Hide your openwrt router from traceroute

  • 0
  • May 19, 2017

Before we begin, we have to know about the principle of traceroute in order to hiding from it.

Principle of traceroute

According to wikipedia, traceroute sends a sequence of UDP packets or ICMP Echo request addressed to a destination host with a specified TTL value, when the packets arrived a new router, it’s ttl value will be decremented by one. Router will discard any packets whose TTL values has reached zero and returnthe ICMP error message <ICMP Time Exceeded> to the original address. Traceroute works by sending packets with gradually increasing TTL value, starting with TTL = 1, the first router receives the packet, and decrements the TTL value and drops the packet because it’s TTL reached zero, then the router sends an ICMP Time Exceeded message which contains router’s IP. By increasing packet’s original TTL value, traceroute will be able to find out different hops(router) of the packet.

 

General idea

Since IP of the router is sent back by the ICMP Time Exceeded message, we can just simply find a way to prevent our router from sending this kind of message out.

 

Implementation

Edit /etc/firewall.user and append this line to the end of the file

Notes:

We’re appending to output_rule is because this is a rule which has already predefined in openwrt’s firewall and you can look that up with <iptables -L -n -v>

W’re using –icmp-type=11 because according to this table: <https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol> An ICMP Time Exceeded message has a type = 11.

Final step

You can restart your firewall by executing </etc/init.d/firewall restart> or simply reboot the router to let things start working.

Leave a Reply