Fwd: Re: Fwd: [CentOS] HOW to enable traceroute with IPTABLES

Robert Spangler

lazydog at zoominternet.net
Sun Feb 18 01:46:25 UTC 2007


Neil,

Doesn't look like my original message made it to the mailing list, so here you
are.

----------  Forwarded Message  ----------

Subject: Re: Fwd: [CentOS] HOW to enable traceroute with IPTABLES
Date: Sat February 17 2007 10:07
From: Robert Spangler <lazydog at zoominternet.net>
To: CentOS mailing list <centos at centos.org>

On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
>  > I am setting up a firewall on CENTOS 4.4.
>  >
>  >
>  > I have enabled ICMP to www.google.com
>  >
>  > iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
>  > iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
>
>  traceroute uses by default UDP with port 33434.

While this is true for a starting point, this is not the whole story.

Traceroute starts on this port, but every time it sends out a packet the port
number is increased automatically.  Why?  Simple: the TTL is exceeded, so
traceroute sends out on the next port in numerical order.  Thus traceroute
needs more than 33434 open; there should be a range of ports open.  Traceroute
does not always start on this port either, I have found out.  Sometimes it
starts on a higher port, but only by a few hops.

>  I wrote below 2 rules
>
>  iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT
>  iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT

I have the following (I do not restrict traceroute destination):

-A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT

Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at
 the top of your INPUT chain.

>  Then I tried as below

[snip]

>  But Still the same.
>
>  WHY?

I'm placing my money on the port settings.

>  IF my rules are wrong can you rectify it ?

See above.


--

Regards
Robert

Smile... it increases your face value!

-------------------------------------------------------


-- 

Regards
Robert

Smile... it increases your face value!
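The port-stepping behaviour Robert describes above, as an added example (not code from the thread): a Python model of the UDP destination ports a default traceroute run would use, checked against an iptables --dport spec so you can see which hops a given OUTPUT rule lets through. The base port 33434, 30 hops, 3 probes per hop, one port increment per probe, and the eth0 interface name are assumed defaults.

```python
# Added example (not from the thread): model traceroute's UDP probe ports
# against an iptables --dport match. Assumes classic traceroute behaviour:
# the destination port starts at a base (33434 by default) and is increased
# by one for every probe sent; defaults of 30 hops and 3 probes/hop assumed.

BASE_PORT = 33434  # traceroute's default UDP port base


def probe_ports(max_hops=30, nqueries=3, base=BASE_PORT):
    """Return {hop: [dst ports]} for every probe a full trace would send."""
    return {hop: [base + (hop - 1) * nqueries + i for i in range(nqueries)]
            for hop in range(1, max_hops + 1)}


def parse_dport(spec):
    """Parse an iptables --dport argument such as '33434' or '33200:33500'."""
    lo_s, _, hi_s = spec.partition(":")
    lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad --dport spec: {spec!r}")
    return lo, hi


def blocked_hops(dport_spec, max_hops=30, nqueries=3, base=BASE_PORT):
    """Hops with at least one probe the OUTPUT rule would NOT match."""
    lo, hi = parse_dport(dport_spec)
    return [hop for hop, ports in probe_ports(max_hops, nqueries, base).items()
            if any(not lo <= p <= hi for p in ports)]


def required_range(max_hops=30, nqueries=3, base=BASE_PORT):
    """Smallest --dport range that admits every probe of a full trace."""
    return f"{base}:{base + max_hops * nqueries - 1}"


def rules_for(max_hops=30, nqueries=3, iface="eth0"):
    """Stateful rule pair: OUTPUT for the probes, INPUT for the replies.
    The INPUT rule relies on conntrack marking the ICMP time-exceeded and
    port-unreachable replies as RELATED to the outgoing UDP probe."""
    rng = required_range(max_hops, nqueries)
    return [
        f"-A OUTPUT -o {iface} -p udp --dport {rng} -m state --state NEW -j ACCEPT",
        f"-A INPUT -i {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    for spec in ("33434", "33200:33500", required_range()):
        print(f"--dport {spec:<12} blocks hops: {blocked_hops(spec) or 'none'}")
    print("\n".join(rules_for()))
```

With the assumed defaults, a single --dport 33434 matches only the first probe, so every hop loses probes, and a full 30-hop trace needs 33434:33523 on the OUTPUT side.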


