Following this thread: Working Nftables Rule for TTL in 22.03
Wouldn't this solution be more user-friendly?
Installing these 2 opkgs:
iptables-mod-ipopt
iptables-zz-legacy
Creating and filling the following file:
/etc/init.d/firewall-custom
#!/bin/sh /etc/rc.common
START=99
start() {
    logger -t firewall-custom "Starting custom firewall rules"
    # Set TTL for outgoing packets on usb0
    iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65
    # Set TTL for incoming packets on usb0
    iptables -t mangle -A PREROUTING -i usb0 -j TTL --ttl-set 65
    # Set TTL for outgoing packets from 192.168.1.1
    iptables -t mangle -A POSTROUTING -s 192.168.1.1 -j TTL --ttl-set 65
    # Set TTL for incoming packets destined to 192.168.1.1
    iptables -t mangle -A PREROUTING -d 192.168.1.1 -j TTL --ttl-set 65
}
stop() {
    logger -t firewall-custom "Stopping custom firewall rules"
    # Remove TTL setting for outgoing packets on usb0
    iptables -t mangle -D POSTROUTING -o usb0 -j TTL --ttl-set 65
    # Remove TTL setting for incoming packets on usb0
    iptables -t mangle -D PREROUTING -i usb0 -j TTL --ttl-set 65
    logger -t ttl-custom "Removing TTL setting for 192.168.1.1"
    # Remove TTL setting for outgoing packets from 192.168.1.1
    iptables -t mangle -D POSTROUTING -s 192.168.1.1 -j TTL --ttl-set 65
    # Remove TTL setting for incoming packets destined to 192.168.1.1
    iptables -t mangle -D PREROUTING -d 192.168.1.1 -j TTL --ttl-set 65
}
sysctl -w net.ipv4.ip_default_ttl=65
?
It is against iPhone anti-tethering.
Now I'm just trying to figure out why I get a TTL of 64 when pinging the tether IP from cmd, but if I use the OpenWRT GUI to ping the same IP, it gives me 65.
Because the returning packet loses one hop. Wait a bit, I'll get to a keyboard and do the nftables conversion.
So what would be the best recommendation for achieving the exact same TTL on both devices? nftables? Thx
You just need to trick the iPhone by setting ttl/hl on outgoing packets.
mangle - prerouting does not know -d destination address.
Would you be able to replicate and post it?
brada4
July 6, 2024, 7:32pm
10
Yes, but not in an instant. You could go with iptables-nft which takes iptables plugin libraries too.
Ieo
July 6, 2024, 7:36pm
11
I use this for fw4 nftables; it was posted on the gl.inet forum some time ago:
mkdir -p /usr/share/nftables.d/chain-pre/mangle_postrouting/
echo "ip ttl set 65" > /usr/share/nftables.d/chain-pre/mangle_postrouting/01-set-ttl.nft
fw4 reload
brada4
July 6, 2024, 8:25pm
13
Oki
in /etc/nftables.d/ttl65.nft
chain raw_output {
type filter hook output priority raw; policy accept;
oif $wan_devices ip ttl { 2-64 , 66-255 } ip ttl set 65
# oif $wan_devices ip6 hoplimit { 2-64 , 66-255 } ip6 hoplimit set 65
}
fw4 check -> confirm it is correct
fw4 print -> maybe you do not need the customary ethernet WAN to set TTL, so put just the mobile interface in place of the variable
service firewall restart
brada4
July 6, 2024, 8:31pm
14
bytecode dump
inet (null) (null) use 0
// 2 value ranges lookup table
__set%d test1 7 size 5
__set%d test1 0
element 00000000 : 1 [end] element 00000002 : 0 [end] element 00000041 : 1 [end] element 00000042 : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 }
inet test1 test2
// oif "lo"
[ meta load oif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
// implicit filter
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
// ip ttl { .. }
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d ]
// ip ttl set
[ payload load 2b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000041 ]
// implicit adjust checksum
[ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
Given the heavy bytecode, it is worth setting TTL to 65 with sysctl to slip through.
Not compatible with either offload, as they do ttl-1 and there is no way to override it.
nft -f /etc/nftables.d/ttl65.nft
/etc/nftables.d/ttl65.nft:1:18-18: Error: syntax error, unexpected '{', expecting string or last
chain raw_output {
^
/etc/nftables.d/ttl65.nft:2:9-12: Error: syntax error, unexpected type
type filter hook output priority raw; policy accept;
^^^^
/etc/nftables.d/ttl65.nft:2:47-52: Error: syntax error, unexpected policy
type filter hook output priority raw; policy accept;
^^^^^^
/etc/nftables.d/ttl65.nft:3:9-11: Error: syntax error, unexpected oif
oif $wan_devices ip ttl { 2-64 , 66-255 } ip ttl set 65
^^^
/etc/nftables.d/ttl65.nft:5:1-1: Error: syntax error, unexpected '}'
}
^
I tried to load the rule.
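The errors above come from feeding a fw4 include fragment to `nft -f` on its own: files in /etc/nftables.d/ are pulled in by fw4 inside its `table inet fw4 { ... }` block, where `$wan_devices` is already defined, so a bare `chain` at top level is a syntax error. The script below is an added example (not from this thread or from fw4) that wraps such a fragment in that context so it can be parse-checked stand-alone with `nft -c -f`; the device list it defines is a constructed placeholder, not fw4's real value.

```shell
#!/bin/sh
# Added example: wrap a /etc/nftables.d fragment in the table context fw4
# gives it, so "nft -c -f" can syntax-check the fragment without fw4.
# The wan_devices list is a placeholder standing in for fw4's own define.

# Emit a complete ruleset around a fragment.
# $1 = fragment file, $2 = space-separated list of WAN device names
wrap_fw4_fragment() {
    frag="$1"
    quoted=""
    for d in $2; do                       # word-split on purpose
        quoted="${quoted:+$quoted, }\"$d\""
    done
    printf 'define wan_devices = { %s }\n' "$quoted"
    printf 'table inet fw4 {\n'
    sed 's/^/    /' "$frag"               # indent for readability only
    printf '}\n'
}

# Parse-check a complete ruleset without loading it (needs the nft binary).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed here; skipping check" >&2
        return 0
    fi
    nft -c -f "$1"
}

# Usage: sh check-fragment.sh /etc/nftables.d/ttl65.nft "usb0"
if [ -n "${1:-}" ]; then
    wrapped=$(mktemp) || exit 1
    wrap_fw4_fragment "$1" "${2:-usb0}" > "$wrapped"
    check_ruleset "$wrapped"; rc=$?
    rm -f "$wrapped"
    exit $rc
fi
```

Run it against the fragment with the interface you intend to match; a clean exit from `nft -c -f` means the fragment will parse once fw4 includes it, which is the same thing `fw4 check` verifies for the whole ruleset.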
brada4
July 6, 2024, 9:11pm
18
Where did you get that nft -f part from?
I ended up with this
#!/bin/sh
logger -t firewall-custom "Starting custom firewall rules"
# Create the mangle table if it doesn't exist (add is a no-op when it does),
# then flush it; flushing first would fail on a fresh boot when the table is absent
nft add table inet mangle
nft flush table inet mangle
# Add chains for postrouting and prerouting with TTL modification
nft add chain inet mangle mangle_ttl_out { type filter hook postrouting priority mangle \; policy accept \; }
nft add chain inet mangle mangle_ttl_in { type filter hook prerouting priority mangle \; policy accept \; }
# Add rule to the mangle_ttl_out chain for outgoing packets on usb0
nft add rule inet mangle mangle_ttl_out oifname "usb0" ip ttl set 65
# Add rule to the mangle_ttl_in chain for incoming packets on usb0
nft add rule inet mangle mangle_ttl_in iifname "usb0" ip ttl set 65
# Add rule to the mangle_ttl_out chain for outgoing packets from 192.168.1.1
nft add rule inet mangle mangle_ttl_out ip saddr 192.168.1.1 ip ttl set 65
# Add rule to the mangle_ttl_in chain for incoming packets destined to 192.168.1.1
nft add rule inet mangle mangle_ttl_in ip daddr 192.168.1.1 ip ttl set 65
logger -t firewall-custom "Custom firewall rules applied"
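The same rules can be loaded as one file with `nft -f`, which applies the whole table in a single transaction instead of one `nft` call per rule. The script below is an added example (not the poster's script) that renders that file for the interface, LAN address and TTL given as parameters (defaults are the thread's usb0, 192.168.1.1 and 65) and validates the TTL before use; the `table ...` / `delete table ...` pair at the top makes the load idempotent, replacing an existing table and creating a missing one.

```shell
#!/bin/sh
# Added example: render the TTL-normalising rules as a complete nftables
# file in a separate "inet mangle" table and load it atomically with nft -f.
# Interface, LAN address and TTL are parameters; defaults are the thread's values.

# Validate a TTL value: must be an integer in 1..255
valid_ttl() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# Print the ruleset. Declaring the table and then deleting it replaces an
# existing table in the same transaction and does not error when it is missing,
# so the file can be loaded repeatedly (at boot, after hotplug, by hand).
# $1 = interface, $2 = LAN address, $3 = ttl
render_ttl_table() {
    valid_ttl "$3" || { echo "invalid ttl: $3" >&2; return 1; }
    cat <<EOF
table inet mangle
delete table inet mangle
table inet mangle {
    chain mangle_ttl_out {
        type filter hook postrouting priority mangle; policy accept;
        oifname "$1" ip ttl set $3
        ip saddr $2 ip ttl set $3
    }
    chain mangle_ttl_in {
        type filter hook prerouting priority mangle; policy accept;
        iifname "$1" ip ttl set $3
        ip daddr $2 ip ttl set $3
    }
}
EOF
}

# Render to a temp file and load it in one transaction (needs root and nft).
apply_ttl_table() {
    tmp=$(mktemp) || return 1
    render_ttl_table "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    nft -f "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh ttl-table.sh --render [iface] [lan-addr] [ttl]
#        sh ttl-table.sh --apply  [iface] [lan-addr] [ttl]
case "${1:-}" in
    --render) render_ttl_table "${2:-usb0}" "${3:-192.168.1.1}" "${4:-65}" ;;
    --apply)  apply_ttl_table  "${2:-usb0}" "${3:-192.168.1.1}" "${4:-65}" ;;
esac
```

Because the whole table is replaced in one transaction, a typo anywhere in the file leaves the previous rules untouched rather than half-applied, which is the main advantage over issuing the rules one `nft add` at a time.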