Ina Patricia Lopez wrote:
> How do I allow traceroute packets on my Linux server with ipchains?
You can try this for testing:

    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    #INCOMING TRACEROUTE
    ipchains -A input -p udp \
        -s 0/0 $TRACEROUTE_SRC_PORTS \
        -d $YOUR_IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

    #OUTGOING TRACEROUTE
    ipchains -A output -p udp \
        -s $YOUR_IPADDR $TRACEROUTE_SRC_PORTS \
        -d 0/0 $TRACEROUTE_DEST_PORTS -j ACCEPT -l

If this doesn't work, try fiddling with the port numbers. 0/0 means anywhere; the long version is 0.0.0.0/0. The -l option at the end logs the packet.

But a more secure way is to limit incoming traceroute to your ISP or NOC block address and then deny traceroute from anywhere else. This is what I've gathered from the _Securing and Optimizing Linux_ book. See http://www.linuxdoc.org. I haven't gotten around to testing this particular rule myself, really, since I haven't used it yet. (Oops, a potential hole? Paranoid speaking.) But the set of rules of which this is a part, and which I tested, does work for our web server. You may have to tweak it yourself.

    #INCOMING TRACEROUTE
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $YOUR_ISP $TRACEROUTE_SRC_PORTS \
        -d $YOUR_IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s 0/0 $TRACEROUTE_SRC_PORTS \
        -d $YOUR_IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

    #OUTGOING TRACEROUTE
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $YOUR_IPADDR $TRACEROUTE_SRC_PORTS \
        -d 0/0 $TRACEROUTE_DEST_PORTS -j DENY -l

EXTERNAL_INTERFACE may be eth0, eth1 or what have you, if you want to be more specific with your rules and you have more than one network card.

You must also allow most ICMP packets, especially those that tell of dest_unreachable and time_exceeded, for both input and output chains. Judging from the rules in the book it looks like traceroute works with ICMP. Correct me if I'm wrong, anyone.

Hope this helps.

--
Benjamin Oris Jr.
ImagineAsia Animation Studio
http://www.imagineasia.com

_
Philippine Linux Users Group.
Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
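As an added example (not code from the original post, nor from the book it cites), here is the restricted rule set from the reply above written as a small script, together with the ICMP rules the reply says traceroute also depends on. The interface name, the addresses (RFC 5737 documentation ranges), and the IPCHAINS dry-run hook are assumptions chosen for illustration; the port ranges are the ones given in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the book it cites.
# Emits (or applies) an ipchains rule set for traceroute: outbound probes
# allowed, inbound probes accepted only from an ISP/NOC block and logged,
# everything else denied and logged, plus the ICMP replies traceroute needs.
# Interface, addresses and the IPCHAINS variable are assumptions.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
YOUR_IPADDR="${YOUR_IPADDR:-192.0.2.10}"
YOUR_ISP="${YOUR_ISP:-198.51.100.0/24}"      # ISP/NOC block allowed to trace you
TRACEROUTE_SRC_PORTS="32769:65535"           # UDP source range from the post
TRACEROUTE_DEST_PORTS="33434:33523"          # 33434 + 30 hops * 3 probes
ANYWHERE="0/0"

# Rule sink: the real binary by default; set IPCHAINS=show_rule to dry-run.
IPCHAINS="${IPCHAINS:-ipchains}"
show_rule() { printf 'ipchains %s\n' "$*"; }
ipc() { "$IPCHAINS" "$@"; }

# UDP probe rules. Order matters: ipchains walks a chain top to bottom and
# stops at the first match, so the ISP ACCEPT must be appended before the
# catch-all DENY.
traceroute_rules() {
    # Outgoing probes from this host
    ipc -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$YOUR_IPADDR" "$TRACEROUTE_SRC_PORTS" \
        -d "$ANYWHERE" "$TRACEROUTE_DEST_PORTS" -j ACCEPT
    # Incoming probes from the ISP/NOC block only, logged
    ipc -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$YOUR_ISP" "$TRACEROUTE_SRC_PORTS" \
        -d "$YOUR_IPADDR" "$TRACEROUTE_DEST_PORTS" -j ACCEPT -l
    # Everyone else: deny and log
    ipc -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$ANYWHERE" "$TRACEROUTE_SRC_PORTS" \
        -d "$YOUR_IPADDR" "$TRACEROUTE_DEST_PORTS" -j DENY -l
}

# ICMP that traceroute depends on. With ipchains the ICMP type is given in
# the source-port position: 11 = time-exceeded (each intermediate hop),
# 3 = destination-unreachable (the final host answering the UDP probe).
icmp_rules() {
    for icmp_type in 11 3; do
        # replies coming back to our own outgoing traceroute
        ipc -A input -i "$EXTERNAL_INTERFACE" -p icmp \
            -s "$ANYWHERE" "$icmp_type" -d "$YOUR_IPADDR" -j ACCEPT
        # our replies to someone tracing toward us
        ipc -A output -i "$EXTERNAL_INTERFACE" -p icmp \
            -s "$YOUR_IPADDR" "$icmp_type" -d "$ANYWHERE" -j ACCEPT
    done
}

# Usage:  sh traceroute-rules.sh show    (print the rules, no root needed)
#         sh traceroute-rules.sh apply   (run ipchains, as root)
case "${1:-}" in
    show)  IPCHAINS=show_rule; traceroute_rules; icmp_rules ;;
    apply) traceroute_rules; icmp_rules ;;
esac
```

Run it with `show` first and compare the printed rules against `ipchains -L -n` after applying. Two caveats: the catch-all DENY carries -l, so every stray probe from the Internet lands in syslog, which is useful while testing but can fill the log on a busy host; and because ipchains has no connection tracking, the ICMP input rules have to stay open to any source for your own traceroutes to get their replies back.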
