 netlink nftables (split-usr) -pcap -static-libs" 0 KiB

I assume that I'm missing something obvious. Has anyone dealt with this before on Gentoo?
 
Old 07-10-2020, 08:36 AM   #2
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
Well, it works in Debian-like systems, but in PREROUTING. POSTROUTING wouldn't change TTL. What iptables says is that your system probably lacks the TTL target. WHY is not something I can tell right away, though.
 
Old 10-09-2020, 12:45 PM   #3
unassailable
Member
 
Registered: May 2012
Distribution: gentoo, debian, qubes, openELEC
Posts: 42

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by tinfoil3d
What iptables says is that your system probably lacks the TTL target.

This was correct; the kernel required the following to be set:

Code:
NETFILTER_ADVANCED [=y]
NETFILTER_XT_TARGET_HL [=m]
IP_NF_MATCH_TTL [=y]
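The checks implied by the thread, as an added example that is not part of the original posts: a POSIX sh script that reads a kernel .config (or the running kernel's /proc/config.gz) and reports which of the symbols post #3 found necessary are disabled, then confirms the target module is loadable. The symbol names come from the thread; the module name xt_HL (what NETFILTER_XT_TARGET_HL builds) and the /usr/src/linux/.config fallback are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Symbols are the ones post #3 reports as
# required for the iptables TTL target (plus IP_NF_MANGLE, which the poster
# already had). xt_HL is assumed to be the module NETFILTER_XT_TARGET_HL builds.
REQUIRED_SYMBOLS="CONFIG_NETFILTER_ADVANCED CONFIG_NETFILTER_XT_TARGET_HL CONFIG_IP_NF_MATCH_TTL CONFIG_IP_NF_MANGLE"

# Emit the running kernel's config if exposed, else the Gentoo source-tree copy (assumed path).
load_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        cat /usr/src/linux/.config
    fi
}

# Read config text from the given files (or stdin) and print "ok" or
# "missing: <symbols>". A symbol only counts when set to y or m, so both
# "# CONFIG_X is not set" and a symbol absent from the file are reported.
# Returns 1 when anything is missing, so it can gate the module/rule check.
check_ttl_config() {
    cfg=$(cat "$@")
    missing=""
    for sym in $REQUIRED_SYMBOLS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${sym}=(y|m)$"; then
            missing="$missing $sym"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# With the config right, the module must resolve (modprobe -n is a dry run) and
# the rule must parse. iptables -C changes nothing: it only asks whether the rule
# exists, and its error text tells a missing target apart from a missing rule.
verify_ttl_target() {
    modprobe -n xt_HL >/dev/null 2>&1 || { echo "xt_HL module not available"; return 1; }
    out=$(iptables -t mangle -C POSTROUTING -j TTL --ttl-set 65 2>&1) && { echo "TTL rule present"; return 0; }
    case $out in
        *"No chain/target/match by that name"*) echo "TTL target still unknown to the kernel"; return 1 ;;
        *) echo "TTL target usable; rule not present" ;;
    esac
}

# Only touch the running system when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--running" ]; then
    load_kernel_config | check_ttl_config && verify_ttl_target
fi
```

Run it as `sh check_ttl.sh --running` on the box in question; the first failing line is the symbol (or module) to fix before retrying the iptables rule.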
 