LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-16-2006, 06:48 AM   #1
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623

Rep: Reputation: 51
How to disable traceroute from the outside using IPTABLES?


Hi,

On my IPsec gateway (Debian stable) I have the following firewall script:
Code:
#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.114.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.20.0.0/8"
IPTABLES="/sbin/iptables"

$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

case "$1" in
   start)
     echo -n "Starting firewall.." 

#Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP 
$IPTABLES -P OUTPUT ACCEPT


# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -i $EXT_IF -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.10

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i $INT_IF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

echo "..done"
     ;;
   stop)
     echo -n "Stopping firewall.."
     $IPTABLES -F
     $IPTABLES -P FORWARD DROP
     $IPTABLES -P OUTPUT ACCEPT
     $IPTABLES -P INPUT ACCEPT
     echo "done"
     ;;
   *)
     echo "Usage: $0 {start|stop}"
     exit 1
     ;;
esac
How do I add an additional IPTABLES entry to disable traceroute from the outside?

Last edited by cccc; 08-16-2006 at 07:04 PM.
 
Old 08-16-2006, 01:55 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
I think you just need to add a rule that sends ICMP Type 11 (time exceeded) packets to DROP... There are also some traceroutes that use UDP instead of ICMP, but if you can send to DROP all UDP packets of state NEW going into your LAN, then that should take care of that...

Last edited by win32sux; 08-16-2006 at 01:59 PM.
 
Old 08-16-2006, 07:06 PM   #3
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623

Original Poster
Rep: Reputation: 51
Quote:
Originally Posted by win32sux
I think you just need to add a rule that sends ICMP Type 11 (time exceeded) packets to DROP... There are also some traceroutes that use UDP instead of ICMP, but if you can send to DROP all UDP packets of state NEW going into your LAN, then that should take care of that...
Thanks,

but can you please post an example of how it should work?
 
Old 08-16-2006, 09:22 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by cccc
Thanks,

but can you please post an example of how it should work?
It would go something like this:
Code:
iptables -I FORWARD -p ICMP --icmp-type 11 -j DROP
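One way to fold the advice in this thread into the OP's script, as an added example that is not code from either poster. It assumes the OP's EXT_IF and IPTABLES variable names and the standard UDP traceroute port range (33434 and up); it goes a step further than the one-liner by also covering the gateway's own OUTPUT chain and adding a rate-limited LOG rule so probes show up in the logs.

```shell
#!/bin/sh
# Added example, not the thread's own code. Uses the variable names from the
# OP's script (EXT_IF, IPTABLES); run with IPTABLES=echo for a dry run.
EXT_IF="${EXT_IF:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Every traceroute flavour (UDP, ICMP echo, TCP SYN probes) maps the path from
# the ICMP type 11 "time exceeded" errors each hop sends back. Two chains
# carry those errors out of this gateway:
#   OUTPUT  - errors the gateway itself generates when a probe's TTL expires
#             here (the kernel sends these before the packet ever reaches the
#             FORWARD chain, so a FORWARD rule alone does not silence them)
#   FORWARD - errors generated by hosts behind the gateway (LAN or VPN side)
# Matching on -o "$EXT_IF" only blocks errors leaving towards the Internet;
# inbound errors for traceroutes run *from* the LAN are still RELATED traffic
# and keep working.
traceroute_rules() {
    $IPTABLES -I OUTPUT -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP
    $IPTABLES -I FORWARD -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP

    # Classic UDP traceroute aims at unused high ports starting at 33434.
    # Inserted at the head of INPUT, these rules come before the per-network
    # ACCEPT in the OP's script. The LOG rule is inserted last so it ends up
    # ahead of the DROP and leaves a (rate-limited) detection trail.
    $IPTABLES -I INPUT -i "$EXT_IF" -p udp --dport 33434:33534 \
        -m state --state NEW -j DROP
    $IPTABLES -I INPUT -i "$EXT_IF" -p udp --dport 33434:33534 \
        -m state --state NEW -m limit --limit 3/min -j LOG \
        --log-prefix "TRACEROUTE probe: "
}

# Apply only when asked, so sourcing or dry-running the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    traceroute_rules
fi
```

`IPTABLES=echo sh traceroute-rules.sh apply` prints the four rules without touching the firewall; these would go in the start) branch after the state rules in the OP's script.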
All times are GMT -5. The time now is 10:32 AM.