[clug] How to prevent port forwarding

Steve Walsh steve at nerdvana.org.au
Sat Apr 22 13:22:34 GMT 2006


You can use a rule such as this to reject TTL values that don't match a
certain value from a certain IP;

iptables -A INPUT -s <ip address> -m ttl --ttl-lt <certain value> -j REJECT

but as Martijn has pointed out while I'm writing this, TTL is hardly the
best way to check for multiple users on one connection.

You can reset the TTL with this iptables rule;

iptables -t mangle -A PREROUTING -j TTL --ttl-set <new TTL value>

Note that these examples may need some fancy kernel patches to work.

-----Original Message-----
From: Christopher Zhang
Sent: Saturday, 22 April 2006 11:09 PM
To: linux at lists.samba.org
Subject: [clug] How to prevent port forwarding


I am interested to find out if it is possible, if so, how, that some
ISPs prevent 1 registered Internet user to distribute their Internet
connection by running their computer as a gateway for other users to
route through. The closest thing I can think of is TTL, since if
other hosts are routed through the legitimate host, then their TTL
will be at least 1 less than if it were coming from the legitimate
host, without any artificial changes. Is this a plausible way for
ISPs? Can anyone show me some iptables commands that the ISPs would
do? And also how can I change my TTLs and so on.
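The TTL heuristic this thread discusses, written out as an added example (not code from either poster): it infers hop distance from the observed TTL, flags a subscriber address that shows traffic one hop further away than expected, and then shows why the mangle-table TTL reset above defeats it. The flow records, the subscriber addresses, the initial-TTL table and the assumption that a subscriber's own host is one hop from the ISP edge are all constructed for this example.

```python
from collections import defaultdict

# Assumption: the initial TTLs most operating systems use (64, 128, 255).
INITIAL_TTLS = (64, 128, 255)

# Constructed flow records as an ISP edge router might log them: (src, ttl).
SAMPLE_RECORDS = [
    ("203.0.113.10", 63),   # subscriber's own Linux host, one hop away
    ("203.0.113.10", 62),   # a host routed through that subscriber's box
    ("203.0.113.10", 127),  # subscriber's own Windows host, one hop away
    ("203.0.113.20", 63),   # a different subscriber, all traffic direct
    ("203.0.113.20", 63),
]


def hop_distance(ttl):
    """Hops travelled, assuming the sender started at the nearest initial TTL
    at or above the observed value (the usual guess when the OS is unknown)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL %d exceeds any known initial value" % ttl)


def flag_shared_connections(records, expected_hops=1):
    """Return {src: distances} for sources with traffic further away than
    expected_hops. Hosts routed through a subscriber's gateway arrive one
    hop further than the subscriber's own host does."""
    seen = defaultdict(set)
    for src, ttl in records:
        seen[src].add(hop_distance(ttl))
    return {src: d for src, d in seen.items() if max(d) > expected_hops}


def after_ttl_reset(records, new_ttl):
    """Simulate the subscriber's gateway rewriting every outgoing TTL to
    new_ttl (the mangle PREROUTING rule in the thread); the ISP edge then
    sees every packet one hop later at new_ttl - 1, so the check goes blind."""
    return [(src, new_ttl - 1) for src, _ in records]


if __name__ == "__main__":
    print(flag_shared_connections(SAMPLE_RECORDS))
    print(flag_shared_connections(after_ttl_reset(SAMPLE_RECORDS, 64)))
```

The first call flags 203.0.113.10 (distances 1 and 2); after the simulated TTL reset, nothing is flagged, which is why the thread calls TTL a weak check.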


linux mailing list
linux at lists.samba.org
