RE: how to set iptables to hide NAT router?

Try this:
iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 128
iptables -t mangle -A FORWARD -o eth0 -j TTL --ttl-set 128

Jason
We the willing, led by the unknowing, are doing the impossible, for the ungrateful. We have done so much, for so long, with so little. We are now qualified to do anything with nothing.


On Mon, 8 Nov 2004, Jason Clark wrote:

Very little overhead. It's just tweaking a value in the TCP headers for packets that pass through.

Jason
We the willing, led by the unknowing, are doing the impossible, for the ungrateful. We have done so much, for so long, with so little. We are now qualified to do anything with nothing.


On Mon, 8 Nov 2004, Piszcz, Justin Michael wrote:

What kind of overhead would that carry?

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Clark
Sent: Monday, November 08, 2004 6:13 AM
To: ?ÌìÈÊ
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: how to set iptables to hide NAT router?


Correction: better set that TTL to 128, which is the Windows default, not
255.

       Jason
We the willing, led by the unknowing, are doing the impossible, for the
ungrateful. We have done so much, for so long, with so little. We are now
qualified to do anything with nothing.

On Mon, 8 Nov 2004, Jason Clark wrote:

I would try a combination of two things. First, the iptables TTL target: reset
every outgoing packet to have a TTL of 255. Second, there are patches for
Linux that allow you to fake out these passive OS fingerprints. I can't recall
the name of the patches off hand, but a quick Google should turn up the
result you need.


      Jason
We the willing, led by the unknowing, are doing the impossible, for the
ungrateful. We have done so much, for so long, with so little. We are now
qualified to do anything with nothing.

On Mon, 8 Nov 2004, ?ÌìÈÊ wrote:

Hi, I am using Coyote NAT, but my ISP is detecting NAT devices using
sFlow, and now I can't connect to the internet.
Please look at:
http://www.sflow.org/detectNAT/
http://www.topsight.net/article.php?story=2003042408350170&mode=print


It says:

Detecting NAT Routers
Thursday, April 24 2003 @ 08:35 AM CDT
Contributed by: opticfiber
A great paper written by Peter Phaal explains the simple method used in his
company's product, sFlow, to detect multiple hosts behind a NAT firewall.
The secret, it would seem, is simply monitoring the TTL of outgoing
packets and comparing them to a host known not to be using a NAT firewall.


Another method only touched upon by Phaal is passive OS fingerprinting;
although this method is less reliable, a statistical analysis could
determine if multiple operating systems were using the same network
device. If this were the case it would be reasonable to assume that that
host was in fact a NAT device.


AT&T Labs has published a paper explaining how to count the number of
devices behind a NAT device. The method AT&T uses relies on the fact that
most operating systems (excluding Linux and FreeBSD) use IP header IDs as
simple counters. By observing out-of-sequence header IDs, an analysis can
calculate how many actual hosts are behind a NAT device.


Each of these methods can be easily defeated through better sterilization
by the router itself. In the first example, if the TTL for each TCP packet
was re-written by the router to the value of 128, the first
method would no longer function. For the second method, sterilizing IP
header information and stripping unneeded TCP flags would successfully
undermine this scheme. For the last method, counting hosts behind a router,
stripping the fragmentation flag from SYN packets and setting the IP ID to
'0' (like Linux and FreeBSD both do) would make it impossible to count
hosts behind a NAT router.




How do I set an iptables rule to do it?

Example?

iptables -I FORWARD -j TTL --ttl-set 128

??

And more?

Who can help me?

                                                           wsgtrsys

                                                          2004.11.8
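As an added illustration, not code from the thread, here is a small Python model of the two heuristics the quoted article describes (TTL spread per source, and runs of incrementing IP IDs) next to the normalisation Jason's mangle rules perform; the packet tuples are constructed sample data and the `window` step threshold is an assumption of this model.

```python
"""Model of TTL-based and IP-ID-based NAT detection, and of the router-side
normalisation (TTL rewritten to 128, IP ID zeroed) that defeats both."""
from collections import defaultdict

# Constructed sample: (source IP as the ISP sees it, TTL, IP ID) per packet.
# Behind the NAT: two Windows hosts (TTL 128 -> 127 after one hop, counter
# IDs starting near 1000 and 5000) and one Linux host (TTL 64 -> 63, ID 0).
SAMPLE = [
    ("203.0.113.5", 127, 1001), ("203.0.113.5", 63, 0),
    ("203.0.113.5", 127, 1002), ("203.0.113.5", 127, 5001),
    ("203.0.113.5", 127, 1003), ("203.0.113.5", 127, 5002),
]

def ttl_classes(packets):
    """Distinct TTLs per source; more than one suggests several OS stacks."""
    seen = defaultdict(set)
    for src, ttl, _ in packets:
        seen[src].add(ttl)
    return {src: sorted(t) for src, t in seen.items()}

def count_id_sequences(packets, window=16):
    """Estimate hosts per source by grouping IP IDs into runs that increment
    by at most `window` (assumed threshold); ID 0 (Linux/FreeBSD) is ignored."""
    est = {}
    per_src = defaultdict(list)
    for src, _, ipid in packets:
        if ipid:
            per_src[src].append(ipid)
    for src, ids in per_src.items():
        chains = []  # last ID seen in each counter run
        for i in ids:
            for k, last in enumerate(chains):
                if 0 < i - last <= window:
                    chains[k] = i
                    break
            else:
                chains.append(i)
        est[src] = len(chains)
    return est

def normalise(packets, ttl=128):
    """Emulate `-t mangle -j TTL --ttl-set 128` plus zeroing the IP ID."""
    return [(src, ttl, 0) for src, _, _ in packets]

def suspects_nat(packets):
    """Flag a source when either heuristic sees more than one host."""
    multi_ttl = any(len(t) > 1 for t in ttl_classes(packets).values())
    multi_id = any(n > 1 for n in count_id_sequences(packets).values())
    return multi_ttl or multi_id
```

Zeroing the IP ID is only safe on packets with DF set, because fragment reassembly depends on it; this model ignores fragmentation entirely.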