Bypass Anti Tethering

vim /etc/init.d/firewall-custom

Insert this script into firewall-custom:

#!/bin/sh /etc/rc.common

START=99

start() {
    logger -t firewall-custom "Starting custom firewall rules"

    # Also bypass TTL/HL detections for other devices that connect to this device.
    # Routers (as the client) require their own TTL/HL increment script.
    # Tethering interfaces -> rndis0: USB, wlan1: Wi-Fi, bt-pan: Bluetooth.
    # -A: append as last rule in chain, -I: insert as first rule in chain (by default).
    iptables -t mangle -A PREROUTING -i wlan0 -j TTL --ttl-inc 65
    iptables -t mangle -I POSTROUTING -o wlan0 -j TTL --ttl-inc 65
    ip6tables -t mangle -A PREROUTING ! -p icmpv6 -i wlan0 -j HL --hl-inc 65
    ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o wlan0 -j HL --hl-inc 65

    # The rules below are templates: replace the "(ex. ...)" placeholder and uncomment.
    # Set TTL for outgoing packets on wlan0
    # iptables -t mangle -A POSTROUTING -o (ex. wlan0) -j TTL --ttl-set 65
    # Set TTL for incoming packets on wlan0
    # iptables -t mangle -A PREROUTING -i (ex. wlan0) -j TTL --ttl-set 65
    # Set TTL for outgoing packets from 10.0.0.1
    # iptables -t mangle -A POSTROUTING -s (ex. 10.0.0.1) -j TTL --ttl-set 65
    # Set TTL for incoming packets destined to 10.0.0.1
    # iptables -t mangle -A PREROUTING -d (ex. 10.0.0.1) -j TTL --ttl-set 65
}

stop() {
    logger -t firewall-custom "Stopping custom firewall rules"

    # Remove the rules added in start() (same match, -D instead of -A/-I)
    iptables -t mangle -D PREROUTING -i wlan0 -j TTL --ttl-inc 65
    iptables -t mangle -D POSTROUTING -o wlan0 -j TTL --ttl-inc 65
    ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i wlan0 -j HL --hl-inc 65
    ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o wlan0 -j HL --hl-inc 65

    # Templates matching the commented rules in start(); uncomment the ones you enabled.
    # Remove TTL setting for outgoing packets on wlan0
    # iptables -t mangle -D POSTROUTING -o (ex. wlan0) -j TTL --ttl-set 65
    # Remove TTL setting for incoming packets on wlan0
    # iptables -t mangle -D PREROUTING -i (ex. wlan0) -j TTL --ttl-set 65

    logger -t ttl-custom "Removing TTL setting for 10.0.0.1"
    # Remove TTL setting for outgoing packets from 10.0.0.1
    # iptables -t mangle -D POSTROUTING -s (ex. 10.0.0.1) -j TTL --ttl-set 65
    # Remove TTL setting for incoming packets destined to 10.0.0.1
    # iptables -t mangle -D PREROUTING -d (ex. 10.0.0.1) -j TTL --ttl-set 65
}

Just FYI:

  • There are quite a few threads on this already
  • OpenWrt switched from iptables to nftables in an earlier release - this won't work by default on newer firmware
  • Other threads provide native nft syntax to perform the same function without installing additional software

Kinda converted a particular ruleset yesterday.

Interesting, which provider started to battle tethering to raise interest in this....


This is only applicable on a wireless hotspot with anti-tethering enabled. It's like receiving ttl=1 and broadcasting it as ttl=64.

AP ttl=1 radio0 -> Openwrt router radio1 ttl=64

There is another check for ttl=64 in the upload direction sometimes.
Something like ping -t 62 8.8.8.8 should be dropped then from the phone or LAN.

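The two checks the replies above describe (the upstream check, where a TTL that has already been decremented by one hop reveals a forwarding device behind the subscriber, and the downstream ttl=1 handout that cannot be forwarded again) as an added detection-side example; this is not code from the thread, the tcpdump -v style lines are constructed, and the set of initial TTLs is an assumption:

```python
import re
from collections import defaultdict

# Initial TTL values used by common OS network stacks (assumption: the
# gateway compares observed TTLs against this well-known set).
INITIAL_TTLS = (64, 128, 255)
# Matches the "ttl N" field and the source IP of a single-line tcpdump -v record.
TTL_RE = re.compile(r"\bttl (\d+),.*?\) (\d+\.\d+\.\d+\.\d+)\.\d+ > ")

# Constructed sample traffic as seen by the gateway: 10.0.0.5 sends packets at
# ttl 64 (itself) but also at ttl 63 and ttl 127 (hosts behind it, one hop away).
SAMPLE_LINES = [
    "12:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.40000 > 8.8.8.8.443: Flags [S]",
    "12:00:01.000002 IP (tos 0x0, ttl 63, id 2, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.40001 > 8.8.8.8.443: Flags [S]",
    "12:00:01.000003 IP (tos 0x0, ttl 127, id 3, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.40002 > 8.8.8.8.443: Flags [S]",
    "12:00:01.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto UDP (17), length 60) 10.0.0.9.5000 > 8.8.8.8.53: UDP",
    "12:00:01.000005 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
]

def hop_distance(ttl: int) -> int:
    """Hops travelled, assuming the packet started at the smallest initial TTL >= ttl."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base - ttl
    raise ValueError("TTL out of range")

def parse_line(line: str):
    """Return (source_ip, ttl) for one tcpdump -v line, or None if it carries no TTL."""
    m = TTL_RE.search(line)
    return (m.group(2), int(m.group(1))) if m else None

def tethering_suspects(lines, max_direct_hops: int = 0):
    """Upstream check: a subscriber talking directly to the gateway shows distance 0;
    a larger distance means the packet crossed a forwarding hop, i.e. it came from a
    device behind the subscriber. Returns {src: sorted distances} for flagged sources."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, ttl = parsed
            seen[src].add(hop_distance(ttl))
    return {src: sorted(d) for src, d in seen.items() if max(d) > max_direct_hops}

def downstream_forwardable(ttl: int) -> bool:
    """Downstream check: a packet handed to the subscriber with ttl 1 cannot be
    forwarded again, because the next router decrements it to 0 and drops it."""
    return ttl > 1

if __name__ == "__main__":
    print(tethering_suspects(SAMPLE_LINES))  # {'10.0.0.5': [0, 1]}
```

The --ttl-set/--ttl-inc rules in the first post defeat exactly this upstream check by rewriting every forwarded packet back to distance 0, which is why a gateway relying on TTL alone cannot tell a tethered host from the subscriber device.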

I'm connected to the AP with ttl=1 from a gateway 10.0.0.1 (anti-tethering enabled); using this Keenetic router in WISP mode, it will set the outbound TTL to 64 instead of 0.

Those iptables rules are for wireless ISP mode only; they will accept ttl=1 and broadcast ttl=64 for wireless clients.

Test outside site not gw...
