  1. #1
    cc
    Linux Newbie
    Join Date
    Jun 2004
    Posts
    120

    How to disable traceroute using IPTABLES?


    Hi,

    On my IPsec gateway (Debian stable) I have the following firewall script:
    Code:
    #!/bin/sh
    
    EXT_IF="eth0"
    INT_IF="eth1"
    LOCAL_LAN="192.168.114.0/24"
    REMOTE_LAN1="192.168.0.0/24"
    REMOTE_LAN2="192.168.1.0/24"
    REMOTE_LAN3="10.20.0.0/8"
    IPTABLES="/sbin/iptables"
    
    $IPTABLES -t mangle -F
    $IPTABLES -t mangle -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    $IPTABLES -F
    $IPTABLES -X
    
    case "$1" in
       start)
         echo -n "Starting firewall.." 
    
    #Flush then restrict
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP 
    $IPTABLES -P OUTPUT ACCEPT
    
    
    # Public Networks
    $IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT
    
    # Allowed Services
    $IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT
    
    # Allow DNS
    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    
    # Allow FTP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    
    # Allow SSH
    $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    
    # Allow access from LAN
    $IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.10
    
    # Mark VPN packets
    $IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN
    
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT
    
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    $IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
    $IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT
    
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
    
    # Allow loopback-device
    $IPTABLES -A INPUT -i lo -j ACCEPT
    
    # Spoof protection
    $IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP
    
    echo "..done"
         ;;
       stop)
         echo -n "Stopping firewall.."
         $IPTABLES -F
         $IPTABLES -P FORWARD DROP
         $IPTABLES -P OUTPUT ACCEPT
         $IPTABLES -P INPUT ACCEPT
         echo "done"
         ;;
       *)
         echo "Usage: $0 {start|stop}"   # $0 is the script name; $NAME was never defined
         exit 1
         ;;
    esac
    How do I add an additional IPTABLES entry to disable traceroute from the external side?

  2. #2
    Just Joined!
    Join Date
    Sep 2005
    Location
    New Delhi
    Posts
    22
    iptables -A FORWARD -p ICMP -i eth<0/1/2> --icmp-type 11 -j DROP
    or
    iptables -A FORWARD -p ICMP -i eth<0/1/2> --icmp-type 8 -j DROP
    (as dropping echo requests will simultaneously drop traceroute requests as well)

    Adding the input or output ethernet interface is for added convenience.

    You can run "iptables -p ICMP -h" for the rest of the codes.

    Amit sharma,
    http://amitsharma.linuxbloggers.com/portforwarding.htm
