Stop NAT?

Started by dlots, February 16, 2016, 12:44:06 PM


dlots

A friend of mine is in an apartment complex that kills any traffic behind a NAT: so if you plug in a router, the router can ping out, but if you put a device behind the router through a NAT, all that traffic gets dropped. I was wondering how you would do this. The only thing I could think of was looking for an even-numbered TTL with an ACL (so you start with 255, it gets knocked down to 254 at the NAT router, and the next router would see that 254 TTL hit an ACL and drop it), but I didn't think this sounded like a good plan since different OSs can use different TTLs. I am hoping someone here has had experience with this and can shed some light on the subject.

deanwebb

Did a little checking and it's the TTL value. Saw how one ISP accepts only TTLs of 32 or 64. So you want to reset the TTL on your packets at the router. In iptables, it looks like this:

iptables -t mangle -A POSTROUTING -o ppp0 -j TTL --ttl-set 64

Or, at the host, have the TTLs all start at 33 or 65.

Blocking NAT by dropping packets with the "wrong" TTL is a kludge, but effective enough for non-tech types.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
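To make the TTL reasoning in this thread concrete (the ISP-edge check deanwebb describes, the even-TTL ACL idea from the first post, the iptables reset rule, and the "device that does not decrement TTL" case Dieselboy raises later about the ASA), here is an added model in Python. It is not code from this thread or from any vendor; the path, the hop behaviour and the accepted-TTL set are constructed assumptions for illustration.

```python
"""Model of TTL-based NAT detection as discussed in the thread.

Added example, not from the thread. Constructed assumptions:
- common initial TTLs are 64 (Linux/BSD), 128 (Windows), 255 (some network gear);
- the complex's edge router has an inbound ACL that only accepts packets whose
  TTL still equals an initial value (i.e. no router sat between host and edge);
- a NAT router decrements TTL when forwarding, then applies any egress TTL
  rewrite (this matches the ordering of the iptables POSTROUTING mangle rule).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TTL values the (constructed) edge ACL treats as "directly attached host".
STANDARD_INITIAL_TTLS = {32, 64, 128, 255}


@dataclass
class Hop:
    """One forwarding device between the host and the edge ACL."""
    name: str
    decrements_ttl: bool = True       # False models a device that leaves TTL alone
    ttl_set: Optional[int] = None     # models: iptables -j TTL --ttl-set N on egress


def forward(ttl: int, path: List[Hop]) -> Optional[int]:
    """Return the TTL as it arrives at the edge after traversing `path`,
    or None if it expired in transit."""
    for hop in path:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl <= 0:
                return None           # router would send ICMP time exceeded
        if hop.ttl_set is not None:
            ttl = hop.ttl_set         # egress rewrite, after the decrement
    return ttl


def edge_accepts(ttl: Optional[int]) -> bool:
    """The thread's ACL: accept only TTLs that still look like an initial value."""
    return ttl is not None and ttl in STANDARD_INITIAL_TTLS


def even_ttl_rule_drops(ttl: Optional[int]) -> bool:
    """The first post's alternative: drop even TTLs, assuming hosts start at 255.
    Shown here so its false positives are visible (64 and 128 are even)."""
    return ttl is None or ttl % 2 == 0


def scenarios() -> Dict[str, bool]:
    """Whether the edge ACL accepts traffic in each constructed scenario."""
    nat = Hop("nat-router")
    nat_mangled = Hop("nat-router", ttl_set=64)        # the iptables rule
    no_decrement = Hop("firewall-no-ttl-decrement", decrements_ttl=False)
    return {
        "linux host, direct":            edge_accepts(forward(64, [])),
        "linux host behind NAT":         edge_accepts(forward(64, [nat])),
        "linux host behind NAT, mangle": edge_accepts(forward(64, [nat_mangled])),
        "host with TTL 65 behind NAT":   edge_accepts(forward(65, [nat])),
        "host behind non-decrementing":  edge_accepts(forward(64, [no_decrement])),
        "windows host, direct":          edge_accepts(forward(128, [])),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} -> {'accepted' if ok else 'dropped'}")
    # The even-TTL ACL drops a directly attached Linux host (TTL 64 is even).
    print("even-TTL rule drops direct Linux host:", even_ttl_rule_drops(64))
```

The two things worth taking from the model: the edge check only tells the ISP that *some* router decremented the TTL, so anything that restores or never touches the TTL passes it, and the even-TTL variant from the first post is strictly worse because the common initial values 64 and 128 are themselves even, so it drops ordinary directly attached hosts.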

dlots


wintermute000

let us know if this works, I'm interested

Dieselboy

So if I came in and plugged in my ASA5505, I would be all good since ASAs don't touch the TTL? Sounds like a caveat to this solution?

Reggle

Any layer 3 device touches TTL. So that will include the ASA in default routed mode.

dlots

Quote from: Dieselboy on February 26, 2016, 12:02:36 AM
So if I came in and plugged in my ASA5505, I would be all good since ASAs don't touch the TTL? Sounds like a caveat to this solution?

Oh, that might just be very cool. Does it do that with all traffic?
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

Dieselboy

Quote from: dlots on February 26, 2016, 09:28:40 AM
Quote from: Dieselboy on February 26, 2016, 12:02:36 AM
So if I came in and plugged in my ASA5505, I would be all good since ASAs don't touch the TTL? Sounds like a caveat to this solution?

Oh, that might just be very cool. Does it do that with all traffic?
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

I understood it to be a security feature? So people trying to discover stuff can't see that a device is actually there. I could be wrong though. I assumed it was with all traffic; it would be a bit pointless if it only did it to ICMP traffic. If you can't find the answer to that, I could set up a quick capture for you next week when I'm back at work.

On a different note:
Could you use a route map on a router to put the TTL back to what it was before, i.e. copied from the inbound packet? Just wondering if that was possible :)


Reggle

... That's not really RFC compliant behaviour.

deanwebb

Quote from: Reggle on February 29, 2016, 05:14:16 AM
... That's not really RFC compliant behaviour.

Drinking game idea: every time someone says Cisco has something that isn't RFC-compliant, take a shot. You'll be sozzled in no time!

Dieselboy

Cisco pushing the boundaries with their "we'll do it anyway" attitude :)