
Thread: increasing TTL how to ?

  1. #1

    TTL matching in iptables?

    Does iptables in 1.9.2.7-4 or any other firmware support TTL matching? That would be a useful security feature for allowing IGMP only from local sources...

  2. #2
    Quote Originally Posted by tomilius
    Does iptables in 1.9.2.7-4 or any other firmware support TTL matching? That would be a useful security feature for allowing IGMP only from local sources...
    Yes, I created one - based on 1.9.2.7-4 which can do that.

    But I am not sure if it is a good idea for you to use my firmware.

    Cheers.

  3. #3
    Hmm... prithee upload it apart from your firmware if that's possible.

    I did some research before I created this thread, actually, and found out that libipt_ttl.so is needed; I just didn't know where to request features... hehe...

  4. #4
    Well, in fact filtering based on TTL is not a good idea, except for TTL==1. Why don't you filter based on source MAC?

  5. #5
    I've already struggled to try to get the MAC of the IGMP source and have tried allowing it but it hasn't worked. Anyway, yes, I would be testing for a TTL of 1.
    Last edited by tomilius; 28-03-2005 at 04:37.

  6. #6
    Quote Originally Posted by tomilius
    I've already struggled to try to get the MAC of the IGMP source and have tried allowing it but it hasn't worked. Anyway, yes, I would be testing for a TTL of 1.
    I have included the kernel modules ipt_TTL.o and ipt_ttl.o. Without using the corresponding kernel and iptables which I compiled, I am not sure if it is going to work by patching these modules alone.

    I hope it will work, then it saves you lots of trouble.

    Cheers

  7. #7
    Thank you! I'll try it soon.

    EDIT: I think I'll wait for my pen drive to come in, actually, which should be in a few days, just to save myself from extra hassle. Thanks, though.
    Last edited by tomilius; 28-03-2005 at 23:37.

  8. #8
    Hmm... it's not a shared object library.. or something.
    It's a .o instead of a .so like the others *gasp*
    Can't make it work by renaming.
    Thanks though... really not that urgent either.... though thinking more about it that connlimit thing would be above excellent

  9. #9
    Quote Originally Posted by tomilius
    Hmm... it's not a shared object library.. or something.
    It's a .o instead of a .so like the others *gasp*
    Can't make it work by renaming.
    Thanks though... really not that urgent either.... though thinking more about it that connlimit thing would be above excellent
    It is not a userspace program. It's for use by the kernel, although at this moment I am not sure if the userspace counterpart is present or not. You could ***TRY*** to use it this way (for example):

    cd what_ever_path
    insmod ipt_ttl.o    # if you need the ttl match
    insmod ipt_TTL.o    # if you need the TTL target

    Cheers

  10. #10
    Nope. Not happening. Thanks though.

    The TTL target is included in 1.9.2.7-4, isn't it?

  11. #11

    increasing TTL how to ?

    Hi, when I try this script on Oleg's firmware it gives me an error:

    iptables -t mangle -I PREROUTING -i vlan1 -j TTL --ttl-set 10

    "iptables: No chain/target/match by that name"

    It works without any problem with DD-WRT firmware.

    How can I increase it, because my ISP set this value to 1 and I cannot use the internet connection with more than 1 PS etc...

    My router is Asus WL-500gx

  12. #12
    insmod ipt_TTL.o or something like this.

  13. #13
    Yes, you are right, without this module it will not work.
    Now it is working very well.
    I only need to write it to nvram.

    Thank you Oleg

  14. #14

    TTL how can i save settings???

    Hello. It is my first post on this forum. I had to change the TTL value settings and now I can share my internet connection again, but every time I switch off my Asus WL-500g Premium I have to do everything once again!! How can I save it...?? I tried: nvram commit, but after this it is the same...

    Here is what I did:

    insmod ipt_TTL.o
    iptables -t mangle -I PREROUTING -i vlan1 -j TTL --ttl-set 10

    How can I write it to nvram??

  15. #15
    What you need is to add those lines to /usr/local/sbin/post-boot
    and then save the changes to flash (flashfs save; flashfs commit; flashfs enable).
    If you don't know how to do it, just take a look at macsat's Oleg tutorials at http://www.macsat.com
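
The persistence steps from posts #14 and #15, as an added example that is not part of the original thread: it appends the two commands to the post-boot script only once, so repeated runs do not stack duplicate rules at boot. The function name `persist_ttl_rule` and its optional path argument are hypothetical; the commands, the post-boot path and the flashfs sequence are the ones quoted in the posts.

```sh
#!/bin/sh
# Added example (not from the thread). persist_ttl_rule and its optional
# path argument are hypothetical names chosen for illustration.

persist_ttl_rule() {
    # Default path is the one named in post #15.
    post_boot="${1:-/usr/local/sbin/post-boot}"
    mod_line='insmod ipt_TTL.o'
    rule_line='iptables -t mangle -I PREROUTING -i vlan1 -j TTL --ttl-set 10'

    # Create the script with a shebang if it does not exist yet.
    if [ ! -f "$post_boot" ]; then
        mkdir -p "$(dirname "$post_boot")" || return 1
        printf '#!/bin/sh\n' > "$post_boot" || return 1
    fi

    # Append each line only if an identical line is not already present.
    # The module line goes first: the TTL target needs ipt_TTL loaded.
    for line in "$mod_line" "$rule_line"; do
        grep -qxF -- "$line" "$post_boot" \
            || printf '%s\n' "$line" >> "$post_boot" \
            || return 1
    done
    chmod +x "$post_boot" || return 1

    # Write the change to flash only where the firmware's flashfs tool exists.
    if command -v flashfs >/dev/null 2>&1; then
        flashfs save && flashfs commit && flashfs enable
    fi
}
```

On the router, calling `persist_ttl_rule` with no argument edits /usr/local/sbin/post-boot; passing a path lets you check the result in a scratch file first.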
