[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Allowing outgoing traceroutes through NAT

Quoting Bill Moseley <moseley@hank.org>:

> [I posted a similar question on debian-user]
> I'm using the Debian package gshield to build my iptables firewall/NAT.
> With the firewall running I cannot run traceroutes through the NAT machine to
> external
> machines.  But, I am able to ping from the inside machine to external
> machines.
> I can run traceroutes form the NAT/Firewall machine anyplace.
> If I run
>   # /etc/init.d/gshield stop
>   # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $external_ip
> then I'm able to run the traceroutes from the inside machines through the NAT
> machine to 
> external IPs.  So it seems that gshield is blocking.
> I've enabled logging in the gShield.conf file, but I do not see the dropped
> traceroute 
> logged.
> Anyone familiar with gshield that might know what I need to configure? 
> Otherwise, what I 
> might need to do to allow traceroutes through?


Blocking traceroute
Traceroute typically uses udp ports 33435 to 33524 for the first 30 hops (for 
additional hops beyond that add 3 ports per hop). You need to allow these 
through firewalls or packet filters. Do not allow any vulnerable servers to use 
this port range inside your net. 

(Taken from http://www.freelabs.com/~whitis/isp_mistakes.html)



This mail sent through IMP: http://horde.org/imp/

Reply to: