Traceroute response - solved
Bevan C. Bennett
bevan at fulcrummicro.com
Tue Jan 6 02:48:04 UTC 2004
Alexander Dalloz wrote:
> But looking at your iptables rules chain it is obvious that all ICMP
> traffic in the INPUT chain is allowed and in the OUTPUT chain by policy
> too.
>
> Curious indeed.
But not once we remember to read the traceroute man page... (Doh!)
Here's the relevant snippets:
    -I    Use ICMP ECHO instead of UDP datagrams.

    -p    Set the base UDP port number used in probes (default is 33434).
          Traceroute hopes that nothing is listening on UDP ports base to
          base + nhops - 1 at the destination host (so an ICMP
          PORT_UNREACHABLE message will be returned to terminate the route
          tracing). If something is listening on a port in the default
          range, this option can be used to pick an unused port range.
Adding the following as a second-to-last iptables entry will make a
system more "traceroute-friendly" without giving away any potentially
useful information to hostile network-probing types:
-A RH-Firewall-1-INPUT -m udp -p udp --dport 33434:33534 -j REJECT
That should be good for the system in question being up to the 100th
traceroute hop. If you're tracing longer routes than that, adjust
appropriately.
Happy tracing!
-Bevan Bennett
Cranky Sysadmin
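Added example for the rule above (not from Bevan's post and not from Fedora's own firewall scripts): a small shell script that works out which UDP ports a UDP-mode traceroute will actually hit, emits the matching REJECT rule, and splices it in as the second-to-last rule of the chain in an iptables-save style ruleset. It assumes one destination port per probe (base + probe number, as the Linux traceroute man page describes -p), so a trace of H hops with Q probes per hop uses H*Q ports; at the default 3 probes per hop the 101-port range 33434:33534 therefore covers about 33 hops rather than 100. The function names and the sample ruleset are made up for this example; traceroute -I (ICMP ECHO) is unaffected by the rule and relies on the ICMP ACCEPT already in the chain.

```shell
#!/bin/sh
# Added example, not part of the original post or the Fedora firewall
# scripts. It works out which UDP ports a UDP-mode traceroute will hit,
# emits the matching iptables REJECT rule, and splices it in just before a
# chain's catch-all rule in an iptables-save style ruleset.
#
# Assumption: each probe gets its own destination port, base + probe
# number (Linux traceroute's -p is "incremented by each probe"), so a trace
# of H hops with Q probes per hop uses H*Q consecutive ports. Function
# names and the sample ruleset below are made up for this example.

# Inclusive "first:last" port range for BASE HOPS QUERIES (clamped to 65535).
traceroute_port_range() {
    base=${1:-33434}; hops=${2:-30}; queries=${3:-3}
    last=$(( base + hops * queries - 1 ))
    if [ "$last" -gt 65535 ]; then last=65535; fi
    echo "${base}:${last}"
}

# How many full hops (at QUERIES probes per hop) an existing first:last
# range covers. Handy for sanity-checking a rule someone already added.
hops_covered() {
    first=${1%%:*}; last=${1##*:}; queries=${2:-3}
    echo $(( (last - first + 1) / queries ))
}

# The rule itself. icmp-port-unreachable is already iptables' default for
# REJECT; it is spelled out because that ICMP type is exactly what
# traceroute waits for to know it has reached the destination.
traceroute_reject_rule() {
    chain=${1:-RH-Firewall-1-INPUT}
    range=$(traceroute_port_range "${2:-33434}" "${3:-30}" "${4:-3}")
    echo "-A ${chain} -p udp -m udp --dport ${range} -j REJECT --reject-with icmp-port-unreachable"
}

# Read an iptables-save ruleset on stdin and print it with RULE inserted
# directly before the last rule of CHAIN (the catch-all), i.e. second to
# last. A probe that hits the catch-all first gets icmp-host-prohibited
# (or nothing at all), so the ordering is the whole point.
insert_before_catchall() {
    awk -v chain="$1" -v rule="$2" '
        { lines[NR] = $0; if ($1 == "-A" && $2 == chain) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print rule
                print lines[i]
            }
        }'
}

# Constructed sample, modelled on the Fedora Core RH-Firewall-1-INPUT chain.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Patch the sample for traceroute's defaults (30 hops, 3 probes per hop).
patch_sample_ruleset() {
    printf '%s\n' "$SAMPLE_RULESET" |
        insert_before_catchall RH-Firewall-1-INPUT \
            "$(traceroute_reject_rule RH-Firewall-1-INPUT 33434 30 3)"
}

patch_sample_ruleset
echo "# 33434:33534 covers $(hops_covered 33434:33534 3) hops at 3 probes/hop"
```

Feed real rules through insert_before_catchall with `iptables-save | ... | iptables-restore` rather than hand-editing; and if traceroute is run with -q to change the probe count, recompute the range with the same count.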