On Monday 20 May 2002 4:38 pm, Miky J wrote:
> Hi, I've been looking at how to let traceroute go through the firewall, but
> all the documentation I find is different from one to another.
That's because there are different forms of traceroute :-)  Some send ICMP
echo requests, some send UDP packets.

To find out which one your machines use (it depends on the operating
system), put a LOG entry into your firewall with a source address of the
machine you're tracerouting from, and then do a traceroute to somewhere.
The firewall logs will tell you what sort of packets it saw (and presumably
blocked, otherwise you wouldn't be having the problem...)

    iptables -A FORWARD -s aa.bb.cc.dd -j LOG

where aa.bb.cc.dd is the IP address of the machine you run the traceroute
command on.

Then you can put in an appropriate rule to allow the packets you want.

I presume you don't want people from the outside to be able to traceroute
into your network, so you're only allowing some additional outbound traffic
(and the corresponding RELATED replies - not a big security risk).

Antony.
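As an added illustration of the procedure in Antony's reply (this is not code from the thread), the script below reads the lines that an iptables "-j LOG" rule writes to the kernel log, works out per source host whether traceroute was sending UDP probes or ICMP echo requests, and prints the FORWARD rules that would let that traffic out plus one ESTABLISHED,RELATED rule for the replies. The log lines are constructed for the example, the function names are made up, and the UDP port range 33434-33534 is the conventional range used by classic UDP traceroute, which the thread itself does not state; adjust it if your traceroute uses something else.

```python
import re

# Constructed kernel LOG lines (not from the original thread). They show what an
# iptables "-A FORWARD -s <host> -j LOG" rule records for the two traceroute
# flavours Antony describes (UDP probes and ICMP echo requests), plus one
# ordinary HTTPS packet that must be ignored.
SAMPLE_LOG = """\
May 20 16:40:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=4242 DF PROTO=UDP SPT=40123 DPT=33434 LEN=40
May 20 16:40:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=2 ID=4243 DF PROTO=UDP SPT=40124 DPT=33435 LEN=40
May 20 16:41:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=1 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
May 20 16:41:14 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=2 ID=8 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
May 20 16:42:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=99 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 SYN
"""

# Assumed destination-port range of classic UDP traceroute (33434 upward, one
# port per probe). This is a convention, not something the thread states.
UDP_TRACEROUTE_PORTS = (33434, 33534)

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    LEN= and ID= occur twice (IP header, then UDP/ICMP header); the second
    occurrence wins, which does not matter for the fields used here.
    """
    return dict(FIELD_RE.findall(line))


def classify_probe(fields):
    """Classify one logged packet as a 'udp' or 'icmp' traceroute probe, else None."""
    proto = fields.get("PROTO")
    if proto == "UDP":
        lo, hi = UDP_TRACEROUTE_PORTS
        if lo <= int(fields.get("DPT", 0)) <= hi:
            return "udp"
    elif proto == "ICMP" and fields.get("TYPE") == "8":  # type 8 = echo request
        return "icmp"
    return None


def traceroute_flavours(log_text):
    """Map each source address to the set of traceroute flavours seen from it."""
    seen = {}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        kind = classify_probe(fields)
        if kind:
            seen.setdefault(fields["SRC"], set()).add(kind)
    return seen


def allow_rule(src, kind):
    """Build the FORWARD rule letting this host's outbound probes through.

    The replies (ICMP time-exceeded / port-unreachable, or echo-reply) are not
    matched here: conntrack ties them to the outgoing probe, so the single
    ESTABLISHED,RELATED rule in REPLY_RULE covers them.
    """
    if kind == "udp":
        lo, hi = UDP_TRACEROUTE_PORTS
        match = "-p udp --dport %d:%d" % (lo, hi)
    elif kind == "icmp":
        match = "-p icmp --icmp-type echo-request"
    else:
        raise ValueError("unknown probe kind: %r" % kind)
    return "iptables -A FORWARD -s %s %s -j ACCEPT" % (src, match)


REPLY_RULE = "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"


def ruleset(log_text):
    """All rules to add: one per (host, flavour) pair, then the reply rule."""
    rules = []
    for src, kinds in sorted(traceroute_flavours(log_text).items()):
        for kind in sorted(kinds):
            rules.append(allow_rule(src, kind))
    rules.append(REPLY_RULE)
    return rules


if __name__ == "__main__":
    for rule in ruleset(SAMPLE_LOG):
        print(rule)
```

The script only prints rules, it never applies them; feed it the real LOG output from your syslog and review the result before adding anything. Because every ACCEPT is restricted to a source address and to outbound probes, nothing here lets outside hosts traceroute into the network, which matches the policy Antony assumes. The reply rule relies on connection tracking having seen the probe, which it will once the probe is accepted.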
