?
Solved

cheking TTL with the help of iptables...

Posted on 2004-03-22
6
Medium Priority
?
335 Views
Last Modified: 2010-03-18
Hi U all

I've got a small problem (may be). I'm responsible for distributing an internet in a small LAN and now one problem occured to me. I want the netconnection, I'm offering to my clients, not to be possible for redistributing.

So, I'm using RED HAT 9.0 and my idea is by iptables to achieve my goal. It should be someting like this:
-----------------------------
iptables -t mangle -A OUTPUT -j TTL --ttl-set 1
-----------------------------
But it's a module what's the problem. I can't use the TTL without patching the kernel with the necessary module.

Is it possible to achieve my goal without recompiling the kernel? If yes (I hope), how?

10x for any help
0
Comment
Question by:gottin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10653711
I'm not sure that I understand what you mean by "not to be possible for redistributing". Could you elaborate?
0
 

Author Comment

by:gottin
ID: 10653791
well, it looks that it's not perfectly clear what I mean.
suppose the next topologi:           _       __
                                    |s|<--->|PC|
 ---------        -----------       |w|      --
|my server|<---->|client PC 1|<---->|i|<--->|PC|
 ---------        -----------       |t|      --
                                    |c|<--->|PC|
                                    |h|      --
                                     -
So, I want to configure "my server" this way that the PCs behind "client PC 1" do not have a network connectioning by simply setting the "client PC 1" as a firewall.

Tha question is: Is it possible to configure "my server" with the help of iptables (without recompiling the kernel)? If yes, how?

I hope it's clearer this time :)
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10653902
It sounds like you want to prevent a client from being able to set up a NAT'ing gateway and having multiple machines behind it. I don't believe that any sort of iptables rule is going to be able to detect or block this since the very nature of NAT means that all traffic, to an upstream node's view, will appear to be from/to the client IP. You might be able to infer that someone was doing this by traffic analysis, but even that gets iffy unless the volume is obviously much, much greater than could be generated by a single user.
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:gottin
ID: 10659369
well, the client PC are in most cases Windows machines and I think they are not able to use iptables. Well I just wanted to send the packets from my machine with TTL=1, so they can be alive not longer then the first PC, but after reading a bit bore I found that the onlies way to do this by the help of iptables is by patching the kernel and recompiling it.

So, I found my answer.

I want to close this question.

Thank U jlevie for trying to help.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 450 total points
ID: 10660038
I don't think that would help even if you did patch the kernel if someone was running a NAT'ing firewall on one of the windows boxes (ICS, WinGate, etc). The destination, as far as your Linux gateway is concerned, is the outside IP of such a system. The NAT'ing S/W is going to re-write the packet before passing it on to a system inside of the NAT'ing gateway and I think it will reset the TTL then.
0
 

Author Comment

by:gottin
ID: 10732877
10x for helping me!

Stancho

Bulgaria
0

Featured Post

Major Serverless Shift

Comparison of major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question