Re: Allowing outgoing traceroutes through NAT
Quoting Bill Moseley <moseley@hank.org>:
> [I posted a similar question on debian-user]
>
> I'm using the Debian package gshield to build my iptables firewall/NAT.
>
> With the firewall running I cannot run traceroutes through the NAT machine to
> external machines. But, I am able to ping from the inside machine to external
> machines.
>
> I can run traceroutes from the NAT/Firewall machine anyplace.
>
> If I run
>
> # /etc/init.d/gshield stop
> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $external_ip
>
> then I'm able to run the traceroutes from the inside machines through the NAT
> machine to external IPs. So it seems that gshield is blocking.
>
> I've enabled logging in the gShield.conf file, but I do not see the dropped
> traceroute logged.
>
> Anyone familiar with gshield that might know what I need to configure?
> Otherwise, what I might need to do to allow traceroutes through?
Hi,
Blocking traceroute
Traceroute typically uses udp ports 33435 to 33524 for the first 30 hops (for
additional hops beyond that add 3 ports per hop). You need to allow these
through firewalls or packet filters. Do not allow any vulnerable servers to use
this port range inside your net.
(Taken from http://www.freelabs.com/~whitis/isp_mistakes.html)
hth,
Cheers,
Mike
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
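As an added example, not code from the thread, from gShield or from the freelabs page: the script below works out the UDP destination port range that the reply quotes (33435 to 33524 for 30 hops of 3 probes, one port per probe) and prints the iptables rules a NAT box needs so that those probes get out and, just as important, the ICMP "time exceeded" and "port unreachable" answers get back to the inside host. The interface names (eth1 inside, eth0 outside) and the external address 203.0.113.1 are hypothetical; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not code from the original thread or from gShield: work out
# the UDP destination ports traceroute probes use and print the iptables rules
# a NAT box needs so those probes go out and the ICMP replies come back.
# Hypothetical interfaces/addresses: LAN on eth1, Internet on eth0, external
# address 203.0.113.1 (a documentation address, chosen for this example).

# Print "FIRST LAST": the UDP destination ports used by HOPS hops of PROBES
# probes each. Classic traceroute sends its first probe to port 33435 and adds
# one per probe, so 30 hops x 3 probes covers 33435..33524, the range quoted
# in the reply. Some implementations start one port lower (33434); pass that
# as the optional third argument if yours does.
traceroute_port_range() {
    first=${3:-33435}
    last=$(( first + $1 * $2 - 1 ))
    echo "$first $last"
}

# Print (do not apply) the rules. Arguments: LAN_IF WAN_IF EXT_IP [HOPS] [PROBES].
# The forward rules rely on connection tracking: the ICMP "time exceeded" and
# "port unreachable" replies carry the original UDP header inside them, so
# conntrack marks them RELATED to the outgoing probe and the nat table undoes
# the SNAT on the embedded header as well. Without the RELATED rule the probes
# leave but the answers never reach the inside host, which matches the symptom
# in the thread. The LOG rule before the final DROP makes such drops visible.
# Only NEW outbound traffic is opened, so nothing inside becomes reachable on
# these ports from the Internet.
traceroute_rules() {
    lan_if=$1; wan_if=$2; ext_ip=$3
    range=$(traceroute_port_range "${4:-30}" "${5:-3}")
    first=${range% *}; last=${range#* }
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan_if -j SNAT --to-source $ext_ip
iptables -A FORWARD -i $lan_if -o $wan_if -p udp --dport $first:$last -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD drop: "
iptables -A FORWARD -j DROP
EOF
}

# Usage: print the rule set for the hypothetical layout above.
traceroute_rules eth1 eth0 203.0.113.1
```

Review the printed rules before pasting them into a firewall script. The port range only covers the default 30 hops and 3 probes; pass larger values (for traceroute -m or -q) as the fourth and fifth arguments so the range grows with them, since a probe sent to a port outside the range is silently dropped by the FORWARD chain and shows up only in the LOG line. The echo-request rule is what keeps ping (and ICMP-based traceroute) working alongside the UDP probes.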