fwbuilder, iptables & traceroute

From: Martin Roy (martin.roy_at_gmail.com)
Date: 11/18/04


Date: 18 Nov 2004 09:06:44 -0800

Hi,

I have an iptables rule set to allow ICMP unreachables (Rule 0) and
also allow all other traffic (Rule 1) (it's in a lab so I don't care
about security right now). I built my ruleset using fwbuilder.

Rule 0 allows me to traceroute to the firewall and it responds:

traceroute Dom01
traceroute: Warning: Multiple interfaces found; using 206.116.76.131 @ hme0
traceroute to nmDomNATfw01 (137.1.4.2), 30 hops max, 40 byte packets
 1 206.116.76.156 2.389 ms 3.869 ms 3.309 ms
 2 139.40.0.2 3.253 ms 0.769 ms 0.604 ms
 3 137.1.4.2 0.611 ms 0.542 ms 0.579 ms

If I traceroute through the firewall, it does not respond to
traceroute:

traceroute gearLINNE_s01
traceroute: Warning: Multiple interfaces found; using 206.116.76.131 @ hme0
traceroute to gearLINNE_s01 (132.52.145.5), 30 hops max, 40 byte packets
 1 206.116.76.156 2.935 ms 2.385 ms 1.834 ms
 2 139.40.0.2 3.161 ms 0.785 ms 0.559 ms
 3 * * *
 4 132.52.145.5 4.510 ms 1.262 ms 1.085 ms

How can I fix this?

Here is my rule set as generated by fwbuilder:

Rule 0(global)
+ iptables -N Cid419B703B.0
+ iptables -A INPUT -p icmp --icmp-type 3 -m state --state NEW -j Cid419B703B.0
+ iptables -A Cid419B703B.0 -s 206.116.76.179 -j ACCEPT
+ iptables -A Cid419B703B.0 -s 206.116.76.128/27 -j ACCEPT
+ iptables -N Cid419B703B.1
+ iptables -A FORWARD -p icmp --icmp-type 3 -m state --state NEW -j Cid419B703B.1
+ iptables -A Cid419B703B.1 -s 206.116.76.179 -j ACCEPT
+ iptables -A Cid419B703B.1 -s 206.116.76.128/27 -j ACCEPT
+ echo 'Rule 1(global)'
Rule 1(global)
+ iptables -A OUTPUT -m state --state NEW -j ACCEPT
+ iptables -A INPUT -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -m state --state NEW -j ACCEPT
+ echo 1

Thanks

Martin
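Added example, not part of the post above and not fwbuilder's or the kernel's code: a small Python model of how the INPUT, OUTPUT and FORWARD chains walk the rules quoted in the post, fed those rules verbatim and then asked about the packets a traceroute through the firewall produces. It models only the matches these rules use (-p, --icmp-type, -m state, -s) and does not model conntrack; the state a packet carries is supplied by hand, which is the point: a traceroute probe whose TTL expires is answered with ICMP type 11 (time exceeded), which Rule 0 (type 3 only) never matches, and every rule in the excerpt matches only state NEW, so for a reply in any other state the decision is made by the chain policy or by rules the post does not show (there is no ESTABLISHED,RELATED rule in the lines quoted). The client address 206.116.76.131 and firewall address 137.1.4.2 are taken from the traceroute output; the flow names, the 10.0.0.1 sample source and the `POLICY` pseudo-verdict are this example's own.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ICMP_DEST_UNREACH = 3    # the only ICMP type Rule 0 matches
ICMP_TIME_EXCEEDED = 11  # what a router sends back when a traceroute probe's TTL expires

# The "+ iptables ..." trace lines from the post, wrapped lines rejoined (data, not a script).
RULESET = """\
+ iptables -N Cid419B703B.0
+ iptables -A INPUT -p icmp --icmp-type 3 -m state --state NEW -j Cid419B703B.0
+ iptables -A Cid419B703B.0 -s 206.116.76.179 -j ACCEPT
+ iptables -A Cid419B703B.0 -s 206.116.76.128/27 -j ACCEPT
+ iptables -N Cid419B703B.1
+ iptables -A FORWARD -p icmp --icmp-type 3 -m state --state NEW -j Cid419B703B.1
+ iptables -A Cid419B703B.1 -s 206.116.76.179 -j ACCEPT
+ iptables -A Cid419B703B.1 -s 206.116.76.128/27 -j ACCEPT
+ echo 'Rule 1(global)'
+ iptables -A OUTPUT -m state --state NEW -j ACCEPT
+ iptables -A INPUT -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -m state --state NEW -j ACCEPT
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    proto: Optional[str] = None
    icmp_type: Optional[int] = None
    states: Optional[Set[str]] = None
    src: Optional[ipaddress.IPv4Network] = None
    target: str = ""


def parse_ruleset(text: str) -> Dict[str, List[Rule]]:
    """Turn the set -x trace into {chain: [rules in append order]}; non-iptables lines are skipped."""
    chains: Dict[str, List[Rule]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["+", "iptables"]:
            continue
        argv = argv[2:]
        if argv[0] == "-N":                 # user-defined chain, initially empty
            chains.setdefault(argv[1], [])
            continue
        if argv[0] != "-A" or len(argv) % 2:
            raise ValueError(f"unsupported iptables invocation: {line}")
        rule = Rule()
        for opt, arg in zip(argv[2::2], argv[3::2]):
            if opt == "-p":
                rule.proto = arg
            elif opt == "--icmp-type":
                rule.icmp_type = int(arg)
            elif opt == "-m":
                continue                    # module name; its options are parsed as they come
            elif opt == "--state":
                rule.states = set(arg.split(","))
            elif opt == "-s":
                rule.src = ipaddress.ip_network(arg, strict=False)
            elif opt == "-j":
                rule.target = arg
            else:
                raise ValueError(f"unsupported match {opt} in: {line}")
        chains.setdefault(argv[1], []).append(rule)
    return chains


def matches(rule: Rule, pkt: dict) -> bool:
    """Every match present on the rule must hold; absent matches match anything, as in iptables."""
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.get("icmp_type"):
        return False
    if rule.states is not None and pkt["state"] not in rule.states:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    return True


def evaluate(chains: Dict[str, List[Rule]], chain: str, pkt: dict) -> str:
    """Walk a chain in order; 'POLICY' means nothing matched and the chain policy decides."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in VERDICTS:
            return rule.target
        if rule.target == "RETURN":
            return "POLICY"
        if rule.target not in chains:
            raise ValueError(f"unknown target {rule.target}")
        verdict = evaluate(chains, rule.target, pkt)
        if verdict != "POLICY":             # falling off a user chain resumes the caller
            return verdict
    return "POLICY"


def traceroute_verdicts(chains: Dict[str, List[Rule]]) -> Dict[str, str]:
    """Verdicts for the flows of a traceroute through the firewall, per state the reply might carry.

    Addresses come from the post (client 206.116.76.131, firewall 137.1.4.2); the flow names,
    the 10.0.0.1 sample source and the 'POLICY' pseudo-verdict are this example's own.
    """
    probe = {"proto": "udp", "src": "206.116.76.131", "state": "NEW"}
    verdicts = {"udp_probe_FORWARD": evaluate(chains, "FORWARD", probe)}
    for state in ("NEW", "RELATED", "INVALID"):
        reply = {"proto": "icmp", "icmp_type": ICMP_TIME_EXCEEDED, "src": "137.1.4.2", "state": state}
        verdicts[f"time_exceeded_OUTPUT_{state}"] = evaluate(chains, "OUTPUT", reply)
    # Rule 0's only ICMP type from a source it does not list: Cid419B703B.0 falls through, Rule 1 accepts.
    unreach = {"proto": "icmp", "icmp_type": ICMP_DEST_UNREACH, "src": "10.0.0.1", "state": "NEW"}
    verdicts["dest_unreach_INPUT_other_source"] = evaluate(chains, "INPUT", unreach)
    return verdicts


if __name__ == "__main__":
    for name, verdict in traceroute_verdicts(parse_ruleset(RULESET)).items():
        print(f"{name:34} {verdict}")
```

The OUTPUT verdicts for the type-11 reply are the ones to look at: only the NEW case is accepted by the lines in the post, so whatever state conntrack actually assigns that reply on the box, the rule that decides for RELATED or INVALID is not among the lines shown, and the next thing to check is `iptables -L OUTPUT -v -n` for the chain policy and any rule above these. The last entry also shows that Rule 0 changes no verdict while Rule 1 accepts every NEW packet: a type-3 packet from a source Rule 0 does not list falls out of Cid419B703B.0 and is accepted by Rule 1 anyway.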


