Thanks Anthony & Davis
I have not resolved my problem yet, but with these two rules it works (I don't know why!!!)
iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -s $internet -d $extfw -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $extfw --sport 32769:65535 -d $internet --dport 33434:33523 -j ACCEPT
The logs seem to show that my traceroute uses UDP ...
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC="x.y.z.195" DST=a.b.c.71 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=4969 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC="x.y.z.195" DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4982 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC="x.y.z.195" DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4995 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
but when I disable the icmp-type 11 rule it doesn't work anymore.
Is it normal that traceroute also needs an outgoing connection from ports 32769:65535 to 33434:33523?
Will that also work if I have a Windows workstation behind my firewall?
Are these two rules safe, or should I improve them with a state flag?
And if I'd like people to traceroute my machines behind the firewall, is it possible to hide the fw, and how?
PS: I use Woody.
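Added example (not from this thread): a small classifier for iptables LOG lines of the kind pasted above. It separates the DNS lookups traceroute makes to resolve hop names (DPT=53) from the actual UDP probes (DPT 33434:33523) and from the ICMP type 11 (time exceeded) replies that both the UDP and the ICMP form of traceroute depend on. The first sample line is the one from the thread; the probe and the ICMP reply are constructed, and the addresses are the thread's own placeholders.

```python
import re
from typing import Dict, List

# Constructed sample log: line 1 is the DNS lookup from the thread, lines 2-3 are
# constructed to show a UDP traceroute probe (TTL=1) and the ICMP time-exceeded
# reply a router sends back for it (iptables appends the embedded original header
# in [...] for ICMP errors).
SAMPLE_LOG = """\
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC="x.y.z.195" DST=a.b.c.71 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=4969 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:31 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=5001 DF PROTO=UDP SPT=33001 DPT=33435 LEN=40
May 20 18:32:31 linuxfw kernel: IN=eth0 OUT= SRC=a.b.c.1 DST=x.y.z.195 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=x.y.z.195 DST=a.b.c.71 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=5001 DF PROTO=UDP SPT=33001 DPT=33435 LEN=40 ]
"""

# UDP destination ports used by the classic UDP traceroute (the range in the thread's rule).
TRACEROUTE_PORTS = range(33434, 33524)

# KEY=VALUE tokens; the value may be quoted (SRC="x.y.z.195") or empty (IN=).
_KV = re.compile(r'(\w+)=("?)([^\s"]*)\2')


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of the outer IP header of one iptables LOG line."""
    outer = line.split(" [", 1)[0]          # drop the embedded header of ICMP errors
    return {key: value for key, _quote, value in _KV.findall(outer)}


def direction(fields: Dict[str, str]) -> str:
    """Derive direction from IN=/OUT=: both set means the firewall forwarded it."""
    if fields.get("IN") and fields.get("OUT"):
        return "forwarded"
    return "outbound" if fields.get("OUT") else "inbound"


def classify(fields: Dict[str, str]) -> str:
    """Label the packet by what role it plays in a traceroute, or 'other'."""
    proto = fields.get("PROTO")
    if proto == "UDP":
        dpt = int(fields.get("DPT", "0"))
        if dpt in TRACEROUTE_PORTS:
            return "udp-traceroute-probe"
        if dpt == 53:
            return "dns-lookup"            # hostname resolution, not a probe
    elif proto == "ICMP":
        if fields.get("TYPE") == "8":
            return "icmp-echo-request"     # ICMP-style traceroute probe
        if fields.get("TYPE") == "11":
            return "icmp-time-exceeded"    # the reply every traceroute needs back
    return "other"


def summarize(log_text: str) -> List[str]:
    """One 'direction label SRC -> DST' line per packet that carries a PROTO field."""
    result = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if "PROTO" in fields:
            result.append(f"{direction(fields)} {classify(fields)} {fields['SRC']} -> {fields['DST']}")
    return result
```

Run against the pasted log lines, it shows the three entries in the thread are DNS lookups rather than probes, which is why they appear on port 53 while the rule for 33434:33523 is still needed.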
Antony Stone <[EMAIL PROTECTED]> wrote:
On Monday 20 May 2002 4:38 pm, Miky J wrote:
> Hi, I've been looking at how to let traceroute go through the firewall, but
> all the documentation I find is different from one document to another.
That's because there are different forms of traceroute :-)
Some send ICMP echo requests, some send UDP packets.
To find out which one your machines use (it depends on the operating system),
put a LOG entry into your firewall with a source address of the machine
you're tracerouting from, and then do a traceroute to somewhere.
The firewall logs will tell you what sort of packets it saw (and presumably
blocked, otherwise you wouldn't be having the problem...)
iptables -A FORWARD -s aa.bb.cc.dd -j LOG
where aa.bb.cc.dd is the IP address of the machine you run the traceroute
command on.
Then you can put in an appropriate rule to allow the packets you want.
I presume you don't want people from the outside to be able to traceroute
into your network, so you're only allowing some additional outbound traffic
(and the corresponding RELATED replies - not a big security risk).
Antony.
