On Fri, May 20, 2005 at 02:44:14AM -0500, Taylor, Grant wrote:
> I just figured it out and have tested it. I *think* the reason that my
> first script did not work for the first router is b/c the raw routing code
> will send the ICMP TTL time exceeded message before any of the chains in
> the filter table have a chance to process the packet. Hence my using the
> nat:PREROUTING chain. I have also made the filtering process easier too as
> you do not have to filter in the filter:INPUT and filter:FORWARD chains,
> just the nat:PREROUTING now.
>
> iptables -t nat -A PREROUTING -i $LAN -p udp -m recent --name Drop_Traceroute --update --seconds 200 --rdest -j DROP
> iptables -t nat -A PREROUTING -i $LAN -p udp -m recent --name Drop_Traceroute --set --rdest -m ttl --ttl-eq 1 -j DROP
> iptables -t nat -A PREROUTING -i $LAN -p icmp -m recent --name Drop_Traceroute --update --seconds 200 --rdest -j DROP
> iptables -t nat -A PREROUTING -i $LAN -p icmp -m recent --name Drop_Traceroute --set --rdest -m ttl --ttl-eq 1 -j DROP
>
> This will prevent any traceroutes via the methods mentioned before from any
> computer coming in on interface $LAN.

Please do this in -t mangle PREROUTING and not -t nat. Filtering in -t nat is poor form, and I know lots of people are probably emulating your scripts.

-j

--
"Kevin: Dad, the fish got away.
Joe Swanson: The hell it did. You get in there and you kick that fish's ass."
--Family Guy
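The quoted rule set moved to the mangle table, as the reply asks, written up as an added example that is not part of the original thread. The reason the table matters: the nat table is traversed only by the first packet of each connection as seen by conntrack, so a DROP placed there never sees later packets of the same flow, while mangle PREROUTING sees every packet and still runs before the forwarding code that emits ICMP time exceeded for a TTL-1 packet (that check happens after PREROUTING and before FORWARD, which is why the quoted author could not catch it in filter:FORWARD). Two caveats a practitioner would want: the list is keyed by destination (--rdest), so the --update rule also drops legitimate UDP/ICMP from the LAN to that host for the hold-down window, and the rules match only UDP and ICMP, so a TCP-based traceroute (tcptraceroute) is not covered. The interface name eth1, the user-chain name drop_traceroute and the APPLY switch are assumptions for illustration; the recent-list name Drop_Traceroute and the 200 second window are taken from the quoted rules.

```shell
#!/bin/sh
# Added example, not from the original thread: the quoted traceroute-blocking
# rules rebuilt in the mangle table, as the reply asks, inside a dedicated
# user chain. Names below are assumptions for illustration: LAN=eth1,
# chain "drop_traceroute". The recent list "Drop_Traceroute" and the 200 s
# window are kept from the quoted rules.
# Without APPLY=1 the script only prints the iptables commands it would run,
# so it can be reviewed (and tested) without root.
set -eu

LAN="${LAN:-eth1}"                      # assumed LAN-side interface
TABLE="${TABLE:-mangle}"                # mangle, per the reply; never nat
CHAIN="${CHAIN:-drop_traceroute}"       # assumed name for our own chain
BLOCK_SECONDS="${BLOCK_SECONDS:-200}"   # hold-down window from the quoted rules
LIST="Drop_Traceroute"                  # xt_recent list name from the quoted rules

# Run iptables for real only when APPLY=1; otherwise print the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# (Re)install the rule set. Idempotent: the chain is created if missing,
# flushed, refilled, and hooked into PREROUTING exactly once.
install_rules() {
    ipt -t "$TABLE" -N "$CHAIN" 2>/dev/null || true
    ipt -t "$TABLE" -F "$CHAIN"

    for proto in udp icmp; do
        # Rule 1: any further $proto packet to a destination already in the
        # list is dropped and the timer refreshed (--update). Because the
        # list is keyed by destination (--rdest), this also blocks legitimate
        # $proto traffic to that host for BLOCK_SECONDS.
        ipt -t "$TABLE" -A "$CHAIN" -i "$LAN" -p "$proto" \
            -m recent --name "$LIST" --rdest --update --seconds "$BLOCK_SECONDS" -j DROP
        # Rule 2: the first probe arrives with TTL 1 (it would expire on this
        # router); record its destination (--set) and drop it.
        ipt -t "$TABLE" -A "$CHAIN" -i "$LAN" -p "$proto" \
            -m ttl --ttl-eq 1 -m recent --name "$LIST" --rdest --set -j DROP
    done

    # Hook the chain in once: remove any stale jump, then add it.
    ipt -t "$TABLE" -D PREROUTING -j "$CHAIN" 2>/dev/null || true
    ipt -t "$TABLE" -A PREROUTING -j "$CHAIN"
}

install_rules
```

Run it plain to print the eight iptables commands for review; run `APPLY=1 sh block-traceroute.sh` as root to load them. Putting the rules in their own chain means a reload flushes only these rules and leaves whatever else lives in mangle PREROUTING untouched.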