UDP and ICMP traceroute

UDP and ICMP traceroute

[Sapient2003]

I am trying to have iptables pick out traceroute packets. Windows uses 
ICMP for it's traceroute, so I use this:

iptables -t filter -A INPUT -p icmp -s 0/0 -d 10.0.0.1 --icmp-type 
time-exceeded -j QUEUE

Linux, however, uses both ICMP and UDP... How can I tell iptables to 
look for UDP traceroute packets?

Re: UDP and ICMP traceroute

[Athan]

[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]

On Wed, Mar 12, 2003 at 05:48:52PM -0500, Sapient2003 wrote:
> I am trying to have iptables pick out traceroute packets. Windows uses 
> ICMP for it's traceroute, so I use this:
> 
> iptables -t filter -A INPUT -p icmp -s 0/0 -d 10.0.0.1 --icmp-type 
> time-exceeded -j QUEUE
> 
> Linux, however, uses both ICMP and UDP... How can I tell iptables to 
> look for UDP traceroute packets?

  You can't, without hacking the traceroute client to only use a very
specific range of ports.  We did this at one place I used to work when
we had a non-stateful firewall.

  I guess the other possibility is to hack the traceroute client to put
an actual, unique (enough), payload in the outgoing UDP packet, and then
have an ipt kernel module looking for that.

  If you must tie down outgoing UDP such that you can't just use the
statefulness of iptables/netfilter then I'd suggest trying to find a
linux traceroute that does things the same way as the Windows one.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]