Code: Select all
iptables -t mangle -A PREROUTING -j TTL --ttl-set 65
The closest i am come to something is flowtables.
Can anyone help or point in direction of changing hoplimit to 65 or any number for that reason?
i have changed the TTL on raspbian host machine but this still does not effect clients coming through.
I have also tried putting this iptables setting as it was once translated but it does nothing.
Thank you.
forgive the messy comments
Code: Select all
## this assumes wwan0 is LAN and eth0 is WAN
flush ruleset
## change these
define wan = wwan0
define lan = eth0
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept
# loopback interface
iifname lo accept
## icmpv6 is a critical part of the protocol, we just
## accept everything, you can lookin to making this
## more restrictive but be careful
ip6 nexthdr icmpv6 accept
# we are more restrictive for ipv4 icmp
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
ip protocol igmp accept
ip protocol icmp meta iifname eth0 accept
## ntp protocol accept from LAN
udp dport ntp iifname eth0 accept
## DHCP accept
iifname eth0 accept
#ip protocol udp udp sport bootpc udp dport bootps log prefix "FIREWALL ACCEPT DHCP: " accept
## DHCPv6 accept from LAN
#iifname eth0 udp sport dhcpv6-client udp dport dhcpv6-server accept
## allow dhcpv6 from router to ISP
#iifname eth0 udp sport dhcpv6-server udp dport dhcpv6-client accept
# SSH (port 22), limited to 10 connections per minute,
# you might prefer to not allow this from WAN for
# OpenWrt, in which case you should also add an
# iifname eth0 filter in the front so we're only
# allowing from LAN
ct state new tcp dport ssh meter ssh-meter4 {ip saddr limit rate 10/minute burst 15 packets} accept
ct state new ip6 nexthdr tcp tcp dport ssh meter ssh-meter6 {ip6 saddr limit rate 10/minute burst 15 packets} accept
## allow access to LUCI from LAN
iifname eth0 tcp dport {http,https} accept
## DNS for main LAN, we limit the rates allowed from each LAN host to reduce chance of denial of service
iifname eth0 udp dport domain meter dommeter4 { ip saddr limit rate 240/minute burst 240 packets} accept
iifname eth0 udp dport domain meter dommeter6 { ip6 saddr limit rate 240/minute burst 240 packets} accept
iifname eth0 tcp dport domain meter dommeter4tcp { ip saddr limit rate 240/minute burst 240 packets} accept
iifname eth0 tcp dport domain meter dommeter6tcp { ip6 saddr limit rate 240/minute burst 240 packets} accept
## allow remote syslog input? you might want this, or remove this
iifname eth0 udp dport 514 accept
counter log prefix "FIREWALL INPUT DROP: " drop
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
iifname lo accept
iifname eth0 oifname wwan0 accept ## allow LAN to forward to WAN
counter log prefix "FIREWALL FAIL FORWARDING: " drop
}
# chain prerouting {
# type route hook prerouting priority 0; policy drop;
##change ttl to 65
# iifname eth0 ip ttl 65
# established/related connections
# ct state established,related accept
# counter log prefix "FIREWALL FAIL FORWARDING: " drop
# }
}
## masquerading for ipv4 output on WAN
table ip masq {
chain masqout {
type nat hook postrouting priority 0; policy accept;
oifname wwan0 masquerade
}
## this empty table is required to make the kernel do the unmasquerading
chain masqin {
type nat hook prerouting priority 0; policy accept;
}
}