All,
I've noticed that if someone performs a traceroute to a 44net address
routed via an IPIP tunnel on OpenWRT version 14 or 15 (tested), the
router gives the public, commercial IP address of the device instead
of a 44net IP on tunl0, or any assigned forwarded interface.
Without intricate detail, this is by design of the operating system, as
the kernel re-packets an ICMP TTL Exceeded, and seems not to connect
that new packet as RELATED to the received packet in which the TTL had
exceeded. This is fine when all local IPs are private IPs, or should be
forwarded via the kernel's gateway; but as they are not, and the only
gateway the kernel knows is the physical WAN, the ICMP TTL Exceeded
packet is given the kernel's source address (with gateway) and sent
hence - a leaked TTL Exceeded packet.
Reason: the least computationally difficult method to protect our
gateways from rogue packets is to not publicize/announce our Public
WAN-facing IP address.
In order to prevent this, a RAW packet filter rule for all packets
received via tunl0 with TTL < 2 can be created, preventing processing of
TTL Exceeded packets for non-44net IPs:
iptables -t raw -I PREROUTING -i tunl0 -m ttl --ttl-lt 2 -j DROP
iptables -t raw -I PREROUTING -s 44.0.0.0/8 -d 44.xxx.xxx.xxx/xx -i tunl0 -m ttl --ttl-lt 2 -j ACCEPT
Those using OpenWRT, please test and confirm issue and its fix.
73,
-Lynwood
KB3VWG
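The two raw-table rules above, wrapped in a small idempotent installer for an OpenWRT router. This is an added example, not code from Lynwood's post or from the OpenWRT project; the interface name (TUN_IF, default tunl0) and the 44net block passed as the first argument (written 44.x.x.0/24 here as a placeholder) are assumptions for illustration. It validates that the block really lies inside 44.0.0.0/8 before building the ACCEPT exemption, emits the rule specifications in the order iptables -I needs them (DROP first, then ACCEPT, which -I places above it), and uses iptables -C so re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example; not code from the original post. Wraps the two raw-table
# rules from the post in an idempotent installer for OpenWRT (BusyBox ash /
# POSIX sh). Hypothetical names: TUN_IF (the IPIP interface, default tunl0)
# and the 44net block passed as the first argument, e.g. 44.x.x.0/24.

TUN_IF="${TUN_IF:-tunl0}"

# Accept only "a.b.c.d/n" with n in 8..32 and first octet 44, i.e. a block
# inside 44.0.0.0/8. Returns 1 otherwise, so a typo cannot widen the
# ACCEPT exemption to sources outside 44net.
in_44net() {
    local cidr="$1" addr plen oldifs o
    addr="${cidr%/*}"; plen="${cidr#*/}"
    [ "$addr" != "$cidr" ] || return 1           # no prefix length given
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -ge 8 ] && [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -f; set -- $addr; set +f; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" = 44 ]
}

# Print the rule specs in the order they must be passed to "iptables -I":
# the catch-all DROP first, then the 44net-to-44net ACCEPT, which -I places
# above it, so the exemption is evaluated before the drop.
leak_guard_rules() {
    in_44net "$1" || { echo "leak_guard: not a 44net block: $1" >&2; return 1; }
    printf '%s\n' \
        "-i $TUN_IF -m ttl --ttl-lt 2 -j DROP" \
        "-s 44.0.0.0/8 -d $1 -i $TUN_IF -m ttl --ttl-lt 2 -j ACCEPT"
}

# Insert each rule at the top of raw PREROUTING unless it is already there
# (-C exits 0 when a matching rule exists), so re-running is harmless.
apply_leak_guard() {
    local rules
    rules=$(leak_guard_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r spec; do
        # shellcheck disable=SC2086 -- spec is split into tokens on purpose
        iptables -t raw -C PREROUTING $spec 2>/dev/null ||
            iptables -t raw -I PREROUTING $spec
    done
}

# Usage (as root on the router): sh leak-guard.sh apply 44.x.x.0/24
case "${1:-}" in
    apply) apply_leak_guard "$2" ;;
esac
```

After applying, repeat the traceroute from a 44net host toward an address in the block, as the post asks, and confirm the router's hop no longer answers from its public WAN address.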