iptables script


zubbs1

Occasional Visitor
I know just enough to accidentally do very terrible things to my system, but I follow directions very well. :D

I have an Asus RT-AC68U router flashed to Merlin firmware version RT-AC68U_380.66_4.
I want to insert an iptables script to automatically set the TTL value to 65 for all connected devices.

In Ubuntu, I know the command to set the TTL to 65 for my system, which I have successfully done.

Code:
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

If the same holds true for the script I need to insert to the router, then I believe it would look something like this:
Code:
#!/bin/sh

iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

I have read over the wiki for merlin on the github:
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

What I cannot discern is how to actually interact with the jffs partition in order to place a script there. That github page states to ensure your script is executable with a chmod command:
Code:
chmod a+rx /jffs/scripts/*

Where do I insert this command?

So far I have formatted the JFFS partition and rebooted the router.

I need to know if my script above is sufficient to achieve what I want, the particulars on how to get it where it needs to go, and how to ensure it's executable.

I really appreciate any help on this.

Cheers.
 


Have a look at Martineau's excellent guide for starters. Follow his link at:

https://www.snbforums.com/threads/h...cessing-the-internet.29693/page-3#post-329598

Thank you for this. I have made some progress. I am now able to use WinSCP to log in to the /jffs/scripts directory and run my script. However, my script is faulty:
Code:
#!/bin/sh

iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

Which gives the following error:
iptables: No chain/target/match by that name.

I am trying to troubleshoot, poorly I'm sure, and wanted to see what chains there were, so I added a chain list command:
Code:
#!/bin/sh

iptables -S
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

Here is the output in the terminal for
Code:
./SetTTL65.sh init

/jffs/scripts$ ./SetTTL65.sh init
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N SSHBFP
-N logaccept
-N logdrop
-A INPUT -i usb0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -p tcp -m multiport --dports 23 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i usb0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o usb0 -j DROP
-A FORWARD -i usb0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A SSHBFP -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
iptables: No chain/target/match by that name.

I'm really out of my element here. Do I have to attach my command somehow to one of the defined chains (INPUT, FORWARD, SECURITY, etc.)?

Cheers.
 
The TTL chain isn't included by default in the code... you have to do this at the start of your script (one is ipv4, the other ipv6, I forget which):

insmod xt_HL
insmod xt_hl
 
The TTL chain isn't included by default in the code... you have to do this at the start of your script (one is ipv4, the other ipv6, I forget which):

insmod xt_HL
insmod xt_hl

I included both in my new script:
Code:
#!/bin/sh
#Set all outgoing TTL values to 65
insmod xt_HL
insmod xt_hl
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65

I am now getting this error:
/jffs/scripts$ ./SetTTL65.sh init
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/xt_HL.ko': File exists
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/xt_hl.ko': File exists

Before I read your response, I found an old post and tried the advice:
https://www.snbforums.com/threads/ttl-modify-using-iptables-t-mangle.21633/#post-156721

Code:
admin@ASUS:/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter# modprobe  xt_HL
admin@ASUS:/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter# cat /proc/net/ip_tables_targets
NOTRACK
NFLOG
CLASSIFY
CONNMARK
MARK
TTL
TRIGGER
REJECT
MASQUERADE
LOG
DNAT
SNAT
ERROR
TCPMSS
TOS
DSCP

I then rebooted the router and still got the same error about the no chain/target/match etc. (Just in case this somehow altered what your commands did since I did this before the insmod commands were tried).
 
I am now getting this error:

That just means it's already loaded (as it was loaded the first time you ran the command); to silence this error in future, change the lines to:

Code:
modprobe xt_HL
modprobe xt_hl

I also prefer using modprobe; it's "smarter" in the sense that it can load dependencies, and I found cases with my own iptables scripts where the insmod command sometimes fails if called too early during boot.
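A complete version of the script this thread converges on, as an added example (not zubbs1's script, and not code from the Merlin project): it loads the modules with modprobe as suggested above, then appends the mangle POSTROUTING rule only if it is not already present, so re-running it (Merlin re-runs firewall-start whenever the firewall restarts) does not stack duplicate rules. The filename /jffs/scripts/firewall-start and the IPTABLES/MODPROBE override variables are assumptions made for this example.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (assumed name; Merlin re-runs it whenever the
# firewall restarts, e.g. on WAN reconnect, so the script must be re-runnable).
# Sets the TTL of every packet leaving the router to 65, as in the thread.

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be tested off-router
MODPROBE="${MODPROBE:-modprobe}"
TTL_VALUE="${TTL_VALUE:-65}"

# xt_HL provides the TTL (IPv4) / HL (IPv6) targets, xt_hl the ttl/hl matches.
# modprobe is idempotent, so there is no "File exists" error when already loaded.
load_ttl_modules() {
    "$MODPROBE" xt_HL 2>/dev/null || echo "modprobe xt_HL failed" >&2
    "$MODPROBE" xt_hl 2>/dev/null || echo "modprobe xt_hl failed" >&2
    return 0
}

# Chain plus target, without the -A verb, so the rule is defined in one place.
ttl_rule_spec() {
    echo "POSTROUTING -j TTL --ttl-set $TTL_VALUE"
}

# Check via 'iptables -S' (works on old iptables builds that lack -C).
ttl_rule_present() {
    "$IPTABLES" -t mangle -S POSTROUTING 2>/dev/null \
        | grep -q -- "-j TTL --ttl-set $TTL_VALUE\$"
}

# Append the rule only once; an unconditional -A would duplicate it on every run.
ensure_ttl_rule() {
    ttl_rule_present && return 0
    "$IPTABLES" -t mangle -A $(ttl_rule_spec)
}

main() {
    load_ttl_modules
    ensure_ttl_rule
}

# Only act on the router itself; elsewhere the functions are merely defined.
if [ -d /jffs/scripts ]; then
    main "$@"
fi
```

After installing it, `chmod a+rx /jffs/scripts/firewall-start` and confirm with `iptables -t mangle -S POSTROUTING` that exactly one TTL rule is listed even after a firewall restart.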
 
That just means it's already loaded (as it was loaded the first time you ran the command); to silence this error in future, change the lines to:

Code:
modprobe xt_HL
modprobe xt_hl

I also prefer using modprobe; it's "smarter" in the sense that it can load dependencies, and I found cases with my own iptables scripts where the insmod command sometimes fails if called too early during boot.

That did it! I now have everything working as I wanted.

Thanks to everyone for their help.

Cheers.
 
That did it! I now have everything working as I wanted.

Thanks to everyone for their help.

Cheers.

After seeming to work, I noticed a problem. My system is a dual Ubuntu/Windows 10 box. In Ubuntu, it does fine, the ping spits out a ttl=65. However, when booted into Windows 10, the ttl is locked at 128 (the default value I believe). I lost power last night, and was worried it somehow corrupted my script or something, but when I booted back into Ubuntu to double check, it works fine again.

Anyone have any idea why it isn't working on the Windows 10 side?
 
