Fwd: [CentOS] HOW to enable traceroute with IPTABLES
Indunil Jayasooriya
indunil75 at gmail.com
Mon Feb 19 05:00:20 UTC 2007
On 2/17/07, Robert Spangler <lazydog at zoominternet.net> wrote:
>
> On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
>
> > > I am setting up a firewall on CENTOS 4.4.
> > >
> > >
> > > I have enabled ICMP to www.google.com
> > >
> > > iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
> > > iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
> >
> > traceroute uses UDP with port 33434 by default.
>
> While this is true for a starting point, this is not the whole story.
>
> Traceroute starts on this port but every time it sends out a packet the port
> number is increased automatically. Why? Simple, the TTL is exceeded so
> traceroute sends out on the next port in numerical order. Thus traceroute
> needs more than 33434 open; there should be a range of ports open. Traceroute
> does not always start on this port either, I have found out. Sometimes it
> starts on a high port but only by a few hops.
>
> > I wrote below 2 rules
> >
> > iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT
> > iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
>
> I have the following ( I do not restrict traceroute destination);
>
> -A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
>
> Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at
> the top of your INPUT chain.
I have included ESTABLISHED,RELATED at the top of your INPUT chain as below
#Allow established,related traffic to come back
#(for OUTPUT traffic to come back)
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
But without an INPUT statement it does not work. BUT for TCP OUTPUT traffic,
that will be applicable. But other than TCP (i.e. UDP and ICMP) I will
have to include an INPUT statement.
A few OUTPUT rules for which I need an INPUT statement are given below. (not TCP)
#UDP
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#ICMP (for ping www.google.com)
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
And this is for TCP (it does not need an INPUT statement; it works fine)
iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT
Pls explain why?
> Then I tried as below
>
> [snip]
>
> > But Still the same.
> >
> > WHY?
>
> I am placing my money on the port settings
>
> > IF my rules are wrong can you rectify it ?
>
> See above.
>
>
> --
>
> Regards
> Robert
>
> Smile... it increases your face value!
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
Thank you
Indunil Jayasooriya
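As an added example (not part of the thread above), a small POSIX sh lint for the situation described in it: it scans a constructed iptables-save dump for ESTABLISHED,RELATED rules that carry a `-p` restriction, since a tcp-only state rule lets SSH replies back in but never matches DNS replies, ping replies or the ICMP time-exceeded and port-unreachable errors that conntrack classifies as RELATED to a tracked UDP traceroute probe, and prints the protocol-agnostic form of each such rule. The sample dump and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: find state rules that are limited to one protocol.
# Constructed iptables-save dump, not taken from any real system; the
# first INPUT rule reproduces the tcp-only state rule from the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print every INPUT rule that matches on ESTABLISHED (state or conntrack
# syntax) but is also narrowed to a single protocol with -p.
find_narrow_state_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /(--state|--ctstate) [A-Z,]*ESTABLISHED/ && / -p (tcp|udp|icmp) / { print }
    '
}

# Drop the "-p <proto>" token from one rule so conntrack state is honoured
# for every protocol: UDP replies and related ICMP errors then match too.
widen_state_rule() {
    printf '%s\n' "$1" | sed -E 's/ -p (tcp|udp|icmp)//'
}

narrow=$(find_narrow_state_rules "$SAMPLE_RULES")
if [ -n "$narrow" ]; then
    echo "protocol-restricted state rules:"
    printf '%s\n' "$narrow"
    echo "protocol-agnostic replacement:"
    printf '%s\n' "$narrow" | while IFS= read -r rule; do
        widen_state_rule "$rule"
    done
fi
```

Run it against `iptables-save` output instead of the sample to check a live ruleset; the OUTPUT rules for DNS, ping and the traceroute port range are still needed, only the per-protocol INPUT rules become redundant.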