
understanding custom iptables rules

Posted: Fri Apr 24, 2020 2:32 pm
by slacker
Another newb question: it's often recommended that TTL rules be specifically applied to ipv6 in addition to ipv4, but I don't fully understand the oft-quoted firewall rules even after a brief read of the iptables man page on my linux box. In a vanilla GoldenOrb setup where the Custom TTL is enabled and set to, say, 65, the corresponding firewall configuration (which shows up in the custom FW tab) is:

#startTTL
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#endTTL

which means that both inbound and outbound packets are having their TTL re-stamped. But this only applies (I think) to packets destined for/returning from ipv4 addresses. When ipv6 packets are an issue, I usually see the following alternative rule suggested:

#start 007 TTL
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#end 007 TTL

which would seem to imply that outbound ipv6 packets have the proper TTL stamped, as do inbound ipv4 packets. But how are inbound ipv6 and outbound ipv4 packets handled under the above rule? A casual read would seem to suggest they pass through unaltered. If the first formulation is correct for ipv4 packets, why aren't we typically re-stamping the TTL of both inbound and outbound packets for both ipv4 and ipv6, something like:

#start naive newb fw
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
ip6tables -t mangle -I PREROUTING -i wwan0 -j HL --hl-set 65
#end naive newb fw

?

I assume there is some reason, perhaps the latter is redundant in some way, but would appreciate any additional insight on the logic behind the typical ipv6 rule formulation.
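
The coverage question in the post above can be checked mechanically. What follows is an added example, not code from the original post nor from GoldenOrb or ROOter: a small Python parser that reads the rules exactly as they are typed into the custom firewall tab and reports which of the four (address family, direction) pairs actually get a fixed hop count on the cellular interface. It assumes the interface is wwan0, the only one named in the thread, and the three rule sets it embeds are the ones quoted above. One detail it enforces: iptables rewrites the IPv4 TTL with -j TTL --ttl-set, while ip6tables has no TTL target at all and the IPv6 hop limit is set with -j HL --hl-set, so a mismatched pair is reported as an error instead of being silently counted.

```python
"""Which (family, direction) pairs do a set of TTL/HL mangle rules cover?

Added example, not code from the original post or from GoldenOrb/ROOter.
Assumptions: the cellular interface is wwan0 and only mangle-table TTL/HL
targets matter; every other rule and every comment line is ignored.
"""
import shlex

# iptables sets the IPv4 TTL with -j TTL --ttl-set; ip6tables has no TTL
# target, the IPv6 hop limit is set with -j HL --hl-set.
TOOLS = {
    "iptables": ("ipv4", "TTL", "--ttl-set"),
    "ip6tables": ("ipv6", "HL", "--hl-set"),
}
ALL_PAIRS = [(f, d) for f in ("ipv4", "ipv6") for d in ("inbound", "outbound")]


def parse_rule(line, iface="wwan0"):
    """Return (family, direction, value) for a hop-count rewrite on iface, else None."""
    tokens = shlex.split(line, comments=True)  # drops "#startTTL"-style lines
    if not tokens or tokens[0] not in TOOLS:
        return None
    family, expected_target, set_opt = TOOLS[tokens[0]]

    # Collect "-flag value" pairs; bare flags and extra positionals are skipped.
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1

    target = opts.get("-j")
    if target not in ("TTL", "HL"):
        return None  # not a hop-count rule at all
    if target != expected_target:
        raise ValueError(f"{tokens[0]} cannot use -j {target}; use -j {expected_target}")
    if opts.get("-t") != "mangle":
        raise ValueError(f"-j {target} is only valid in the mangle table")
    if set_opt not in opts:
        return None  # --ttl-inc/--ttl-dec adjust rather than fix the value
    value = int(opts[set_opt])

    chain = opts.get("-I") or opts.get("-A")
    if chain == "PREROUTING" and opts.get("-i") == iface:
        return family, "inbound", value
    if chain == "POSTROUTING" and opts.get("-o") == iface:
        return family, "outbound", value
    return None


def coverage(rules, iface="wwan0"):
    """Map (family, direction) -> value for every pair the rules rewrite."""
    covered = {}
    for line in rules.splitlines():
        parsed = parse_rule(line, iface)
        if parsed is not None:
            family, direction, value = parsed
            covered[(family, direction)] = value
    return covered


def missing(rules, iface="wwan0"):
    """The (family, direction) pairs the rules leave untouched, in fixed order."""
    covered = coverage(rules, iface)
    return [pair for pair in ALL_PAIRS if pair not in covered]


# The three rule sets quoted in the post, verbatim.
GOLDENORB_DEFAULT = """
#startTTL
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#endTTL
"""
RULE_007 = """
#start 007 TTL
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#end 007 TTL
"""
FOUR_RULE = """
#start naive newb fw
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
ip6tables -t mangle -I PREROUTING -i wwan0 -j HL --hl-set 65
#end naive newb fw
"""

if __name__ == "__main__":
    for name, rules in (("GoldenOrb default", GOLDENORB_DEFAULT),
                        ("007 TTL", RULE_007), ("four rule", FOUR_RULE)):
        cov = coverage(rules)
        print(f"{name}:")
        for pair in ALL_PAIRS:
            state = f"set to {cov[pair]}" if pair in cov else "passes through unaltered"
            print(f"  {pair[0]} {pair[1]:9s} {state}")
```

Run against the 007 set it reports ipv4 outbound and ipv6 inbound as passing through unaltered, which is exactly the casual reading in the post. Of the four rules, only the POSTROUTING -o wwan0 ones change what the carrier sees, because those are the packets that leave through the modem; the PREROUTING -i wwan0 rules only change the hop count that devices behind the router observe on replies.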

Re: understanding custom iptables rules

Posted: Sat Apr 25, 2020 12:47 am
by terryjett
Very valid point and after reading your reasoning, got to learn more about this. Hopefully a router guru will see this and provide some insight. Subscribed and waiting...

Re: understanding custom iptables rules

Posted: Mon May 04, 2020 9:37 am
by slacker
I'll report back to say that I experienced throttling regardless of TTL using the 007 rule, but had success with the potentially overkill four rule / newb table mods. This is in QMI mode, using a phone-data-only (no hotspot) unlimited plan, so those and other variables may alter which types of rules (and TTL vals) are most effective. Still a bit voodoo to me, but if it ain't broke don't fix it: I'm going to leave the spirits that dwell in my router be for a while, it seemed like it took a long time (and some prayers) just to get a solid connection.

Re: understanding custom iptables rules

Posted: Tue May 05, 2020 6:02 am
by terryjett
"had success with the potentially overkill four rule / newb table mods. This is in QMI mode, using a phone only"

Interesting find. How are you using your phone? Attached to router via USB, or?

Re: understanding custom iptables rules

Posted: Tue May 05, 2020 11:24 am
by slacker
By phone only, I just meant the plan is a phone plan that does not include any hotspot data. Hence the caveats: ISPs may have different rules for how data is clocked on different types of plans. I'm using the plan via a sim in a router.

Re: understanding custom iptables rules

Posted: Tue May 05, 2020 11:31 am
by terryjett
slacker wrote: Tue May 05, 2020 11:24 am By phone only, I just meant the plan is a phone plan that does not include any hotspot data. Hence the caveats: ISPs may have different rules for how data is clocked on different types of plans. I'm using the plan via a sim in a router.
Got ya. After drinking a second cup of coffee I understood what you were saying :) Was not quite awake...