Alexander Dalloz wrote:
But looking at your iptables rules chain it is obvious that all ICMP traffic in the INPUT chain is allowed and in the OUTPUT chain by policy too.
Curious indeed.
But not once we remember to read the traceroute man page... (Doh!)
Here are the relevant snippets:
-I Use ICMP ECHO instead of UDP datagrams.
-p Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.
Adding the following as a second-to-last iptables entry will make a system more "traceroute-friendly" without giving away any potentially useful information to hostile network-probing types:
-A RH-Firewall-1-INPUT -m udp -p udp --dport 33434:33534 -j REJECT
That should be good for the system in question being up to the 100th traceroute hop. If you're tracing longer routes than that, adjust appropriately.
Happy tracing!
-Bevan Bennett
Cranky Sysadmin
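An added illustration of the advice in this thread (example code, not Bevan's or the list's own): a Python audit over a constructed `iptables-save` snippet that checks whether a UDP REJECT rule covers the man page's probe ports base .. base + nhops - 1, sits ahead of the chain's catch-all rule, and answers with ICMP port-unreachable (the REJECT target's default, which is what ends the trace). The chain name and sample rules are assumptions modelled on the RH-Firewall-1-INPUT rule quoted above.

```python
import re

# Constructed sample of `iptables-save` output (not from the thread): the Red Hat
# RH-Firewall-1-INPUT chain with the traceroute-friendly REJECT placed
# second-to-last, ahead of the chain's catch-all REJECT.
SAMPLE_RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 33434:33534 -j REJECT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

DPORT_RE = re.compile(r"--dport (\d+)(?::(\d+))?")
REJECT_WITH_RE = re.compile(r"--reject-with (\S+)")

def probe_ports(base=33434, max_hops=100):
    """UDP ports traceroute probes, per the man page: base .. base + nhops - 1."""
    return range(base, base + max_hops)

def check_chain(rules_text, chain="RH-Firewall-1-INPUT", base=33434, max_hops=100):
    """Audit one chain for the traceroute-friendly rule. Returns a dict:
    missing - probe ports no UDP REJECT covers; ordered - the UDP REJECT comes
    before the chain's catch-all REJECT/DROP; port_unreachable - each UDP REJECT
    answers with ICMP port-unreachable (REJECT's default), which traceroute waits for."""
    rules = [l for l in rules_text.splitlines() if l.startswith(f"-A {chain} ")]
    covered, first_udp_reject, port_unreachable = set(), None, True
    for idx, rule in enumerate(rules):
        m = DPORT_RE.search(rule)
        if "-p udp" not in rule or " -j REJECT" not in rule or not m:
            continue
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        covered.update(range(lo, hi + 1))
        if first_udp_reject is None:
            first_udp_reject = idx
        rw = REJECT_WITH_RE.search(rule)
        if rw and rw.group(1) != "icmp-port-unreachable":
            port_unreachable = False
    # A bare "-j REJECT" / "-j DROP" with no match clause is the catch-all.
    catchall = [i for i, r in enumerate(rules)
                if re.fullmatch(rf"-A {chain} -j (REJECT|DROP)( .*)?", r)]
    ordered = first_udp_reject is not None and (not catchall or first_udp_reject < catchall[0])
    missing = sorted(set(probe_ports(base, max_hops)) - covered)
    return {"missing": missing, "ordered": ordered, "port_unreachable": port_unreachable}
```

Run it against your own `iptables-save` output to confirm the rule covers the hop count you care about and still precedes the final REJECT.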