This patch requires the TTL patch from the patch-o-matic
tree available in the base directory from https://www.netfilter.org/.
The TTL target is used to modify the Time To Live field in the IP
header. One useful application of this is to set the Time To Live
value of all outgoing packets to the same value. One reason for doing
this is if you have a bully ISP that doesn't allow you to have more than
one machine connected to the same Internet connection, and that actively
pursues this. Setting all TTL values to the same value will make it a
little bit harder for them to notice that you are doing this. We may then
reset the TTL value for all outgoing packets to a standardized value,
such as 64, as specified in the Linux kernel. For more information on
how to set the default value used in Linux, read ip-sysctl.txt, which
you may find within the Other resources and links appendix.
The TTL target is only valid within the mangle table, and nowhere else.
It takes 3 options as of this writing, all of them described below in
the table.
The --ttl-set option tells the TTL target which TTL value to set on the
packet in question. A good value is somewhere around 64: not too long,
and not too short. Do not set this value too high, since it may affect
your network, and it is a bit immoral to set it too high: a packet may
start bouncing back and forth between two mis-configured routers, and the
higher the TTL, the more bandwidth is eaten unnecessarily in such a case.
This target could also be used to limit how far away our clients are. A
good case for this could be DNS servers, where we don't want the clients
to be too far away.
The --ttl-dec option tells the TTL target to decrement the Time To Live
value by the amount specified after the --ttl-dec option. In other words,
if the TTL of an incoming packet was 53 and we had set --ttl-dec 3, the
packet would leave our host with a TTL value of 49. The reason for this
is that the networking code automatically decrements the TTL value by 1,
hence the packet is decremented by 4 steps in total, from 53 to 49. This
could for example be used when we want to limit how far away the people
using our services are. For example, users should always use a close-by
DNS, and hence we could match all packets leaving our DNS server and
decrease their TTL by several steps. Of course, --ttl-set may be a better
idea for this usage.
The --ttl-inc option tells the TTL target to increment the Time To Live
value by the value specified to the --ttl-inc option. This means that we
raise the TTL value by the value specified in the --ttl-inc option, so if
we specified --ttl-inc 4, a packet entering with a TTL of 53 would leave
the host with TTL 56. Note that the same thing applies here as for the
previous example of the --ttl-dec option: the network code automatically
decrements the TTL value by 1, which it always does. This may be used to
make our firewall a bit more stealthy to trace-routes, among other
things. By setting the TTL one value higher for all incoming packets, we
effectively hide the firewall from trace-routes. Trace-routes are a loved
and hated thing, since they provide excellent information on problems
with connections and where they happen, but at the same time they give a
hacker/cracker some good information about your upstreams if they have
targeted you. For a good example of how this could be used, see the
Ttl-inc.txt script.