understanding custom iptables rules

slacker
Posts: 10
Joined: Thu Apr 16, 2020 11:42 am
Has thanked: 3 times
Been thanked: 5 times

understanding custom iptables rules

Post by slacker »

Another newb question: it's often recommended that TTL rules be specifically applied to ipv6 in addition to ipv4, but I don't fully understand the oft-quoted firewall rules even after a brief read of the iptables man page on my linux box. In a vanilla GoldenOrb setup where the Custom TTL is enabled and set to, say, 65, the corresponding firewall configuration (which shows up in the custom FW tab) is:

#startTTL
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#endTTL

which means that both inbound and outbound packets are having their TTL re-stamped. But this only applies (I think) to packets destined/returning from ipv4 addresses. When ipv6 packets are an issue, I usually see the following alternative rule suggested:

#start 007 TTL
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#end 007 TTL

which would seem to imply that outbound ipv6 packets have the proper TTL stamped, as do inbound ipv4 packets. But how are inbound ipv6 and outbound ipv4 packets handled under the above rule? A casual read would seem to suggest they pass through unaltered. If the first formulation is correct for ipv4 packets, why aren't we typically re-stamping the TTL of both inbound and outbound packets for both ipv4 and ipv6, something like:

#start naive newb fw
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
ip6tables -t mangle -I PREROUTING -i wwan0 -j HL --hl-set 65
#end naive newb fw

?

I assume there is some reason, perhaps the latter is redundant in some way, but would appreciate any additional insight on the logic behind the typical ipv6 rule formulation.
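The gap the post asks about can be checked mechanically. The following is an added example, not code from the thread or from GoldenOrb: it parses the quoted iptables/ip6tables lines, maps each to an (address family, direction) pair using the chain (PREROUTING = inbound, POSTROUTING = outbound) and the command (iptables = ipv4, ip6tables = ipv6), and reports which pairs a rule set leaves untouched. The rule text is copied from the post above; the function names (parse_rule, audit_ttl_rules, uncovered, rule_error) and the interface default wwan0 are this example's own assumptions. It also flags a rule whose target does not match its family (-j TTL under ip6tables, or -j HL under iptables), which iptables itself rejects when the rules are loaded.

```python
"""Audit which (family, direction) pairs a set of TTL/HL rewrite rules covers.

Added example, not from the forum post or GoldenOrb. Rule text below is
copied from the thread; the audit logic is this example's own.
"""
import shlex

# Rule sets as quoted in the thread (wwan0 is the WAN interface there).
RULES_007 = """
#start 007 TTL
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
#end 007 TTL
"""

RULES_FOUR = """
#start naive newb fw
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65
ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 65
ip6tables -t mangle -I PREROUTING -i wwan0 -j HL --hl-set 65
#end naive newb fw
"""

FAMILY_BY_CMD = {"iptables": "ipv4", "ip6tables": "ipv6"}
# The rewrite target and its option differ per family: TTL for IPv4, HL for IPv6.
TARGET_BY_FAMILY = {"ipv4": ("TTL", "--ttl-set"), "ipv6": ("HL", "--hl-set")}
DIRECTION_BY_CHAIN = {"PREROUTING": "inbound", "POSTROUTING": "outbound"}


def parse_rule(line):
    """Parse one iptables/ip6tables command into a dict, or return None for
    lines that are not a mangle-table TTL/HL rewrite (comments included).
    Raises ValueError when the target does not match the command's family."""
    argv = shlex.split(line)          # comment lines start with '#', not a command
    if not argv or argv[0] not in FAMILY_BY_CMD:
        return None
    family = FAMILY_BY_CMD[argv[0]]
    opts = {}
    i = 1
    while i < len(argv):
        if argv[i] in ("-I", "-A"):   # -I inserts at the top, -A appends; same coverage
            opts["chain"] = argv[i + 1]
            i += 2
        elif argv[i] in ("-t", "-i", "-o", "-j", "--ttl-set", "--hl-set"):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("-t") != "mangle" or "chain" not in opts:
        return None
    if opts.get("-j") not in ("TTL", "HL"):
        return None
    target, set_opt = TARGET_BY_FAMILY[family]
    if opts["-j"] != target or set_opt not in opts:
        raise ValueError(f"{argv[0]} cannot use -j {opts['-j']}: {line.strip()}")
    direction = DIRECTION_BY_CHAIN.get(opts["chain"])
    # Outbound rules match on the egress interface (-o), inbound on ingress (-i).
    iface = opts.get("-o") if direction == "outbound" else opts.get("-i")
    return {"family": family, "direction": direction, "iface": iface,
            "value": int(opts[set_opt])}


def audit_ttl_rules(rule_text, iface="wwan0"):
    """Return {(family, direction): value or None} for all four combinations.
    None means that traffic keeps its original TTL / hop limit."""
    coverage = {(f, d): None
                for f in ("ipv4", "ipv6") for d in ("inbound", "outbound")}
    for line in rule_text.strip().splitlines():
        rule = parse_rule(line)
        if rule and rule["iface"] == iface and rule["direction"]:
            coverage[(rule["family"], rule["direction"])] = rule["value"]
    return coverage


def uncovered(rule_text, iface="wwan0"):
    """Sorted list of the (family, direction) pairs a rule set leaves untouched."""
    return sorted(k for k, v in audit_ttl_rules(rule_text, iface).items()
                  if v is None)


def rule_error(line):
    """Error message for a rule iptables would reject, or '' if it parses."""
    try:
        parse_rule(line)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, rules in (("007 rule", RULES_007), ("four-rule set", RULES_FOUR)):
        print(f"{name}: uncovered = {uncovered(rules)}")
```

Run against the two sets quoted in the post, the "007" pair reports ipv4 outbound and ipv6 inbound as uncovered, while the four-rule set covers all four combinations. The audit treats -I and -A identically, since both place the rule in the chain; the difference only matters when other mangle rules precede it.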
terryjett
Posts: 404
Joined: Tue Sep 24, 2019 10:42 pm
Location: Far Side
Has thanked: 104 times
Been thanked: 91 times

Re: understanding custom iptables rules

Post by terryjett »

Very valid point and after reading your reasoning, got to learn more about this. Hopefully a router guru will see this and provide some insight. Subscribed and waiting...

Re: understanding custom iptables rules

Post by slacker »

I'll report back to say that I experienced throttling regardless of ttl using the 007 rule, but had success with the potentially overkill four rule / newb table mods. This is in QMI mode, using a phone data only (no hotspot) unlimited plan, so those and other variables may alter which types of rules (and TTL vals) are most effective. Still a bit voodoo to me, but if it ain't broke don't fix it: I'm going to leave the spirits that dwell in my router be for a while; it seemed like it took a long time (and some prayers) just to get a solid connection.

Re: understanding custom iptables rules

Post by terryjett »

"had success with the potentially overkill four rule / newb table mods. This is in QMI mode, using a phone only"

Interesting find. How are you using your phone? Attached to router via USB, or?

Re: understanding custom iptables rules

Post by slacker »

By phone only, I just meant the plan is a phone plan that does not include any hotspot data. Hence the caveats: ISPs may have different rules for how data is clocked on different types of plans. I'm using the plan via a sim in a router.

Re: understanding custom iptables rules

Post by terryjett »

slacker wrote: Tue May 05, 2020 11:24 am
By phone only, I just meant the plan is a phone plan that does not include any hotspot data. Hence the caveats: ISPs may have different rules for how data is clocked on different types of plans. I'm using the plan via a sim in a router.
Got ya. After drinking a second cup of coffee I understood what you were saying :) Was not quite awake...