Re: how to set iptables to hide NAT router?

I use
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 129
which can set outgoing packets' TTL to 128.

But I searched for "patches for linux that allow you to fake out these passive os fingerprints."
and I can't find them.

Also, I found this:
http://ippersonality.sourceforge.net/

It says:

The Linux IP Personality patch adds to your Linux 2.4 kernel the ability to have different 'personalities' network-wise, that is to change some characteristics of its network traffic, depending on different parameters (anything you can specify in an iptables rule: src/dst IP address, TCP or UDP port, etc.)

The characteristics that can be changed are: 

TCP Initial Sequence Number (ISN) 
TCP initial window size 
TCP options (their types, values and order in the packet) 
IP ID numbers 
answers to some pathological TCP packets 
answers to some UDP packets 
They are deeply configurable. 

This patch relies on the wonderful framework created by Rusty Russell: netfilter. More precisely, the patch adds a new iptables target (in a kernel module) that can be used in the mangle table with a (patched) iptables. This target is very configurable. See the documentation section for more details on how it works.

But it's for kernel 2.4.19 and iptables 1.2.2.

I am using kernel 2.4.25 and iptables 1.2.9; maybe I can't patch my software?

And I... how do I do it?

>Try this
>iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 128
>iptables -t mangle -A FORWARD -o eth0 -j TTL --ttl-set 128

        Jason
>We the willing, led by the unknowing, are doing the impossible, for the 
>ungrateful. We have done so much, for so long, with so little. We are now 
>qualified to do anything with nothing.

On Mon, 8 Nov 2004, Jason Clark wrote:

> Very little overhead. It's just tweaking a value in the tcp headers for 
> packets that pass through.
>
>       Jason
> We the willing, led by the unknowing, are doing the impossible, for the 
> ungrateful. We have done so much, for so long, with so little. We are now 
> qualified to do anything with nothing.
>
> On Mon, 8 Nov 2004, Piszcz, Justin Michael wrote:
>
>> What kind of overhead would that carry?
>> 
>> -----Original Message-----
>> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
>> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Clark
>> Sent: Monday, November 08, 2004 6:13 AM
>> To: ?ÌìÈÊ
>> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: how to set iptables to hide NAT router?
>> 
>> Correction, better set that ttl to 128 which is the windows default, not
>> 255.
>> 
>>        Jason
>> We the willing, led by the unknowing, are doing the impossible, for the
>> ungrateful. We have done so much, for so long, with so little. We are now
>> qualified to do anything with nothing.
>> 
>> On Mon, 8 Nov 2004, Jason Clark wrote:
>> 
>>> I would try a combination of two things. First, the iptables ttl target:
>>> reset every outgoing packet to have a ttl of 255. Second, there are patches
>>> for linux that allow you to fake out these passive os fingerprints. I can't
>>> recall the name of the patches off hand, but a quick google should turn up
>>> the result you need.
>>> 
>>>       Jason
>>> We the willing, led by the unknowing, are doing the impossible, for the
>>> ungrateful. We have done so much, for so long, with so little. We are now
>>> qualified to do anything with nothing.
>>> 
>>> On Mon, 8 Nov 2004, ?ÌìÈÊ wrote:
>>> 
>>>> Hi, I use Coyote NAT, but my ISP is detecting NAT devices using
>>>> sFlow, and now I can't connect to the internet.
>>>> Please look at:
>>>> http://www.sflow.org/detectNAT/
>>>> http://www.topsight.net/article.php?story=2003042408350170&mode=print
>>>> and
>>>> http://www.topsight.net/article.php?story=2003042408350170&mode=print
>>>> 
>>>> 
>>>> It says:
>>>> 
>>>> Detecting NAT Routers
>>>> Thursday, April 24 2003 @ 08:35 AM CDT
>>>> Contributed by: opticfiber
>>>> A great paper written by Peter Phaal explains the simple method used in his
>>>> company's product, sFlow, to detect multiple hosts behind a NAT firewall.
>>>> The secret, it would seem, is simply monitoring the TTL of outgoing
>>>> packets and comparing them to a host known not to be using a NAT firewall.
>>>> 
>>>> Another method only touched upon by Phaal is passive OS fingerprinting;
>>>> although this method is less reliable, a statistical analysis could
>>>> determine if multiple operating systems were using the same network
>>>> device. If this were the case it would be reasonable to assume that the
>>>> host was in fact a NAT device.
>>>> 
>>>> AT&T Labs has published a paper explaining how to count the number of
>>>> devices behind a NAT device. The method AT&T uses relies on the fact that
>>>> most operating systems (excluding Linux and FreeBSD) use IP header IDs as
>>>> simple counters. By observing out-of-sequence header IDs, an analysis can
>>>> calculate how many actual hosts are behind a NAT device.
>>>> 
>>>> Each of these methods can be easily defeated through better sterilization
>>>> by the router itself. In the first example, if the TTL for each TCP packet
>>>> was re-written by the router for each packet to the value of 128, the first
>>>> method would no longer function. For the second method, sterilizing IP
>>>> header information and stripping unneeded TCP flags would successfully
>>>> undermine this scheme. For the last method, counting hosts behind a router,
>>>> stripping the fragmentation flag for SYN packets and setting the IP ID to
>>>> '0' (like Linux and FreeBSD both do) would make it impossible to count
>>>> hosts behind a NAT router.
>>>> 
>>>> 
>>>> 
>>>> How do I set iptables rules to do it?
>>>> 
>>>> Example:
>>>> 
>>>> iptables -I FORWARD -j TTL --ttl-set 128
>>>> 
>>>> 
>>>> 
>>>> 
>>>> and more?
>>>> 
>>>> Who can help me?
>>>> 
>>>> wsgtrsys
>>>> 2004.11.8
>>>> 
>>> 
>
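The detection side of this thread, as an added example that is not code from the thread, from sFlow or from AT&T: a small Python script that applies the quoted article's two heuristics (initial-TTL analysis and IP ID counter analysis) to constructed flow records, so you can see what a monitoring system would flag and what the TTL and IP ID rewriting discussed above is meant to neutralize. The initial-TTL rounding table, the greedy IP ID chain grouping and the sample records are my own simplifications and made-up data.

```python
from collections import defaultdict

# Common initial TTL values; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample records (src_ip, ttl, ip_id): 203.0.113.5 hides a Linux
# box (TTL 64 minus 3 hops, IP ID zeroed) and two Windows boxes (TTL 128 minus
# 3 hops, counting IP IDs); 198.51.100.7 is one Windows host ten hops away.
SAMPLE_RECORDS = [
    ("203.0.113.5", 125, 1000), ("203.0.113.5", 61, 0),
    ("203.0.113.5", 125, 1001), ("203.0.113.5", 125, 2300),
    ("203.0.113.5", 61, 0), ("203.0.113.5", 125, 2301),
    ("203.0.113.5", 125, 1002), ("203.0.113.5", 125, 2302),
    ("198.51.100.7", 118, 500), ("198.51.100.7", 118, 501),
    ("198.51.100.7", 118, 502), ("198.51.100.7", 118, 503),
]

def initial_ttl(ttl):
    """Infer the sender's initial TTL from the TTL seen on the wire."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start
    return 255

def count_ipid_chains(ipids, window=50):
    """Greedily group IP IDs into increasing chains; each chain is ~ one host.
    Zero IDs (what Linux/FreeBSD send) carry no counter information: skipped."""
    last_ids = []
    for ipid in ipids:
        if ipid == 0:
            continue
        for i, last in enumerate(last_ids):
            if last < ipid <= last + window:   # continues an existing counter
                last_ids[i] = ipid
                break
        else:
            last_ids.append(ipid)              # a new counter, i.e. a new host
    return len(last_ids)

def analyze(records):
    """Map src_ip -> (set of inferred initial TTLs, IP ID chains, NAT suspected)."""
    ttls, ids = defaultdict(set), defaultdict(list)
    for src, ttl, ipid in records:
        ttls[src].add(initial_ttl(ttl))
        ids[src].append(ipid)
    report = {}
    for src in ttls:
        chains = count_ipid_chains(ids[src])
        # More than one initial TTL or more than one ID counter => several hosts.
        report[src] = (ttls[src], chains, len(ttls[src]) > 1 or chains > 1)
    return report
```

With the TTL rewritten to 128 on all forwarded packets and the IP ID zeroed, as the article suggests, both heuristics see a single host; a single-TTL rewrite alone still leaves the IP ID counters visible.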