Re: UDP and ICMP traceroute

On Wed, Mar 12, 2003 at 05:48:52PM -0500, Sapient2003 wrote:
> I am trying to have iptables pick out traceroute packets. Windows uses 
> ICMP for it's traceroute, so I use this:
> 
> iptables -t filter -A INPUT -p icmp -s 0/0 -d 10.0.0.1 --icmp-type 
> time-exceeded -j QUEUE
> 
> Linux, however, uses both ICMP and UDP... How can I tell iptables to 
> look for UDP traceroute packets?

  You can't, without hacking the traceroute client to only use a very
specific range of ports.  We did this at one place I used to work when
we had a non-stateful firewall.

  I guess the other possibility is to hack the traceroute client to put
an actual, unique (enough), payload in the outgoing UDP packet, and then
have an ipt kernel module looking for that.

  If you must tie down outgoing UDP such that you can't just use the
statefulness of iptables/netfilter then I'd suggest trying to find a
linux traceroute that does things the same way as the Windows one.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
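The two approaches sketched in the reply, written out as iptables rules. This is an added example, not code from the thread or from the netfilter project. It assumes the classic traceroute defaults (UDP destination ports starting at 33434 and incremented once per probe, so 30 hops times 3 probes ends at 33523; a client "hacked" to a fixed range would need the variable changed to match), the firewall address 10.0.0.1 and the QUEUE target from the original rule. By default the script only prints the commands; setting IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumed defaults: traceroute UDP probe ports 33434:33523, firewall 10.0.0.1.
FW_ADDR="${FW_ADDR:-10.0.0.1}"
PROBE_PORTS="${PROBE_PORTS:-33434:33523}"
# Print the commands unless the caller sets IPT=iptables (needs root).
IPT="${IPT:-echo iptables}"

# Approach 1: the traceroute client is pinned to a known UDP port range,
# so the probes can be matched on destination port without any state.
pinned_range_rules() {
    # UDP probes sent by the firewall host itself
    $IPT -t filter -A OUTPUT -p udp -s "$FW_ADDR" --dport "$PROBE_PORTS" -j QUEUE
    # UDP probes transiting the box from hosts behind it
    $IPT -t filter -A FORWARD -p udp --dport "$PROBE_PORTS" -j QUEUE
    # The ICMP replies from each hop, as in the rule quoted in the thread
    $IPT -t filter -A INPUT -p icmp -d "$FW_ADDR" --icmp-type time-exceeded -j QUEUE
}

# Approach 2: rely on connection tracking instead of a fixed port range.
# The outgoing UDP probe creates a conntrack entry; the ICMP time-exceeded
# (or port-unreachable) error that quotes it comes back as RELATED.
stateful_rules() {
    $IPT -t filter -A OUTPUT -p udp -s "$FW_ADDR" -m state --state NEW -j ACCEPT
    $IPT -t filter -A INPUT -p icmp -d "$FW_ADDR" -m state --state RELATED -j ACCEPT
}

# Running the script stand-alone prints both rule sets for review.
pinned_range_rules
stateful_rules
```

The stateful variant does not need to know the probe ports at all, which is exactly why the reply prefers it when the firewall can keep state; the pinned-range variant is the fallback for a non-stateful box, and breaks as soon as a client uses a different base port.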
