2002-03-11 16:25:07+0100, Gwenael Letellier <[EMAIL PROTECTED]> ->
> Hi,
> 
> I have a question about how Netfilter DNAT handles TTL. From a previous
> experience, I believed NetFilter would not decrement TTLs when routing
> DNATed packets. 
> 
> That would mean that, on the basis of TTLs, a NATed server would seem to
> stand at the same level than its public IP address (e.g., servers in DMZs
> would appear to be just before the firewall).
> 
> However, in the following hping traceroute where the firewall listens on SSH
> and there is a NATed web server, TTLs are decremented. I know it is possible
> to modify TTLs with the TTL target. Is there another way to change this
> behaviour ?
> 
> Thank you,
> G. Letellier
> 
> [root@gw /root]# hping2 -t 1 -S -T -p 22 -n 175.78.55.12
> 1->TTL 0 during transit from 61.5.6.2
> 2->TTL 0 during transit from 61.5.6.5
> 3->TTL 0 during transit from 61.5.6.50
> 4->TTL 0 during transit from 174.78.129.12
> 5->TTL 0 during transit from 113.51.12.239
> 6->TTL 0 during transit from 175.78.75.21
> 7->TTL 0 during transit from 175.78.6.78
> 44 bytes from 175.78.55.12: flags=SA seq=7 ttl=56 id=0 win=5840 rtt=75.0 ms
> 44 bytes from 175.78.55.12: flags=SA seq=8 ttl=56 id=0 win=5840 rtt=73.0 ms
> 
> --- 175.78.55.12 hping statistic ---
> 9 packets tramitted, 2 packets received, 78% packet loss
> round-trip min/avg/max = 73.0/74.0/75.0 ms
> 
> [root@gw /root]# hping2 -t 1 -S -T -p 80 -n 175.78.55.17
> 1->TTL 0 during transit from 61.5.6.2
> 2->TTL 0 during transit from 61.5.6.5
> 3->TTL 0 during transit from 61.5.6.50
> 4->TTL 0 during transit from 174.78.129.12
> 5->TTL 0 during transit from 113.51.12.239
> 6->TTL 0 during transit from 175.78.75.21
> 7->TTL 0 during transit from 175.78.6.78
> 9: 44 bytes from 175.78.55.17: flags=SA seq=11 ttl=119 id=34220 win=8576 rtt=71.1 ms

No, every time a packet passes ANY form of active equipment the TTL
shall be decreased. Otherwise you can get loops. You can by accident arrange
two NATs pointing the packets at each other, and you have your loop. NAT is a
gateway and shall decrease the TTL.

Use the TTL modifier if you want to modify it as you say. There is nothing
wrong with the way NAT handles TTL today.

-- 
/Gozem A.K.A. Joakim Axelsson
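The hping output above is exactly the kind of TTL evidence an outsider uses to map what sits behind a NAT: the reply from 175.78.55.12 arrives with ttl=56, the one from 175.78.55.17 with ttl=119. The following is an added worked example, not code from either poster or from the netfilter project, that parses those two reply lines (quoted from the post as constructed sample input), guesses each host's initial TTL from the usual fingerprinting table (assumption: 32/64/128/255 as the candidate start values), derives the hop count, and then models what a mangle-table TTL increment on the firewall (the TTL target the reply refers to) does to that inference. The `analyse`, `hops_from_ttl` and `ttl_after_increment` names are this example's own.

```python
"""Hop-count and initial-TTL inference from hping replies, plus a model of
what a firewall-side TTL increment does to that inference.  Added example;
hostnames/IPs are taken from the quoted post, everything else is assumed."""

import re

# Constructed sample input: the two reply lines quoted in the post above.
SAMPLE_REPLIES = [
    "44 bytes from 175.78.55.12: flags=SA seq=7 ttl=56 id=0 win=5840 rtt=75.0 ms",
    "44 bytes from 175.78.55.17: flags=SA seq=11 ttl=119 id=34220 win=8576 rtt=71.1 ms",
]

# Assumption: the usual initial TTLs that IP stacks start from (64 for
# Linux/BSD, 128 for Windows, 255 for many routers, 32 for some old stacks).
INITIAL_TTLS = (32, 64, 128, 255)

REPLY_RE = re.compile(r"from (?P<host>[\d.]+):.*?\bttl=(?P<ttl>\d+)")


def parse_reply(line):
    """Extract (source host, observed TTL) from one hping reply line."""
    m = REPLY_RE.search(line)
    if m is None:
        raise ValueError("not an hping reply line: %r" % line)
    return m.group("host"), int(m.group("ttl"))


def infer_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError("TTL %d out of range" % observed)


def hops_from_ttl(observed):
    """Hops the reply travelled, assuming every hop decremented the TTL
    (which is what the reply above says NAT must do as well)."""
    return infer_initial_ttl(observed) - observed


def analyse(lines):
    """Map each replying host to (inferred initial TTL, inferred hop count)."""
    result = {}
    for line in lines:
        host, ttl = parse_reply(line)
        result[host] = (infer_initial_ttl(ttl), hops_from_ttl(ttl))
    return result


def ttl_after_increment(observed, inc):
    """Model of a mangle-table TTL target on the firewall, e.g.
    `iptables -t mangle -A FORWARD -s <dmz-server> -j TTL --ttl-inc N`
    applied to the server's replies: the client sees observed + N.
    Assumption: the value is capped at the 8-bit maximum of 255."""
    return min(observed + inc, 255)


def hops_after_increment(observed, inc):
    """Hop count an outsider would infer once the firewall adds `inc`."""
    return hops_from_ttl(ttl_after_increment(observed, inc))


if __name__ == "__main__":
    for host, (initial, hops) in sorted(analyse(SAMPLE_REPLIES).items()):
        print("%s: initial TTL %d, %d hops away" % (host, initial, hops))
    # With `--ttl-inc 1` on the web server's replies, its apparent distance
    # drops to that of the firewall (8 hops) and the DMZ hop is hidden.
    print("web server after --ttl-inc 1: %d hops" % hops_after_increment(119, 1))
```

Running it shows why the numbers in the post are informative: 64-56 = 8 hops to the firewall (a 64-start stack), 128-119 = 9 hops to the web server (a 128-start stack), so the DNAT target is visibly one hop behind the firewall and runs a different OS family. An increment of 1 on the firewall makes both hosts look 8 hops away. Caveat: the initial-TTL guess is a heuristic; a host more than 32 hops away, or a TTL increment that pushes the value across the next boundary (e.g. above 128), will be misclassified by this table.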
