I don't get anything (except the name lookup) from traceroute. When I run a packet sniffer, I see the following (when doing a traceroute on www.google.com):

source   destination     Proto
me       216.239.41.99   UDP   source port 1059, destination port 33435
3com     3com            ARP   who has <gateway ip>? tell <my ip>
3com     3com            ARP   <gateway ip> is at <mac address>
me       216.239.41.99   UDP   source port 1059, destination port 33437
......

traceroute to www.google.akadns.net (216.239.39.147), 30 hops max, 38 byte packets
 1  * * *
 2  * * *

Below are the relevant rules. <tracert box> is the IP of the box I am trying to traceroute from. The IP of that box is an internet-routable IP address.

$IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s <tracert box> -o eth1 -j rh-net
$IPT -A FORWARD -d <tracert box> -i eth1 -j net-rh
$IPT -A rh-net -s <tracert box> -j ACCEPT
$IPT -A net-rh -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

Thank you again,
Peter.

----- Original Message -----
From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, June 30, 2004 10:47 AM
Subject: RE: traceroute

Can you show me your firewall? Can you paste the blocks you are seeing? It does not get past the 1st hop, or? Post an example traceroute?

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Wednesday, June 30, 2004 9:29 AM
To: netfilter
Subject: Re: traceroute

On Wednesday 30 June 2004 2:05 pm, Peter Marshall wrote:

> Hi. I was wondering what I would need for rules to have traceroute work
> through my firewall. (I have a box behind the firewall trying to get out
> using traceroute).
>
> I have an allow established connections on my forwarded chain, and I am
> allowing anything from the source IP of the box in question to leave ... It
> appears that the problem is on the packets coming back in .. but I am not
> sure what I have to do to fix it ....

Allow RELATED packets as well as ESTABLISHED.

Regards,

Antony.

--
"It is easy to be blinded to the essential uselessness of them by the sense of achievement you get from getting them to work at all. In other words - and this is the rock solid principle on which the whole of the Corporation's Galaxy-wide success is founded - their fundamental design flaws are completely hidden by their superficial design flaws."

 - Douglas Noel Adams

Please reply to the list; please don't CC me.
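Editor's note on the rules quoted in this thread: Linux traceroute sends UDP probes to destination ports 33434 and up with a rising TTL (the sniffer output above shows exactly those probes), and the answers it waits for are ICMP time-exceeded errors from each hop and an ICMP port-unreachable from the final host. Conntrack associates those ICMP errors with the outgoing UDP probe and classifies them as RELATED, so Antony's advice is right, but a rule of the form "-p UDP -m state --state ESTABLISHED,RELATED" only matches UDP packets and never sees the ICMP replies. The script below is an added example, not code from the list post or the netfilter project. It reuses the post's chain names (rh-net, net-rh), the interface eth1 and the $IPT variable; the address 192.0.2.10 is a constructed placeholder for <tracert box>. It prints the rules rather than applying them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the list post). Generates iptables rules that let one
# host behind a Linux firewall run traceroute outward, and checks that the
# ruleset accepts the ICMP errors traceroute depends on.
#
# Assumptions (placeholders, set them for your network):
IPT=${IPT:-iptables}
TRACERT_BOX=${TRACERT_BOX:-192.0.2.10}   # constructed placeholder for <tracert box>
WAN_IF=${WAN_IF:-eth1}                   # interface name taken from the post

# Emit the ruleset as text. Apply with:  sh this_script.sh | sh
# (the "-N" lines are harmless if the chains already exist).
traceroute_rules() {
    cat <<EOF
$IPT -N rh-net
$IPT -N net-rh
# Generic return-traffic rules, as in the post.
$IPT -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Per-host chains: outbound traffic from the box, inbound traffic to it.
$IPT -A FORWARD -s $TRACERT_BOX -o $WAN_IF -j rh-net
$IPT -A FORWARD -d $TRACERT_BOX -i $WAN_IF -j net-rh
# Outbound: the UDP probes (and anything else the box sends), as in the post.
$IPT -A rh-net -s $TRACERT_BOX -j ACCEPT
# Inbound: the posted rule, which only ever matches UDP and therefore lets a
# real UDP answer (ESTABLISHED) through but never the ICMP errors.
$IPT -A net-rh -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Added: ICMP errors that conntrack ties to the outgoing probe (state RELATED).
# time-exceeded comes from every intermediate hop, port-unreachable from the
# destination when the probe finally arrives.
$IPT -A net-rh -p icmp --icmp-type time-exceeded    -m state --state RELATED -j ACCEPT
$IPT -A net-rh -p icmp --icmp-type port-unreachable -m state --state RELATED -j ACCEPT
# Anything else addressed to the box is dropped.
$IPT -A net-rh -j DROP
EOF
}

# Count the rules that accept ICMP in state RELATED. A ruleset with zero such
# rules (like the one in the post) shows "* * *" for every hop.
icmp_related_rules() {
    traceroute_rules | grep -c -- '-p icmp.*--state RELATED'
}

# Stand-alone run: print the rules, then the check result.
traceroute_rules
echo "# rules accepting RELATED ICMP: $(icmp_related_rules)"
```

After applying the rules, a quick way to confirm the return path is open is to run the traceroute from the inside host and watch the packet counters of the ICMP rules grow with "iptables -L net-rh -v -n" on the firewall; if the UDP rule's counter moves but the ICMP counters stay at zero, the errors are still being dropped somewhere earlier in FORWARD.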