Managing TTL in Ubuntu: From Theory to Practice
Published on 2026-03-04
TTL (Time To Live) is an eight-bit field in the IP header that defines the maximum number of “hops” (nodes) a packet may traverse before it is discarded. Every router that forwards the packet decreases the TTL value by 1.
Typical default TTL values
Different operating systems use different initial values. This allows remote OS fingerprinting.
| Operating system | Default TTL |
|---|---|
| Windows (all versions) | 128 |
| Linux (Ubuntu, Debian, CentOS, etc.) | 64 |
| Android | 64 |
| iOS / macOS | 64 |
| FreeBSD / Solaris | 255 |
Why change TTL? Usage patterns
1. Bypassing tethering restrictions (internet sharing)
The most common scenario. Mobile carriers analyze incoming traffic.
If a packet from a smartphone arrives with TTL 64, that is normal. If you share the internet connection to a laptop (which also starts with TTL 64), the packet passes through the smartphone (acting as a router), and its TTL becomes 63.
The carrier sees a “non-standard” value and:
- blocks tethering,
- limits bandwidth,
- or charges an extra fee.
Solution:
- force the endpoint device to set TTL to 65,
- or configure iptables on the smartphone/router to compensate for the TTL decrement.
2. Masquerading as a different OS
If a Linux server should appear to external scanners as a Windows machine, set the TTL to 128. This confuses passive traffic analysis tools and complicates OS fingerprinting.
3. Protection against tracing (Traceroute)
If you set a low TTL (e.g., 1–3), packets won’t leave the local network segment or the nearest gateway. This makes it impossible to map the network from outside using standard tools.
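To make the arithmetic behind the fingerprinting table and the carrier's tethering check concrete, here is an added Python example (not part of the original article) that infers the initial TTL and hop count from an observed TTL, and models what a forwarding node does to a packet with and without a `--ttl-inc 1` compensation rule. The sample observations are constructed.

```python
"""Passive TTL analysis: estimate the sender's initial TTL and the number of
router hops from the TTL observed in a packet, and model how forwarding
(with or without a '--ttl-inc 1' compensation rule) changes the TTL.
The sample observations at the bottom are constructed, not captured."""

# Common initial TTL values (see the table above) and the OS family using them.
DEFAULT_TTLS = {64: "Linux/Android/macOS/iOS", 128: "Windows", 255: "FreeBSD/Solaris"}


def infer_initial_ttl(observed):
    """Return (initial_ttl, hops, os_family) for an observed TTL.

    Assumes the sender used the smallest common default that is >= observed;
    the hop count is then simply the difference."""
    if not 0 <= observed <= 255:
        raise ValueError("TTL is an eight-bit field")
    initial = min(d for d in DEFAULT_TTLS if d >= observed)
    return initial, initial - observed, DEFAULT_TTLS[initial]


def looks_tethered(observed, device_default=64):
    """Carrier-side check described in the article: a packet that should come
    straight from a handset (initial TTL device_default) but arrives one hop
    lower has most likely been forwarded by the handset from another device."""
    return observed == device_default - 1


def forward(ttl, ttl_inc=0):
    """Model a packet crossing a forwarding node. A PREROUTING '-j TTL --ttl-inc N'
    rule runs before the kernel's forwarding decrement, so the increment is
    applied first. Returns None if the packet is discarded."""
    ttl = min(ttl + ttl_inc, 255)
    if ttl <= 1:  # TTL would reach 0: the router drops it (ICMP time exceeded)
        return None
    return ttl - 1


def analyze(observations):
    """Classify (source, ttl) pairs as a carrier or scanner would see them."""
    return [(src, *infer_initial_ttl(ttl), looks_tethered(ttl))
            for src, ttl in observations]


if __name__ == "__main__":
    # Constructed sample: a handset, a laptop behind that handset, a Windows host 11 hops away.
    SAMPLE = [("10.0.0.5", 64), ("10.0.0.5", 63), ("203.0.113.9", 117)]
    for row in analyze(SAMPLE):
        print(row)
```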
Practical configuration via iptables
TTL manipulation is done in the mangle table, using the TTL target.
All commands require sudo privileges.
Basic commands
Setting a fixed value
```bash
# Set TTL 64 for all outgoing packets
sudo iptables -t mangle -A POSTROUTING -j TTL --ttl-set 64
```
Increment (increase TTL)
If you need the packet to leave the device with the same value it arrived with (compensating for the decrement when forwarding):
```bash
# Add 1 to the TTL of packets arriving on eth0, before the forwarding decrement
sudo iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
```
Per-user separation (owner module)
On Linux you can segment traffic by UID (User ID). This is especially useful:
- if different services run on the same server,
- if different network behavior is required,
- if you need to mask only part of the traffic.
1. For a system user (for example, UID 1001)
```bash
sudo iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j TTL --ttl-set 128
```
2. For a web server (user www-data)
```bash
sudo iptables -t mangle -A OUTPUT -m owner --uid-owner www-data -j TTL --ttl-set 64
```
3. Excluding a user
You can set a rule for everyone except a specific account:
```bash
sudo iptables -t mangle -A OUTPUT -m owner ! --uid-owner 1000 -j TTL --ttl-set 65
```
Working with IPv6 (Hop Limit)
In IPv6 the TTL field is renamed to Hop Limit.
Management is done with the ip6tables utility. The principle is identical.
Example for a specific user in IPv6
```bash
sudo ip6tables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j HL --hl-set 64
```
Checking and automation
Viewing current rules
```bash
sudo iptables -t mangle -L -v -n --line-numbers
```
Saving configuration
On Ubuntu, iptables rules are not persisted across reboots.
To save them:
```bash
# Installation (if not installed)
sudo apt install iptables-persistent
# Saving current rules
sudo netfilter-persistent save
```
Rules will be written to:
- /etc/iptables/rules.v4
- /etc/iptables/rules.v6
Files can be edited manually, after which apply the changes:
```bash
sudo netfilter-persistent reload
```
Conclusion
Managing TTL and Hop Limit is not just a “hack for internet sharing”, but a full-fledged network engineering tool.
It is used for:
- bypassing carrier restrictions,
- masking the network stack,
- traffic segmentation,
- limiting the propagation scope of packets,
- building custom network policies.
In DevOps and infrastructure automation such mechanisms are often used as part of a more complex scheme — together with policy routing, mark-based routing and advanced netfilter rules.