Re: traceroute

On Wednesday 30 June 2004 3:34 pm, Piszcz, Justin Michael wrote:

> -----Original Message-----
> From: Peter Marshall [mailto:peter.marshall@xxxxxxxxx]
> Sent: Wednesday, June 30, 2004 10:25 AM
> To: Piszcz, Justin Michael; netfilter
> Subject: Re: traceroute
>
> I don't get anything (except the name lookup) from traceroute.
>
> Below are the relevant rules .... tracert is the IP of the box I am
> trying to traceroute from.
> The IP of that box is an internet routable IP address.
>
> $IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPT -A FORWARD -s <tracert box> -o eth1 -j rh-net
> $IPT -A FORWARD -d <tracert box> -i eth1 -j net-rh
>
> $IPT -A rh-net -s <tracert box> -j ACCEPT
> $IPT -A net-rh -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

You should allow ICMP packets through your system.

You should certainly allow ICMP through if you want traceroute to work, and 
you should generally allow ICMP if you want many other things to work.   If 
you want to block certain types of ICMP, that's fine (many people do), but 
don't block all ICMP.

Traceroute works by sending either ICMP "ping" (echo request) packets, or UDP 
packets to high port numbers (which are assumed not to be listening), 
depending on the Operating System of the client doing the traceroute.   In 
both cases the important response is an ICMP TTL exceeded packet, which 
contains the IP address of the router where TTL became == 0.

Remember that firewalling can be a dangerous topic - if you block things you 
don't understand, and therefore don't know that you should allow, some things 
will break.

Regards,

Antony.

-- 
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics

                                                     Please reply to the list;
                                                           please don't CC me.
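Added example, not part of Antony's reply or of the original poster's ruleset: a small sh script that emits the FORWARD-chain rules for the setup quoted above (an rh-net chain for traffic leaving via eth1, a net-rh chain for what comes back). It keeps the chain names and the `-m state` match from the quoted rules; the address 203.0.113.10 for the tracert box and the probe port range 33434:33534 are assumptions. The detail it makes visible: the quoted net-rh chain only accepts RELATED,ESTABLISHED packets with `-p UDP`, but the ICMP time-exceeded and destination-unreachable replies that traceroute depends on are ICMP packets, so that rule never matches them even though conntrack does mark them RELATED to the UDP or echo-request probe.

```shell
#!/bin/sh
# Added example (not from the original thread). IPT defaults to
# "echo iptables" so running this prints the rules it would load;
# run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo iptables}"
TRACERT_BOX="${TRACERT_BOX:-203.0.113.10}"   # constructed placeholder address

# Reply direction (net -> tracert box). The ICMP errors traceroute waits
# for are RELATED to the probe in conntrack, but a "-p UDP" rule cannot
# match them because the error packet itself is ICMP, so each gets an
# ICMP rule of its own. Echo replies to an ICMP traceroute are ESTABLISHED.
traceroute_reply_rules() {
    chain="$1"
    $IPT -A "$chain" -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
    $IPT -A "$chain" -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
    $IPT -A "$chain" -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
    $IPT -A "$chain" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Probe direction (tracert box -> net): UDP probes to the classic traceroute
# port range (33434 upward; 101 ports assumed here, enough for 30 hops x 3
# probes) and ICMP echo requests for the ping-style traceroute variant.
traceroute_probe_rules() {
    chain="$1"
    src="$2"
    $IPT -A "$chain" -s "$src" -p udp --dport 33434:33534 -j ACCEPT
    $IPT -A "$chain" -s "$src" -p icmp --icmp-type echo-request -j ACCEPT
}

# Dry run by default: prints the rule set for both chains from the thread.
traceroute_probe_rules rh-net "$TRACERT_BOX"
traceroute_reply_rules net-rh
```

The rules go in the net-rh and rh-net chains before any DROP/REJECT; ordering relative to the quoted `-s <tracert box> -j ACCEPT` in rh-net does not matter since that rule already accepts everything from the box. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, with the same meaning.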
