iptables: allow traceroute / AXIP / RIP

#!/bin/bash
ipt="/sbin/iptables"
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
# Ampr.org
# UDP port 520 = RIP, routing protocol
$ipt -A INPUT -p udp --dport 520 -j ACCEPT
# Allow traceroute. Do not DROP UDP ports 33434 to 33523; a REJECT is fine.
# If you drop them, a traceroute to this host cannot complete.
$ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$ipt -A INPUT -p udp --dport 33434:33523 -j REJECT
# Proto 4 = IPv4 encapsulation (IP-in-IP) / Proto 93 = AX.25 frames / Proto 94 = IPIP
# Here everything from and to the 44 network is allowed.
# If you only want to allow traffic between 44net hosts, use this instead:
# $ipt -I INPUT -j ACCEPT -s 44.0.0.0/8 -d 44.0.0.0/8
#
# Note: "-d 0.0.0.0" matches only the single address 0.0.0.0/32; "any destination" is 0.0.0.0/0.
$ipt -I INPUT -j ACCEPT -s 44.0.0.0/8 -d 0.0.0.0/0
$ipt -I INPUT -j ACCEPT -s 0.0.0.0/0 -d 44.0.0.0/8
$ipt -I FORWARD -j ACCEPT -s 44.0.0.0/8 -d 0.0.0.0/0
$ipt -I FORWARD -j ACCEPT -s 0.0.0.0/0 -d 44.0.0.0/8
# The encapsulation protocols that carry 44net traffic (-I puts these ahead of the REJECT rule above)
$ipt -I INPUT -j ACCEPT --proto 4
$ipt -I INPUT -j ACCEPT --proto 93
$ipt -I INPUT -j ACCEPT --proto 94
$ipt -I FORWARD -j ACCEPT --proto 4
$ipt -I FORWARD -j ACCEPT --proto 94
$ipt -I FORWARD -j ACCEPT --proto 93
Allowing traceroutes to succeed with iptables

Traceroute from Windows machines (tracert) typically uses ICMP Type 8 (echo request) packets.  Traceroute from Unix-like machines typically uses UDP packets with sequentially increasing destination ports, starting at 33434; with the defaults of 30 hops and 3 probes per hop that is 33434 through 33523.  So your server (the traceroute destination) must not drop incoming ICMP Type 8 or UDP 33434:33523.

Here is where it gets tricky: the server does not need to accept those packets either, which is what the vast majority of sites addressing this issue recommend.  It only needs to be able to reject them, which cannot happen if they are being dropped.  If you follow the typical advice and ACCEPT the packets, traceroute ends up working by accident: those ports should not be in use by any running application, so nothing is listening on them and the kernel answers with ICMP Type 3 (destination unreachable, code 3: port unreachable), which is exactly the reply traceroute is waiting for.  But if you are accepting packets to these ports, a rogue application that binds to one of them also becomes reachable from outside, which is the sort of thing your firewall should be preventing in the first place.

The good news is that DROP and ACCEPT are not your only options: you can REJECT these packets instead, which does exactly what we want here.  The default reply iptables sends for a rejected UDP packet is icmp-port-unreachable, the same answer the kernel gives for a closed port, so traceroutes complete properly without any listener on those UDP ports ever being exposed.

So, provided your OUTPUT chain lets the ICMP replies out (the script above sets the OUTPUT policy to ACCEPT), all you really need on your server to allow incoming traceroutes to work properly is:

# allow ICMP Type 8 (ping, ICMP traceroute)
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# enable UDP traceroute rejections to get sent out
-A INPUT -p udp --dport 33434:33523 -j REJECT
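
The following is an added example, not part of the original page: a small POSIX shell script that turns the two rules above into a complete iptables-restore ruleset and computes the UDP range from the traceroute parameters instead of hard-coding it. The function names, the loopback and conntrack rules, and the `--reject-with icmp-port-unreachable` (made explicit here; it is also the iptables default) are my additions. The port arithmetic assumes classic UDP traceroute behaviour: one destination port per probe, starting at 33434, so a run with max_ttl hops and nqueries probes per hop ends at 33434 + max_ttl*nqueries - 1.

```shell
#!/bin/sh
# Added example (not from the original page): generate an iptables-restore
# ruleset that lets incoming traceroutes complete by REJECTing the probe
# ports, with the UDP range derived from the traceroute parameters.

# Classic UDP traceroute starts at destination port 33434 and adds one per
# probe, so max_ttl hops with nqueries probes each use ports
# 33434 .. 33434 + max_ttl*nqueries - 1. The defaults (30, 3) give
# 33434:33523, the range used on this page; a client run with a larger
# -m or -q needs a wider REJECT range (assumption stated in the lead-in).
TRACEROUTE_BASE_PORT=33434

# Print the "first:last" UDP port range for the given max TTL and probes per hop.
traceroute_port_range() {
    max_ttl="${1:-30}"
    nqueries="${2:-3}"
    last=$((TRACEROUTE_BASE_PORT + max_ttl * nqueries - 1))
    printf '%s:%s\n' "$TRACEROUTE_BASE_PORT" "$last"
}

# Emit a filter table in iptables-save format. The destination host needs:
#  - ICMP echo request (type 8) ACCEPTed, so ICMP (Windows) traceroute
#    gets an echo reply from the final hop;
#  - the UDP probe ports REJECTed with port-unreachable, so UDP (Unix)
#    traceroute sees the final hop answer while nothing that binds those
#    ports ever becomes reachable (ACCEPT would expose such a listener,
#    DROP would leave the last hop showing "* * *");
#  - an OUTPUT policy of ACCEPT so the ICMP replies actually leave.
gen_traceroute_rules() {
    range="$(traceroute_port_range "$@")"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow ICMP Type 8 (ping, ICMP traceroute)
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# enable UDP traceroute rejections to get sent out: REJECT, not DROP and not ACCEPT
-A INPUT -p udp --dport $range -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Parse-check the generated ruleset with the real tool without loading it.
# Needs root and iptables-restore; call this by hand on the target host.
iptables_restore_test() {
    gen_traceroute_rules "$@" | iptables-restore --test
}

# Default invocation: print the ruleset for the given max TTL and probe count.
gen_traceroute_rules "$@"
```

Run it with no arguments for the 30-hop, 3-probe default, or `./traceroute-rules.sh 64 5` to cover a client that uses a longer run; pipe the output into `iptables-restore --test` (or call `iptables_restore_test`) as root to confirm it parses before loading it for real.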