Changing TTL on the new OpenWRT versions

Following this thread: Working Nftables Rule for TTL in 22.03

Wouldn't this solution be more user friendly?

Installing these 2 opkgs:

  • iptables-mod-ipopt
  • iptables-zz-legacy

Creating and filling the following file:

  • /etc/init.d/firewall-custom
#!/bin/sh /etc/rc.common

START=99

start() {
    logger -t firewall-custom "Starting custom firewall rules"

    # Set TTL for outgoing packets on usb0
    iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65

    # Set TTL for incoming packets on usb0
    iptables -t mangle -A PREROUTING -i usb0 -j TTL --ttl-set 65

    # Set TTL for outgoing packets from 192.168.1.1
    iptables -t mangle -A POSTROUTING -s 192.168.1.1 -j TTL --ttl-set 65

    # Set TTL for incoming packets destined to 192.168.1.1
    iptables -t mangle -A PREROUTING -d 192.168.1.1 -j TTL --ttl-set 65
}

stop() {
    logger -t firewall-custom "Stopping custom firewall rules"

    # Remove TTL setting for outgoing packets on usb0
    iptables -t mangle -D POSTROUTING -o usb0 -j TTL --ttl-set 65

    # Remove TTL setting for incoming packets on usb0
    iptables -t mangle -D PREROUTING -i usb0 -j TTL --ttl-set 65

    logger -t ttl-custom "Removing TTL setting for 192.168.1.1"

    # Remove TTL setting for outgoing packets from 192.168.1.1
    iptables -t mangle -D POSTROUTING -s 192.168.1.1 -j TTL --ttl-set 65

    # Remove TTL setting for incoming packets destined to 192.168.1.1
    iptables -t mangle -D PREROUTING -d 192.168.1.1 -j TTL --ttl-set 65
}

sysctl -w net.ipv4.ip_default_ttl=65 ?

It is against iPhone anti-tethering :wink:

Now I'm just trying to figure out why I get a TTL of 64 when pinging the tether IP from cmd, but if I use the OpenWRT GUI to ping the same IP, it gives me 65.

Because the returning packet loses one hop. Wait a bit, I'll get to a keyboard and do the nftables conversion :wink:

So what would be the best recommendation for achieving the same exact TTL on both devices? nftables? Thx

You just need to trick the iPhone by setting ttl/hl on outgoing packets.
mangle prerouting does not know the -d destination address.

Would you be able to replicate and post it?

I'm on Android btw

Yes, but not in an instant. You could go with iptables-nft which takes iptables plugin libraries too.

I use this for fw4 nftables; it was posted on the gl.inet forum some time ago

mkdir -p /usr/share/nftables.d/chain-pre/mangle_postrouting/
echo "ip ttl set 65" >  /usr/share/nftables.d/chain-pre/mangle_postrouting/01-set-ttl.nft
fw4 reload

ip ttl gt 1 ...

Oki
in /etc/nftables.d/ttl65.nft

chain raw_output {
        type filter hook output priority raw; policy accept;
        oif $wan_devices ip ttl { 2-64 , 66-255 } ip ttl set 65
        # oif $wan_devices ip6 hoplimit { 2-64 , 66-255 } ip6 hoplimit set 65
}

fw4 check -> confirm it is correct
fw4 print -> maybe you do not need the customary ethernet WAN to set the TTL, so add just the mobile interface in place of the variable
service firewall restart


bytecode dump

inet (null) (null) use 0
// 2 value ranges lookup table
__set%d test1 7 size 5
__set%d test1 0
        element 00000000  : 1 [end]     element 00000002  : 0 [end]     element 00000041  : 1 [end]     element 00000042  : 0 [end]  userdata = { \x01\x04\x01\x00\x00\x00 }
inet test1 test2
// oif "lo"
  [ meta load oif => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
// implicit filter
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x00000002 ]
// ip ttl { .. }
  [ payload load 1b @ network header + 8 => reg 1 ]
  [ lookup reg 1 set __set%d ]
// ip ttl set
  [ payload load 2b @ network header + 8 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000041 ]
// implicit adjust checksum
  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]

Given the heavy bytecode, it is worth setting the TTL to 65 with sysctl to slip through.
Not compatible with either offload, as they do ttl-1 and there is no way to override it.
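The `ip ttl set` bytecode above loads the 2-byte (ttl, protocol) word at IPv4 offset 8, rewrites only the TTL byte and lets the kernel adjust the header checksum at offset 10. The following is an added Python model of that rewrite (not code from this thread), run over a constructed IPv4 header, so you can see exactly what a TTL-setting rule changes in a packet and that the checksum stays valid; the `{ 2-64, 66-255 }` match from the fw4 rule above is modelled by `rule_matches`:

```python
import struct

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(hdr: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return ip_checksum(hdr) == 0

def build_ipv4_header(ttl: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (ICMP, no options) with a valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, 1, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def rule_matches(ttl: int) -> bool:
    """ip ttl { 2-64 , 66-255 }: skip packets already at 65 and expiring ones."""
    return 2 <= ttl <= 64 or 66 <= ttl <= 255

def set_ttl_incremental(hdr: bytes, new_ttl: int = 65) -> bytes:
    """Mirror the nft bytecode: load 2 bytes at offset 8 (ttl, protocol),
    keep the protocol byte, set the TTL byte (the 0x0000ff00 mask in the
    dump is in host byte order), then fix the checksum at offset 10
    incrementally per RFC 1624: HC' = ~(~HC + ~m + m')."""
    old_word = struct.unpack("!H", hdr[8:10])[0]
    new_word = (old_word & 0x00FF) | (new_ttl << 8)
    old_csum = struct.unpack("!H", hdr[10:12])[0]
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    new_csum = (~s) & 0xFFFF
    return hdr[:8] + struct.pack("!HH", new_word, new_csum) + hdr[12:]

if __name__ == "__main__":
    pkt = build_ipv4_header(64, "192.168.1.1", "8.8.8.8")  # constructed sample
    out = set_ttl_incremental(pkt, 65) if rule_matches(pkt[8]) else pkt
    print("ttl %d -> %d, checksum valid: %s" % (pkt[8], out[8], checksum_ok(out)))
```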

nft -f /etc/nftables.d/ttl65.nft
/etc/nftables.d/ttl65.nft:1:18-18: Error: syntax error, unexpected '{', expecting string or last
chain raw_output {
                 ^
/etc/nftables.d/ttl65.nft:2:9-12: Error: syntax error, unexpected type
        type filter hook output priority raw; policy accept;
        ^^^^
/etc/nftables.d/ttl65.nft:2:47-52: Error: syntax error, unexpected policy
        type filter hook output priority raw; policy accept;
                                              ^^^^^^
/etc/nftables.d/ttl65.nft:3:9-11: Error: syntax error, unexpected oif
        oif $wan_devices ip ttl { 2-64 , 66-255 } ip ttl set 65
        ^^^
/etc/nftables.d/ttl65.nft:5:1-1: Error: syntax error, unexpected '}'
}
^

I tried to load the rule.

100% works for me.

ubus call system board

Where did you get that nft -f part from?

I ended up with this

#!/bin/sh

logger -t firewall-custom "Starting custom firewall rules"

# Create the mangle table if it doesn't exist (add is idempotent),
# then flush any rules already in it
nft add table inet mangle
nft flush table inet mangle

# Add chains for postrouting and prerouting with TTL modification
nft add chain inet mangle mangle_ttl_out { type filter hook postrouting priority mangle \; policy accept \; }
nft add chain inet mangle mangle_ttl_in { type filter hook prerouting priority mangle \; policy accept \; }

# Add rule to the mangle_ttl_out chain for outgoing packets on usb0
nft add rule inet mangle mangle_ttl_out oifname "usb0" ip ttl set 65

# Add rule to the mangle_ttl_in chain for incoming packets on usb0
nft add rule inet mangle mangle_ttl_in iifname "usb0" ip ttl set 65

# Add rule to the mangle_ttl_out chain for outgoing packets from 192.168.1.1
nft add rule inet mangle mangle_ttl_out ip saddr 192.168.1.1 ip ttl set 65

# Add rule to the mangle_ttl_in chain for incoming packets destined to 192.168.1.1
nft add rule inet mangle mangle_ttl_in ip daddr 192.168.1.1 ip ttl set 65

logger -t firewall-custom "Custom firewall rules applied"

ChatGPT xd