Re: traceroute

[Antony Stone <Antony@Soft-Solutions.co.uk>]

On Wednesday 30 June 2004 4:10 pm, Piszcz, Justin Michael wrote:

> ICMP is "allowed" when you -I INPUT ESTABLISHED,RELATED.
>
> You do not have to allow it explicitly (ie: allow icmp so other machines
> can ping your machine).

Please look at the rules which are being used:

$IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

They are explicitly accepting TCP and UDP only.   ICMP will not be matched by 
the above rules.

Regards,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
> Sent: Wednesday, June 30, 2004 10:58 AM
> To: netfilter
> Subject: Re: traceroute
>
> On Wednesday 30 June 2004 3:34 pm, Piszcz, Justin Michael wrote:
> > -----Original Message-----
> > From: Peter Marshall [mailto:peter.marshall@caris.com]
> > Sent: Wednesday, June 30, 2004 10:25 AM
> > To: Piszcz, Justin Michael; netfilter
> > Subject: Re: traceroute
> >
> > I don't get anything (except the name lookup) from traceroute.
> >
> > Below are the relavant rules .... tracert is the ip of the box I am
> > trying to traceroute form.
> > The Ip of that box is an internet routable ip addess.
> >
> > $IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > $IPT -A FORWARD -s <tracert box> -o eth1 -j rh-net
> > $IPT -A FORWARD -d <tracert box -i eth1 -j net-rh
> >
> > $IPT -A rh-net -s <tracert box> -j ACCEPT
> > $IPT -A net-rh -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You should allow ICMP packets through your system.
>
> You should certainly allow ICMP through if you want traceroute to work,
> and
> you should generally allow ICMP if you want many other things to work.
> If
> you want to block certain types of ICMP, that's fine (many people do),
> but
> don't block all ICMP.
>
> Traceroute works by sending either ICMP "ping" (echo request) packets,
> or UDP
> packets to high port numbers (which are assumed not to be listening),
> depending on the Operating System of the client doing the traceroute.
> In
> both cases the important response is an ICMP TTL exceeded packet, which
> contains the IP address of the router where TTL became == 0.
>
> Remember that firewalling can be a dangerous topic - if you block things
> you
> don't understand, and therefore don't know that you should allow, some
> things
> will break.
>
> Regards,
>
> Antony.

-- 
This is not a rehearsal.
This is Real Life.

                                                     Please reply to the list;
                                                           please don't CC me.