SCIENTIFIC-LINUX-USERS Archives

April 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jon Peatfield <[log in to unmask]>
Date: Tue, 11 Apr 2006 03:40:27 +0100

On Thu, 6 Apr 2006, Angel Tsankov wrote:

>> > > > > >  I downloaded the kernel sources and I'm going to patch and 
>> > > > > >  recompile them to fix the bug with "iptables -t mangle -j TTL"
>> > > > > >  producing
>> > > > > >  "No chain/target/match by that name".
>
>>  Try modprobe ipt_ttl
>
> This seems OK:
> [root@VM2 sysconfig]# modprobe ipt_ttl

Note that there are 2 ttl netfilter extensions providing unrelated 
pieces of functionality (well sort of).

http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.20

   This patch by Harald Welte <[log in to unmask]> adds a new match that
   allows you to match a packet based on its TTL.

   For example if you want to log any packet that has a TTL less than 5,
   you can do as follows :

   # iptables -A INPUT -m ttl --ttl-lt 5 -j LOG
...

http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.8

   This patch by Harald Welte <[log in to unmask]> adds a new target that
   enables the user to set the TTL value of an IP packet or to
   increment/decrement it by a given value.

   For example, if you want to set the TTL of all outgoing connections to
   126, you can do as follows :

   # iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
...

The ttl match code is pretty standard (ipt_ttl is there in SL kernels 
etc), but the ttl target one is (apparently) still not in the standard
kernels (or was not a year ago).

Therefore if you need ipt_TTL you *will* need to apply a kernel patch, 
then turn on the CONFIG_IP_NF_TARGET_TTL option (as compared to 
CONFIG_IP_NF_MATCH_TTL), and re-compile, install, reboot, and modprobe 
ipt_TTL etc etc.

Confusingly the iptables *command* does know about '-j TTL' already which 
is why it can give help messages etc, but it won't work without the 
ipt_TTL module building (the maintainers of that can just add new stuff, 
while getting things into the kernel takes much longer...)

I do wonder under what circumstances changing the TTL is a *good* thing to 
do.  Perhaps there is another way to avoid needing to do this.  IMHO using 
the iptables mangle table is best avoided in most cases :-)

  -- Jon
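Added example (not part of Jon's message or of the netfilter HOWTO): a small POSIX sh check that maps each -t/-m/-j in an iptables rule to the Kconfig option it needs and looks for that option in a kernel .config, so a missing ipt_TTL shows up by name instead of as "No chain/target/match by that name". The .config fragment is constructed for the example; on a live box the equivalent module check would be `modprobe -n ipt_TTL`.

```shell
#!/bin/sh
# Added example: check which netfilter Kconfig options an iptables rule needs
# and whether a kernel .config enables them (=y or =m).  Names are
# case-sensitive: "-m ttl" is the ttl match, "-j TTL" is the TTL target.

# Constructed sample .config fragment (not from a real SL kernel): the ttl
# match is built as a module, the TTL target is not configured at all.
SAMPLE_CONFIG='CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_MATCH_TTL=m
# CONFIG_IP_NF_TARGET_TTL is not set'

# Print the Kconfig symbol for an iptables option/argument pair, or fail
# if this script does not know it (-j with a chain name, for example).
kconfig_symbol() {
  case "$1:$2" in
    -t:mangle) echo CONFIG_IP_NF_MANGLE ;;
    -m:ttl)    echo CONFIG_IP_NF_MATCH_TTL ;;
    -j:TTL)    echo CONFIG_IP_NF_TARGET_TTL ;;
    *) return 1 ;;
  esac
}

# check_rule CONFIG_TEXT RULE: prints one line per -t/-m/-j the script
# recognises and returns 1 if any required option is missing.
check_rule() {
  config=$1; rc=0
  set -- $2                      # split the rule into words
  while [ $# -gt 0 ]; do
    case "$1" in
      -t|-m|-j)
        opt=$1; name=${2:-}
        shift; [ $# -gt 0 ] && shift
        sym=$(kconfig_symbol "$opt" "$name") || continue
        if printf '%s\n' "$config" | grep -q "^$sym=[ym]$"; then
          printf '%s\n' "$opt $name: ok ($sym)"
        else
          printf '%s\n' "$opt $name: MISSING ($sym)"; rc=1
        fi ;;
      *) shift ;;
    esac
  done
  return $rc
}

# The two HOWTO rules quoted above, checked against the sample config.
check_rule "$SAMPLE_CONFIG" "-A INPUT -m ttl --ttl-lt 5 -j LOG"
check_rule "$SAMPLE_CONFIG" "-t mangle -A OUTPUT -j TTL --ttl-set 126" || \
  echo "rule needs a kernel option that is not configured"
```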
