Книга: Iptables Tutorial 1.2.2
Ttl match
Ttl match
The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP headers. The TTL field contains 8 bits of data and is decremented once every time it is processed by an intermediate host between the client and recipient host. If the TTL reaches 0, an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and informing it of the problem. This match is only used to match packets based on their TTL, and not to change anything. The latter, incidentally, applies to all kinds of matches. To load this match, you need to add an -m ttl to the rule.
Table 10-31. Ttl match options
| Match | --ttl-eq |
| Kernel | 2.3, 2.4, 2.5 and 2.6 |
| Example | iptables -A OUTPUT -m ttl --ttl-eq 60 |
| Explanation | This match option is used to specify the TTL value to match exactly. It takes a numeric value and matches this value within the packet. There is no inversion and there are no other specifics to match. It could, for example, be used for debugging your local network - e.g. LAN hosts that seem to have problems connecting to hosts on the Internet - or to find possible ingress by Trojans etc. The usage is relatively limited, however; its usefulness really depends on your imagination. One example would be to find hosts with bad default TTL values (could be due to a badly implemented TCP/IP stack, or simply to misconfiguration). |
| Match | --ttl-gt |
| Kernel | 2.3, 2.4, 2.5 and 2.6 |
| Example | iptables -A OUTPUT -m ttl --ttl-gt 64 |
| Explanation | This match option is used to match any TTL greater than the specified value. The value can be between 0 and 255 and the match can not be inverted. It could, for example, be used for matching any TTL greater than a specific value and then force them to a standardized value. This could be used to overcome some simple forms of spying by ISP's to find out if you are running multiple machines behind a firewall, against their policies. |
| Match | --ttl-lt |
| Kernel | 2.3, 2.4, 2.5 and 2.6 |
| Example | iptables -A OUTPUT -m ttl --ttl-lt 64 |
| Explanation | The --ttl-lt match is used to match any TTL smaller than the specified value. It is pretty much the same as the --ttl-gt match, but as already stated; it matches smaller TTL's. It could also be used in the same way as the --ttl-gt match, or to simply homogenize the packets leaving your network in general. |
Оглавление книги
Оглавление статьи/книги
- Addrtype match
- AH/ESP match
- Comment match
- Connmark match
- Conntrack match
- Dscp match
- Ecn match
- Hashlimit match
- Helper match
- IP range match
- Length match
- Limit match
- Mac match
- Mark match
- Multiport match
- Owner match
- Packet type match
- Realm match
- Recent match
- State match
- Tcpmss match
- Tos match
- Ttl match
- Unclean match