
Re: Traceroute not working through gshield NAT



On Thu May 01, 2003 at 05:23:07PM -0700, nate wrote:
> Bill Moseley said:
> 
> > $ traceroute debian.org
> > traceroute to debian.org (192.25.206.10), 30 hops max, 38 byte packets
> >  1  * * *
> 
> try
> 
> traceroute -n www.debian.org
> traceroute -I www.debian.org

No, it's not that.  The traceroute just isn't getting through my gshield firewall, and I'm 
wondering how to config gshield to allow traceroute.

I can run traceroute from the Firewall/NAT machine just fine, just not from within the 
NAT'ed LAN.

If I run 

  # /etc/init.d/gshield stop
  # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $external_ip

then I can run traceroutes from inside the NAT'ed network.  So gshield is blocking.

Ping, on the other hand, does work from inside the net.

And setting in gshield:

DEFAULT_LOGGING="YES"

does not log the blocked traceroute.

So, in summary, with gshield running:

From the Firewall/NAT machine I can ping and traceroute to both internal and external hosts.

From the internal machines I can ping everywhere.  I can only traceroute as far as the 
Firewall/NAT machine.



Thanks,

-- 
Bill Moseley
moseley@hank.org
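The rules a NAT firewall has to end up with for traceroute from the LAN to work, as an added example that is not part of the original post and not gshield's own configuration. Assumptions: eth0 is the external interface (as in the SNAT line above), eth1 is the LAN interface (hypothetical), classic UDP traceroute probes ports 33434 through 33534, and the firewall's FORWARD chain is where gshield's drop rules live. The script only prints the rules by default; `apply` and `log` run them and must be executed as root on the firewall itself.

```shell
#!/bin/sh
# Added example, not from gshield or the original post.
# Assumed interfaces: eth0 external (from the SNAT line), eth1 LAN (hypothetical).
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
TR_PORTS="33434:33534"   # assumed classic traceroute UDP probe range

# Why ping passes but traceroute stops at hop 1: ping's echo-reply is paired
# with its echo-request by conntrack, so a NAT firewall forwards it back.
# traceroute sends UDP probes with TTL 1,2,3,...; each hop answers with an
# ICMP time-exceeded error and the destination with ICMP port-unreachable.
# If the FORWARD chain lets the UDP probe out but not the ICMP error back in
# (or never lets the probe out at all), the LAN host sees "* * *" after the
# firewall, which is exactly the symptom above.
traceroute_rules() {
    # Outbound UDP probes from the LAN.
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p udp --dport $TR_PORTS -m state --state NEW -j ACCEPT"
    # traceroute -I sends ICMP echo-request probes instead of UDP.
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT"
    # Replies: conntrack marks the ICMP errors RELATED to the UDP probe and the
    # nat table maps them back to the LAN host; this rule lets them through.
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Diagnostic rules for when the firewall's own logging stays silent: log the
# probes and the returning ICMP errors at the top of FORWARD, before any drop.
traceroute_log_rules() {
    echo "iptables -I FORWARD 1 -p udp --dport $TR_PORTS -j LOG --log-prefix 'tr-probe: '"
    echo "iptables -I FORWARD 1 -p icmp --icmp-type time-exceeded -j LOG --log-prefix 'tr-ttl: '"
    echo "iptables -I FORWARD 1 -p icmp --icmp-type port-unreachable -j LOG --log-prefix 'tr-unreach: '"
}

# Number of iptables commands a rule function prints (sanity check).
rule_count() {
    "$1" | grep -c '^iptables '
}

case "${1:-print}" in
    print) traceroute_rules; traceroute_log_rules ;;
    apply) traceroute_rules | sh -e ;;        # root on the firewall
    log)   traceroute_log_rules | sh -e ;;    # root on the firewall
esac
```

After `sh traceroute-nat.sh apply` on the firewall, run `traceroute -n debian.org` from a LAN host and watch `iptables -L FORWARD -v -n` there: the UDP rule's packet counter should climb with each probe and the ESTABLISHED,RELATED rule's with each ICMP error that comes back. If the counters stay at zero, an earlier gshield rule is dropping the traffic before these rules are reached, and the `log` rules will show which direction is being lost in the kernel log.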


