LinuxQuestions.org
Old 06-22-2005, 08:47 AM   #1
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Rep: Reputation: 0
[IPTABLES] Traceroute


I have a firewall that has a couple of servers behind it; when I do a "traceroute" from a random client it also shows the firewall as a "hop".
Is it possible to set a rule in IPTABLES so the firewall doesn't show up as a hop when a traceroute is done?
 
Old 06-23-2005, 01:13 AM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Yes, you just have to increment the TTL in packets coming from the internet.

Check to see if you have the patch-o-matic netfilter modules required to do this:
Code:
# ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
ipt_XXX modules are targets you may use with -j in iptables(8), and ipt_xxx modules are matches (for use with the -m option).

You must have ipt_TTL for this hack to work:
Code:
# /sbin/iptables -t mangle -I PREROUTING -i $INTERNET_IFACE -j TTL --ttl-inc 1
Having just ipt_ttl won't work because this module is only a match.

Run:
Code:
# /sbin/iptables -j TTL -h
# /sbin/iptables -m ttl -h
I don't know why iptables(8) gives help when some modules aren't present.
 
Old 06-30-2005, 01:41 AM   #3
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
All you need to do is get your firewall to block ping (ICMP) packets.
Using iptables:
Code:
iptables -A INPUT -p icmp -m icmp -j DROP
 
Old 06-30-2005, 01:32 PM   #4
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Quote:
Originally posted by tkedwards
All you need to do is get your firewall to block ping (ICMP) packets.
Using iptables:
Code:
iptables -A INPUT -p icmp -m icmp -j DROP
Don't you ever try this. This would block ALL ICMP, and not just ping (ICMP ECHO REPLY) packets. If you block all inbound ICMP, you won't receive ICMP replies, nor can you traceroute any host outside of your LAN.

Standard traceroute uses UDP probes and (optionally) ICMP ECHO packets to elicit ICMP TIME EXCEEDED from hops along the way. There's another package called tcptraceroute that uses TCP SYNs instead. They all expect an ICMP TIME EXCEEDED.

So, you only need to block TIME EXCEEDED messages, and only in OUTPUT.
Perhaps you would want to block ICMP DESTINATION UNREACHABLE too, for the UDP probes being sent to non-listening ports.

If you don't care about the machines on your LAN being tracerouted, and you only want your router/firewall to appear stealthy, then apply the TTL hack above and never get your firewall to respond to packets from the internet.
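The three rule sets discussed in this thread, side by side, as an added example (not a script posted by any of the participants): the blanket INPUT drop from post #3, the targeted OUTPUT drops from post #4, and the TTL compensation from post #2. The interface name eth0 and the dry-run default IPT=echo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Each function emits the iptables rules
# discussed in the posts above. IPT defaults to "echo" (dry run) so the rules
# can be reviewed without root; run with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo}"

# Post #3's rule: drops every inbound ICMP type. The firewall then also loses
# the echo-reply, fragmentation-needed and time-exceeded messages it needs
# itself, so its own ping, PMTU discovery and outbound traceroute break.
block_all_icmp() {
    "$IPT" -A INPUT -p icmp -j DROP
}

# Post #4's approach: leave ICMP alone in general and only stop the firewall
# from *sending* the two error types traceroute depends on, and only out of
# the internet-facing interface (assumed to be "$1", e.g. eth0).
stealth_hop_rules() {
    inet_iface="$1"
    # TTL ran out while forwarding through this box: the hop-revealing reply
    "$IPT" -A OUTPUT -o "$inet_iface" -p icmp --icmp-type time-exceeded -j DROP
    # UDP probe addressed to the firewall itself on a closed port
    "$IPT" -A OUTPUT -o "$inet_iface" -p icmp --icmp-type port-unreachable -j DROP
}

# Post #2's hack: undo the TTL decrement for packets arriving from the
# internet so this box never becomes the expiring hop. Needs the ipt_TTL
# target module; iptables-extensions(8) warns that raising the TTL lets
# packets circulate longer than intended, so limit it to one interface.
ttl_hack_rules() {
    inet_iface="$1"
    "$IPT" -t mangle -I PREROUTING -i "$inet_iface" -j TTL --ttl-inc 1
}

# Dry-run sanity check: the targeted rule set must never contain a blanket
# ICMP drop. Returns 0 if the rules are targeted, 1 otherwise.
rules_are_targeted() {
    if ( IPT=echo; stealth_hop_rules "$1" ) | grep -q -- '-p icmp -j DROP'; then
        return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    stealth_hop_rules "$1"
fi
```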
 
  

