
Re: Traceroute not working through gshield NAT

On Thu May 01, 2003 at 05:23:07PM -0700, nate wrote:
> Bill Moseley said:
> > $ traceroute debian.org
> > traceroute to debian.org (, 30 hops max, 38 byte packets
> >  1  * * *
> try
> traceroute -n www.debian.org
> traceroute -I www.debian.org

No, it's not that.  The traceroute just isn't getting through my gshield firewall, and I'm 
wondering how to config gshield to allow traceroute.

I can run traceroute from the Firewall/NAT machine just fine, just not from within the 

If I run 

  # /etc/init.d/gshield stop
  # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $external_ip

then I can run traceroutes from inside the NAT'ed network.  So gshield is blocking.

Ping, on the other hand, does work from inside the net.

And setting in gshield:


does not log the blocked traceroute.

So, in summary, with gshield running:

From the Firewall/NAT machine I can ping and traceroute to both internal and external hosts.

From the internal machines I can ping everywhere.  I can only traceroute as far as the 
Firewall/NAT machine.


Bill Moseley
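The symptom above (ping passes, traceroute stops at the gateway) is what a default-deny FORWARD chain produces when it forwards ICMP echo but nothing else: the default traceroute sends UDP probes to ports 33434 and up, and the per-hop answers are ICMP time-exceeded messages that have to be forwarded back and un-NAT'ed.  The script below is an added example of the iptables rules a NAT gateway needs for that; it is not from Bill's post, nor from nate, nor from gshield itself.  The interface names eth1 (inside) and eth0 (outside), the address 203.0.113.5, the port range and the IPT dry-run variable are all assumptions; by default it only prints the rules so they can be reviewed before being applied with IPT=iptables as root.

```shell
#!/bin/sh
# Added example (not the original post's or gshield's own rules): FORWARD and
# NAT rules that let traceroute from a NAT'ed host reach external hops.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Default (UDP) traceroute uses one destination port per probe starting at
# 33434; 30 hops x 3 probes covers 33434-33523.  Each hop replies with an
# ICMP time-exceeded, which conntrack ties to the outbound UDP flow as RELATED.
TRACEROUTE_PORTS="33434:33523"

traceroute_rules() {
    lan_if="$1"   # inside interface (assumed eth1)
    wan_if="$2"   # outside interface (assumed eth0)
    ext_ip="$3"   # address the inside network is SNAT'ed to

    # Same SNAT rule as in the post: rewrite inside sources to the external address.
    $IPT -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$ext_ip"

    # Default-deny forwarding.  On its own this is the "weak" state described
    # in the post: ping gets an explicit ACCEPT below, the UDP probes get nothing
    # and are dropped, so traceroute shows only the gateway hop.
    $IPT -P FORWARD DROP

    # Return traffic for flows the inside started.  RELATED is what brings the
    # ICMP time-exceeded replies back through the NAT to the tracing host.
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ping, and traceroute -I (ICMP echo probes).
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" \
        -p icmp --icmp-type echo-request -j ACCEPT

    # The actual fix for UDP traceroute: let the probes out.
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" \
        -p udp --dport "$TRACEROUTE_PORTS" -j ACCEPT
}

# Dry run with the assumed interfaces and a constructed (documentation-range) address.
traceroute_rules eth1 eth0 203.0.113.5
```

After applying the rules, `iptables -L FORWARD -v -n` should show the UDP rule's packet counter climbing while a traceroute runs from an inside host; if the trace still stops at the gateway, a LOG rule placed just before the chain's final DROP shows which packet is being refused.  Note that `traceroute -I` only needs the echo-request rule, which is why an ICMP trace may already work where the UDP one does not.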
