Traceroute response - solved

Bevan C. Bennett bevan at fulcrummicro.com
Tue Jan 6 02:48:04 UTC 2004


Alexander Dalloz wrote:

> But looking at your iptables rules chain it is obvious that all ICMP
> traffic in the INPUT chain is allowed and in the OUTPUT chain by policy
> too.
> 
> Curious indeed.

But not once we remember to read the traceroute man page... (Doh!)

Here are the relevant snippets:

-I     Use ICMP ECHO instead of UDP datagrams.

-p     Set the base UDP port number used in probes (default is  33434).
        Traceroute  hopes that nothing is listening on UDP ports base to
        base  +  nhops  -  1  at  the  destination  host  (so  an   ICMP
        PORT_UNREACHABLE message will be returned to terminate the route
        tracing).  If something is listening on a port  in  the  default
        range, this option can be used to pick an unused port range.

Adding the following as a second-to-last iptables entry will make a 
system more "traceroute-friendly" without giving away any potentially 
useful information to hostile network-probing types:

-A RH-Firewall-1-INPUT -m udp -p udp --dport 33434:33534 -j REJECT

That should be good for the system in question being up to the 100th 
traceroute hop. If you're tracing longer routes than that, adjust 
appropriately.

Happy tracing!

-Bevan Bennett
  Cranky Sysadmin
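An added example, not part of Bevan's post and not code from the traceroute or iptables projects: a small Python checker that reads iptables-save output, finds the UDP REJECT rule, and reports how many traceroute hops it actually covers, using the man page's formula (base port to base + nhops - 1) quoted above. The iptables-save text is constructed for this example (a Fedora-style RH-Firewall-1-INPUT chain with the post's rule placed second-to-last), and the function names, the 255-port search limit and the caveat about per-probe port increments are this example's own assumptions.

```python
import re

# Constructed iptables-save output for this example (not from the original post):
# a Fedora-style RH-Firewall-1-INPUT chain with the post's rule placed second-to-last,
# just before the catch-all REJECT --reject-with icmp-host-prohibited.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 33434:33534 -j REJECT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TRACEROUTE_BASE_PORT = 33434  # default for traceroute -p, per the man page quoted above

# Matches "-A <chain> ... -p udp ... --dport lo[:hi] ... -j <target>" lines of iptables-save.
UDP_DPORT_RULE = re.compile(
    r"^-A (?P<chain>\S+) .*-p udp .*--dport (?P<lo>\d+)(?::(?P<hi>\d+))? .*-j (?P<target>\S+)"
)


def traceroute_port_range(nhops, base=TRACEROUTE_BASE_PORT):
    """Ports traceroute probes for nhops hops, using the man page's base..base+nhops-1.

    Caveat (an assumption of this example, not from the post): some traceroute
    builds advance the port once per probe rather than once per hop, so size the
    range for nhops * probes-per-hop if you want to be safe.
    """
    return base, base + nhops - 1


def iptables_rule_for(nhops, chain="RH-Firewall-1-INPUT", base=TRACEROUTE_BASE_PORT):
    """Build the REJECT rule from the post, sized for a trace of nhops hops."""
    lo, hi = traceroute_port_range(nhops, base)
    return f"-A {chain} -m udp -p udp --dport {lo}:{hi} -j REJECT"


def parse_udp_rules(iptables_save_text):
    """Return (chain, lo_port, hi_port, target) for every UDP --dport rule, in chain order."""
    rules = []
    for line in iptables_save_text.splitlines():
        m = UDP_DPORT_RULE.match(line)
        if m:
            lo = int(m.group("lo"))
            hi = int(m.group("hi") or lo)
            rules.append((m.group("chain"), lo, hi, m.group("target")))
    return rules


def hops_covered(iptables_save_text, base=TRACEROUTE_BASE_PORT, limit=255):
    """Count consecutive probe ports from base whose first matching UDP rule is REJECT.

    Only REJECT produces the ICMP port unreachable that ends a trace. A DROP leaves
    traceroute printing '* * *' at the destination, and a port that falls through
    to the catch-all REJECT --reject-with icmp-host-prohibited shows up as '!X'.
    """
    rules = parse_udp_rules(iptables_save_text)
    covered = 0
    for port in range(base, base + limit):
        target = next((t for _, lo, hi, t in rules if lo <= port <= hi), None)
        if target != "REJECT":
            break
        covered += 1
    return covered


def check_traceroute_friendly(iptables_save_text, nhops, base=TRACEROUTE_BASE_PORT):
    """Return (ok, covered_hops, reason) for a trace of up to nhops hops."""
    covered = hops_covered(iptables_save_text, base, limit=nhops)
    if covered == nhops:
        return True, covered, f"probe ports {base}-{base + nhops - 1} are all REJECTed"
    port = base + covered  # first probe port that would not get a port unreachable back
    rules = parse_udp_rules(iptables_save_text)
    target = next((t for _, lo, hi, t in rules if lo <= port <= hi), None)
    if target is None:
        reason = f"no UDP rule matches port {port}; it falls through to the chain's catch-all"
    else:
        reason = f"first UDP rule matching port {port} is {target}, not REJECT"
    return False, covered, reason


if __name__ == "__main__":
    print(iptables_rule_for(100))
    print("hops covered by sample rule set:", hops_covered(SAMPLE_RULES))
    print(check_traceroute_friendly(SAMPLE_RULES, 100))
    print(check_traceroute_friendly(SAMPLE_RULES, 150))
```

To use it on a live box, feed the checker the output of `iptables-save` instead of SAMPLE_RULES. The placement matters as much as the rule: it has to sit before the chain's catch-all REJECT, otherwise the probes get an admin-prohibited ICMP back and the trace never terminates cleanly.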

More information about the fedora-list mailing list