Re: Allowing outgoing traceroutes through NAT
On Fri, May 02, 2003 at 02:47:23PM -0700, Talon wrote:
>
> Blocking traceroute
> Traceroute typically uses udp ports 33435 to 33524 for the first 30 hops (for
> additional hops beyond that add 3 ports per hop). You need to allow these
> through firewalls or packet filters. Do not allow any vulnerable servers to use
> this port range inside your net.
>
> (Taken from http://www.freelabs.com/~whitis/isp_mistakes.html)
One problem is I do not know iptables well, so I'm using a firewall package. But of course
that isolates me farther from what's happening...
So I guess I'm not clear where I need to look. Perhaps it's easier to show part of my
setup:
My INPUT chain includes:
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5
ACCEPT udp -- anywhere anywhere udp spts:32769:65535 dpts:33434:33523
Chain FORWARD (policy DROP)
target prot opt source destination
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
STATEFUL all -- anywhere anywhere
Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere
And my OUTPUT is:
target prot opt source destination
loopback all -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
--
Bill Moseley
moseley@hank.org
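Added example, not code from the list post: a Python check over an `iptables -L`-style listing that uses the port layout from the quoted text (first probe port 33435, three ports per hop, both assumed parameters) to report which probe ports a chain's ACCEPT udp rule leaves out, and whether a RELATED accept exists for the ICMP replies the probes provoke. The sample listing is constructed from the INPUT and STATEFUL lines shown in this message.

```python
import re

# Assumed port layout, taken from the quoted text: first probe port 33435,
# three ports per hop. Adjust these for a traceroute that uses a different base.
FIRST_PORT = 33435
PORTS_PER_HOP = 3

# Constructed sample, copied from the INPUT and STATEFUL chains shown in the message.
SAMPLE_LISTING = """\
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5
ACCEPT udp -- anywhere anywhere udp spts:32769:65535 dpts:33434:33523
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
"""

UDP_RULE_RE = re.compile(r"^(?P<target>\S+)\s+udp\s+--\s+\S+\s+\S+\s+udp\s+(?P<match>.+)$")
DPORT_RE = re.compile(r"\bdpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?")

def traceroute_port_range(max_hops, first_port=FIRST_PORT, ports_per_hop=PORTS_PER_HOP):
    """Inclusive UDP destination port range needed to probe max_hops hops."""
    return first_port, first_port + max_hops * ports_per_hop - 1

def udp_accept_ranges(listing):
    """(lo, hi) for every ACCEPT udp rule in the listing that matches numeric dport(s)."""
    ranges = []
    for line in listing.splitlines():
        m = UDP_RULE_RE.match(line.strip())
        if not m or m.group("target") != "ACCEPT":
            continue
        p = DPORT_RE.search(m.group("match"))
        if p:                              # skips symbolic ports such as dpt:netbios-ns
            lo = int(p.group("lo"))
            ranges.append((lo, int(p.group("hi") or lo)))
    return ranges

def uncovered_probe_ports(listing, max_hops):
    """Probe ports for max_hops hops that no ACCEPT udp rule in the listing admits."""
    lo, hi = traceroute_port_range(max_hops)
    allowed = udp_accept_ranges(listing)
    return [p for p in range(lo, hi + 1) if not any(a <= p <= b for a, b in allowed)]

def accepts_related(listing):
    """True if some ACCEPT rule carries state RELATED: conntrack classifies the ICMP
    time-exceeded / port-unreachable replies to the probes as RELATED to the UDP flow."""
    return any(line.lstrip().startswith("ACCEPT") and "RELATED" in line
               for line in listing.splitlines())

if __name__ == "__main__":
    for hops in (29, 30):
        print(hops, "hops: uncovered ports", uncovered_probe_ports(SAMPLE_LISTING, hops))
    print("RELATED replies accepted:", accepts_related(SAMPLE_LISTING))
```

Run against the rule from the message, the check shows that `dpts:33434:33523` is one port short of the quoted 30-hop range (33524 is not covered) while 29 hops fit entirely.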