nftables mangle to set / change ttl hoplimit on host firewall

Postby blee » 2020-03-29 03:51

I have been trying and researching how to get the same output for
Code:
iptables -t mangle -A PREROUTING -j TTL --ttl-set 65

for nftables.
The closest I have come to something is flowtables.
Can anyone help or point me in the direction of changing the hoplimit to 65, or any number for that matter?
I have changed the TTL on the Raspbian host machine but this still does not affect clients coming through.
I have also tried putting this iptables setting in as it was once translated, but it does nothing.

Thank you.
forgive the messy comments
Code:

## this assumes eth0 is LAN and wwan0 is WAN (the rules below match on those names)

flush ruleset

## change these (note: the rules below still use the literal interface names rather than $wan and $lan)

define wan = wwan0
define lan = eth0

table inet filter {
   chain input {
      type filter hook input priority 0; policy drop;
      
      # established/related connections
      ct state established,related accept

      # loopback interface
      iifname lo accept

      ## icmpv6 is a critical part of the protocol, we just
      ## accept everything, you can lookin to making this
      ## more restrictive but be careful
      ip6 nexthdr icmpv6 accept

      # we are more restrictive for ipv4 icmp
      ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

      ip protocol igmp accept

      ip protocol icmp meta iifname eth0 accept

      ## ntp protocol accept from LAN
      udp dport ntp iifname eth0 accept

      ## DHCP accept
      ## NOTE: this rule accepts all traffic arriving on eth0, so the more
      ## specific iifname eth0 rules below it never match anything
      iifname eth0 accept
      #ip protocol udp udp sport bootpc udp dport bootps log prefix "FIREWALL ACCEPT DHCP: " accept

      ## DHCPv6 accept from LAN
      #iifname eth0 udp sport dhcpv6-client udp dport dhcpv6-server accept

      ## allow dhcpv6 from router to ISP
      #iifname eth0 udp sport dhcpv6-server udp dport dhcpv6-client accept

      # SSH (port 22), limited to 10 connections per minute,
      # you might prefer to not allow this from WAN for
      # OpenWrt, in which case you should also add an
      # iifname eth0 filter in the front so we're only
      # allowing from LAN
      
      ct state new tcp dport ssh meter ssh-meter4 {ip saddr limit rate 10/minute burst 15 packets} accept
      ct state new ip6 nexthdr tcp tcp dport ssh meter ssh-meter6 {ip6 saddr limit rate 10/minute burst 15 packets} accept

      ## allow access to LUCI from LAN
      iifname eth0 tcp dport {http,https} accept

      ## DNS for main LAN, we limit the rates allowed from each LAN host to reduce chance of denial of service
      iifname eth0 udp dport domain meter dommeter4 { ip saddr limit rate 240/minute burst 240 packets} accept
      iifname eth0 udp dport domain meter dommeter6 { ip6 saddr limit rate 240/minute burst 240 packets} accept

      iifname eth0 tcp dport domain meter dommeter4tcp { ip saddr limit rate 240/minute burst 240 packets} accept
      iifname eth0 tcp dport domain meter dommeter6tcp { ip6 saddr limit rate 240/minute burst 240 packets} accept

      ## allow remote syslog input? you might want this, or remove this
      
      iifname eth0 udp dport 514 accept

      counter log prefix "FIREWALL INPUT DROP: " drop
   }

   chain forward {
       type filter hook forward priority 0; policy drop;

       ct state established,related accept

       iifname lo accept
       iifname eth0 oifname wwan0 accept ## allow LAN to forward to WAN

       counter log prefix "FIREWALL FAIL FORWARDING: " drop
   }
#   chain prerouting {
#           ## NOTE: 'route' type chains are only valid on the output hook,
#           ## so nft rejects this chain definition; a TTL-mangling chain
#           ## is 'type filter hook prerouting'
#           type route hook prerouting priority 0; policy drop;

            ##change ttl to 65
#           ## NOTE: 'ip ttl 65' only matches packets whose TTL is already 65;
#           ## rewriting the field needs 'ip ttl set 65'
#           iifname eth0 ip ttl 65

            # established/related connections
#            ct state established,related accept

#            ## NOTE: with 'policy drop', anything this chain does not explicitly
#            ## accept is dropped in prerouting, before the filter chains run
#            counter log prefix "FIREWALL FAIL FORWARDING: " drop
#        }

}

## masquerading for ipv4 output on WAN
table ip masq {
   chain masqout {
       type nat hook postrouting priority 0; policy accept;
       oifname wwan0 masquerade
      
   }

   ## this empty chain is required to make the kernel do the unmasquerading
   chain masqin {
       type nat hook prerouting priority 0; policy accept;

   }
   
}
blee
 
Posts: 3
Joined: 2020-03-29 03:40

Re: nftables mangle to set / change ttl hoplimit on host firewall

Postby blee » 2020-03-29 18:01

So this portion ended up not being needed:
Code:
chain prerouting {
    ## NOTE: 'route' type chains are only valid on the output hook, so nft
    ## rejects this; a TTL-mangling chain is 'type filter hook prerouting'
    type route hook prerouting priority 0; policy drop;

    ## change ttl to 65
    ## NOTE: 'ttl set' is not a verdict, so with 'policy drop' every packet
    ## falls through to the chain policy and is dropped
    iifname eth0 ip ttl set 65
}
 


For some strange reason, if I put the 'iptables' command in with -t mangle, it adds it and starts working. If I restart nftables it is removed.

When I add the 'iptables' entry and then run
Code:
nft list ruleset

I get this table added to my output:
Code:
table ip mangle {
   chain PREROUTING {
      type filter hook prerouting priority -150; policy accept;
      counter packets 93541 bytes 74006031 # TTL set to 65
   }

   chain INPUT {
      type filter hook input priority -150; policy accept;
   }

   chain FORWARD {
      type filter hook forward priority -150; policy accept;
   }

   chain OUTPUT {
      type route hook output priority -150; policy accept;
   }

   chain POSTROUTING {
      type filter hook postrouting priority -150; policy accept;
   }
}

After I restart nftables, this table is removed.
If I try to copy and paste it into the /etc/nftables.conf file it does not work.

It does not show when running iptables -L
Where is this entry saved?

Also, the 'packets' and 'bytes' values keep increasing as traffic is passed.
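The native nftables equivalent of the `iptables -t mangle -A PREROUTING -j TTL --ttl-set 65` rule the thread is about, written as an added example rather than code from either post. It assumes eth0 is the LAN interface, as in the posted ruleset, and reuses the -150 priority that the iptables-nft compat layer reported for its own mangle PREROUTING chain. It goes one step beyond the original IPv4-only rule by rewriting the IPv6 hop limit too.

```nft
## Added example (not from the posts above): native nftables replacement for
##   iptables -t mangle -A PREROUTING -j TTL --ttl-set 65
## Assumption: eth0 is the LAN interface, as in the posted ruleset.
## Drop this table into /etc/nftables.conf next to the 'inet filter' and
## 'ip masq' tables; it survives 'flush ruleset' because nft loads it itself.

table inet mangle {
    chain prerouting {
        ## 'filter' is the only chain type valid on the prerouting hook
        ## ('route' is output-only). -150 is the priority iptables-nft uses
        ## for its mangle PREROUTING chain, so ordering relative to any
        ## leftover compat rules is unchanged; newer nft also accepts the
        ## name 'mangle' here.
        type filter hook prerouting priority -150; policy accept;

        ## Rewrite the hop count only on packets arriving from the LAN.
        ## 'ttl set' / 'hoplimit set' are payload statements, not verdicts:
        ## evaluation continues past them, so the chain policy must stay
        ## 'accept' or every LAN packet is dropped here.
        iifname eth0 ip ttl set 65

        ## IPv6 counterpart (not part of the original iptables rule).
        iifname eth0 ip6 hoplimit set 65
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm with `nft list table inet mangle`. Because prerouting runs before the routing decision and the forwarding path still decrements the field, packets relayed to the WAN leave with TTL/hop limit 64. Two caveats a practitioner should keep in mind: the `table ip mangle` created by the iptables command is not saved anywhere; iptables-nft writes it straight into the kernel's nftables ruleset, which is why `nft list ruleset` shows it, `flush ruleset` on restart removes it, and `iptables -L` (which lists only the filter table) does not display it, while `iptables -t mangle -L` would. Its TTL target is an xtables extension that nft can only print as the `# TTL set to 65` comment, so pasting that listing into /etc/nftables.conf loads a bare `counter` rule that rewrites nothing. Second, a fixed hop count on forwarded traffic removes the per-hop decrement that lets looping packets expire, so restrict the rule to the LAN interface as above rather than applying it to everything prerouting sees.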

