
Allowing outgoing traceroutes through NAT



[I posted a similar question on debian-user]

I'm using the Debian package gshield to build my iptables firewall/NAT.

With the firewall running I cannot run traceroutes through the NAT machine to external
machines.  But, I am able to ping from the inside machine to external machines.

I can run traceroutes from the NAT/Firewall machine anyplace.

If I run

  # /etc/init.d/gshield stop
  # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $external_ip

then I'm able to run the traceroutes from the inside machines through the NAT machine to 
external IPs.  So it seems that gshield is blocking.

I've enabled logging in the gShield.conf file, but I do not see the dropped traceroute 
logged.

Anyone familiar with gshield that might know what I need to configure?  Otherwise, what I 
might need to do to allow traceroutes through?

Thanks,

-- 
Bill Moseley
moseley@hank.org


