How to filter ICMP Code 0 (Time to live exceeded in transit)

Please, help!

OpenWrt 23.05

I am trying to block ICMP Type 11, Code 0 (Time to live exceeded in transit) from WAN to LAN:

config rule
	option name 'drop exceed'
	option src 'wan'
	option target 'DROP'
	list proto 'icmp'
	option family 'ipv4'
	option dest '*'
	list icmp_type 'ttl-zero-during-transit'

I also tried the simpler approach of blocking all ICMP from WAN, but I still receive the ICMP TTL packet in the LAN.

What am I not understanding?

nft record:

chain forward_wan {
                icmp type . icmp code { time-exceeded . net-unreachable } counter packets 0 bytes 0 drop comment "!fw4: drop exceed"
                jump drop_to_wan
        }

Do you mean you can ping your LAN clients from the internet?

No, when I ping with a low TTL my notebook receives the packet "ICMP Type 11, Code 0 (Time to live exceeded in transit)".

For example: ping 1.1.1.1 -i 3

I understand that this is normal, but I want to filter this packet.

My final task is more specific.
And, as I already said, simple ICMP blocking does not work either.

It's easy to suppress outgoing ICMP, but I only want to suppress the replies.

config rule
	option name 'drop exceed'
	option src 'wan'
	option target 'DROP'
	list proto 'icmp'
	option family 'ipv4'
	option dest '*'

Result:

root@Router:~$ ping   1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=56 time=28.955 ms
64 bytes from 1.1.1.1: seq=1 ttl=56 time=25.834 ms
64 bytes from 1.1.1.1: seq=2 ttl=56 time=26.054 ms
64 bytes from 1.1.1.1: seq=3 ttl=56 time=26.775 ms
64 bytes from 1.1.1.1: seq=4 ttl=56 time=37.210 ms
^C

Blocking related and established connections requires some scripting:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections

Error: syntax error, unexpected ct, expecting number
insert rule inet fw4 forward position ct state established,related accept comment "!fw4: Allow forwarded established and related flows" # handle 49
                                      ^^
Include '/etc/nftables.d/estab.sh' failed with exit code 1

fw4? Or simply reboot?

Try rebooting and then check the output:

nft -a list chain inet fw4 forward
sha256sum /etc/nftables.d/estab.sh
sh -x -v /etc/nftables.d/estab.sh

sh -x -v /etc/nftables.d/estab.sh

ER_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\sestablished,related\saccept\s/p")"
+ nft -a list chain inet fw4 forward
+ sed -n -e '/\sestablished,related\saccept\s/p'
+ ER_RULE=
RJ_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\shandle_reject\s/p")"
+ nft -a list chain inet fw4 forward
+ sed -n -e '/\shandle_reject\s/p'
+ RJ_RULE=
nft delete rule inet fw4 forward handle ${ER_RULE##* }
+ nft delete rule inet fw4 forward handle
Error: syntax error, unexpected newline, expecting number
delete rule inet fw4 forward handle
                                   ^
nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
+ nft insert rule inet fw4 forward position
Error: syntax error, unexpected newline, expecting number
insert rule inet fw4 forward position
988e45074f6782142911aa1fe5ec4c579c55a56ad9f75cea9c17995eabbd56cf  /etc/nftables.d/estab.sh
table inet fw4 {
        chain forward { # handle 3
                type filter hook forward priority filter; policy drop;
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" # handle 178
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 179
                iifname { "wan", "phy0-sta0" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" # handle 181
        }
}

My rule:

config rule
	option name 'drop exceed'
	option src 'wan'
	option target 'DROP'
	list proto 'icmp'
	option family 'ipv4'
	option dest '*'

is inserted as:

chain forward_wan {
                meta l4proto icmp counter packets 0 bytes 0 drop comment "!fw4: drop exceed"
                jump drop_to_wan
        }

What do you think about this solution?

ER_RULE="$(nft -a list chain inet fw4 forward | sed -n -e "/\sestablished,related\saccept\s/p")"
nft delete rule inet fw4 forward handle ${ER_RULE##* }
nft add rule inet fw4 forward  ${ER_RULE}

Looks like the ruleset depends on the forwarding policy.
I updated the code in the wiki to work for any policy.


But with syntax

I need to figure it out.

I have tested the code using a forward policy of ACCEPT / DROP / REJECT as well as unspecified, which is equivalent to DROP, and now it works correctly for each test case.
The insert or add commands should be used when the policy is REJECT or DROP respectively.
If the issue persists, make sure to reload the wiki page linked above and copy-paste the script again.

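The reordering discussed in this thread (delete the "established,related accept" rule from the fw4 forward chain and re-add it after the zone jumps, with insert before handle_reject for a REJECT policy and add at the end for DROP/ACCEPT) can be made safe against the failure shown earlier, where an empty handle was passed to nft and the chain was left without its accept rule. The following is an added example, not the OpenWrt wiki script and not code from any poster: it parses a listing of `nft -a list chain inet fw4 forward` into the nft commands to run, resolving both handles before emitting anything, and refuses to act when the rule is absent. The sample listings and their handle numbers are constructed for the example; the handle_reject comment text is assumed.

```shell
#!/bin/sh
# Added example; not the OpenWrt wiki script and not code posted in this thread.
# Turns the text of `nft -a list chain inet fw4 forward` into the nft commands
# that move the "established,related accept" rule below the zone jumps, so that
# rules in forward_wan (e.g. an ICMP drop) run before RELATED ICMP errors are
# accepted. Both handles are resolved before any command is printed, so a
# missing rule cannot leave the chain half-edited.

# Print the first rule line of listing $1 matching sed pattern $2, leading space stripped.
find_rule() {
    printf '%s\n' "$1" | sed -n -e 's/^[[:space:]]*//' -e "/$2/p" | head -n 1
}

# Print the numeric handle at the end of a rule line ("... # handle 49").
rule_handle() {
    printf '%s\n' "$1" | sed -n -e 's/.*# handle \([0-9][0-9]*\)$/\1/p'
}

# Print the nft commands to run. Prints nothing and returns 1 if the rule is missing.
move_er_rule_cmds() {
    chain="$1"
    er="$(find_rule "$chain" '[[:space:]]established,related[[:space:]]accept[[:space:]]')"
    if [ -z "$er" ]; then
        echo "no established,related accept rule in inet fw4 forward; nothing to do" >&2
        return 1
    fi
    er_handle="$(rule_handle "$er")"
    er_body="${er% # handle *}"   # rule text without the trailing handle comment
    rj="$(find_rule "$chain" '[[:space:]]handle_reject[[:space:]]')"

    printf 'nft delete rule inet fw4 forward handle %s\n' "$er_handle"
    if [ -n "$rj" ]; then
        # policy REJECT: "insert ... position N" places the rule before handle N
        printf 'nft insert rule inet fw4 forward position %s %s\n' "$(rule_handle "$rj")" "$er_body"
    else
        # policy DROP/ACCEPT: no reject jump, so append at the end of the chain
        printf 'nft add rule inet fw4 forward %s\n' "$er_body"
    fi
}

# Constructed sample listings (handle numbers and the handle_reject comment are invented).
CHAIN_REJECT='table inet fw4 {
        chain forward { # handle 3
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows" # handle 49
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" # handle 50
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 51
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" # handle 52
                jump handle_reject comment "!fw4: Reject any other forwarded traffic" # handle 53
        }
}'
CHAIN_DROP="$(printf '%s\n' "$CHAIN_REJECT" | grep -v handle_reject)"
# The state seen in the thread after the failed run: the accept rule is already gone.
CHAIN_NONE="$(printf '%s\n' "$CHAIN_REJECT" | grep -v 'established,related' | grep -v handle_reject)"

# Stand-alone demo: print the commands for each constructed listing.
for c in "$CHAIN_REJECT" "$CHAIN_DROP" "$CHAIN_NONE"; do
    move_er_rule_cmds "$c" || echo "(skipped)"
    echo
done
```

On a router the emitted commands would be run as `move_er_rule_cmds "$(nft -a list chain inet fw4 forward)" | sh`, and because fw4 rebuilds the chain on every reload, the step has to be repeated after each reload (the thread keeps it under /etc/nftables.d/ for that reason). Resolving the handle_reject position before deleting anything is what prevents the "unexpected newline, expecting number" outcome shown above.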
