Working Nftables Rule for TTL in 22.03

Not folklore: all US carriers now use their DPI boxes to flag tethered traffic based on TTL/HL. Sprint was the last carrier that did not enforce this.

Hi, sorry newbie here!
Whenever I add any custom rule to nftables.d, I get tons of errors when restarting fw4, for example:

I am certainly doing something wrong, I just don't know what...
Thanks!

Perhaps you have Windows CR/LF line endings in your include file, depending how you created it.

Thanks Dave. I will have a look.
I created it using the Win10 "create new txt" option and then edited it in Notepad++ by pasting the code from this thread.

Notepad++ has an option in the Edit menu for line endings to convert to Unix style. I'm not near a Windows computer to verify the menu name, but it should be a simple fix.

Oh man, thank you so much. It worked perfectly! 👍👍
In Notepad++: Edit --> EOL Conversion --> Unix (LF)

Cheers!

Turns out that I only need

# fw4 inserts this include into "table inet fw4", so a bare chain is enough
chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  # rewrite the TTL of every IPv4 packet leaving the box (IPv6 is untouched)
  counter ip ttl set 65
}

as that is all that is needed to change the outgoing TTL.


Ok, so making all outgoing TTLs 65 makes traceroute not work... So I made a new version that just mangles the TTLs from Mac and Windows for a couple of hops. This seems to make traceroute work.

EDIT: Modified it so it also works for IPv6. IPv6 uses hlim instead of ttl. But this got me full speed on IPv4 and IPv6 through Visible.

The oifname { eth1, usb0 } are the outbound devices. Change them to whatever you are using.

I have my router set up to work with Android and/or iPhone tethering. My router only has one USB port, so I would need a powered hub to do both. I got a Samsung Galaxy A23 5G for $47 on eBay, and it works flawlessly. I even set USB tethering as the default for USB, and I didn't even need to root it.

cat /etc/nftables.d/12-mangle-ttl-65.nft 
# fw4 inserts this file into "table inet fw4"; priority 300 runs after
# srcnat (priority 100), so the rewrite is the last thing done to the packet
chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  # IPv4: 64 / 128 are the Linux and Windows defaults as sent (the router's
  # own traffic), 63 / 127 are the same after one forwarding hop through
  # this router, i.e. tethered LAN clients
  oifname { eth1, usb0 } ip ttl 64 counter ip ttl set 65;
  oifname { eth1, usb0 } ip ttl 63 counter ip ttl set 65;
  oifname { eth1, usb0 } ip ttl 128 counter ip ttl set 65;
  oifname { eth1, usb0 } ip ttl 127 counter ip ttl set 65;

  # IPv6 carries a hop limit instead of a TTL; "ip ttl" never matches v6
  oifname { eth1, usb0 } ip6 hoplimit 63 counter ip6 hoplimit set 65;
  oifname { eth1, usb0 } ip6 hoplimit 62 counter ip6 hoplimit set 65;
  oifname { eth1, usb0 } ip6 hoplimit 128 counter ip6 hoplimit set 65;
  oifname { eth1, usb0 } ip6 hoplimit 127 counter ip6 hoplimit set 65;
}


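The two posts above hand-write one rule per TTL value and give no way to confirm that the rewrite is actually complete on the wire. The following is an added example, not code from the thread: a small POSIX shell script that generates the fw4 include with one anonymous-set rule per address family, syntax-checks it the way fw4 will load it, and then uses tcpdump on the uplink to catch any packet that still leaves with a TTL or hop limit other than the target. It assumes OpenWrt 22.03 with fw4 (includes in /etc/nftables.d are inserted into "table inet fw4"), nft and tcpdump installed, and the interface names and the set of matched TTL values (62-64 and 126-128, i.e. Linux/Windows defaults at zero, one and two forwarding hops) are my choices, not the thread's. 65 is used for the same reason as in the thread: the phone forwards the packet and decrements it once more, so the carrier sees the phone's own default of 64.

```shell
#!/bin/sh
# Added example for the TTL-mangling thread; not the thread's own code.
# Assumes OpenWrt 22.03 + fw4, nft and tcpdump available on the router.

# join SEP WORD...  ->  words joined by SEP, e.g. join ', ' a b  ->  "a, b"
join() {
    sep="$1"; shift
    out=""
    for x in "$@"; do out="${out:+$out$sep}$x"; done
    printf '%s' "$out"
}

# gen_ttl_include TARGET IFACE...  ->  nft chain text on stdout
# One anonymous set per family replaces the per-value rules of the thread.
# Matched values (my choice): 64/128 = Linux/Windows defaults as sent by the
# router itself, 63/127 = one forwarding hop (tethered clients), 62/126 = two
# hops (a client behind a second router). Everything else, e.g. traceroute
# probes with deliberately low TTLs, is left alone so traceroute keeps working.
gen_ttl_include() {
    target="$1"; shift
    devs="{ $(join ', ' "$@") }"
    cat <<EOF
# TTL / hop-limit normalisation on the tethering uplink (generated)
chain mangle_postrouting_ttl${target} {
  type filter hook postrouting priority 300; policy accept;
  oifname ${devs} ip ttl { 62, 63, 64, 126, 127, 128 } counter ip ttl set ${target}
  oifname ${devs} ip6 hoplimit { 62, 63, 64, 126, 127, 128 } counter ip6 hoplimit set ${target}
}
EOF
}

# check_syntax TARGET IFACE...: dry-run the generated include wrapped in the
# fw4 table, which is how fw4 loads /etc/nftables.d/*.nft. Exit status is nft's.
check_syntax() {
    printf 'table inet fw4 {\n%s\n}\n' "$(gen_ttl_include "$@")" | nft -c -f -
}

# leak_filter TARGET  ->  BPF filter matching packets whose TTL / hop limit is
# NOT the target. ip[8] is the IPv4 TTL byte, ip6[7] the IPv6 hop-limit byte.
leak_filter() {
    printf '(ip and ip[8] != %s) or (ip6 and ip6[7] != %s)' "$1" "$1"
}

# check_leaks IFACE TARGET [COUNT]: sniff the uplink for packets that escaped
# the rewrite. Traceroute probes are expected here; anything else means the
# rule set is missing a value.
check_leaks() {
    tcpdump -nvi "$1" -c "${3:-20}" "$(leak_filter "$2")"
}

case "${1:-}" in
    gen)    shift; gen_ttl_include "$@" ;;
    check)  shift; check_syntax "$@" ;;
    leaks)  shift; check_leaks "$@" ;;
    *)      ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Typical use on the router: `sh ttl.sh check 65 eth1 usb0` to dry-run, `sh ttl.sh gen 65 eth1 usb0 > /etc/nftables.d/12-mangle-ttl-65.nft && fw4 restart` to install, then `sh ttl.sh leaks usb0 65` while a LAN client browses; with the rules loaded the only packets it should print are traceroute probes.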
