iptables Allow Traceroute

Discussion in 'Plesk for Linux - 8.x and Older' started by Chris, May 19, 2005.

  1. Chris

    I did some searching here and I found a thread with a good Plesk-friendly iptables script. That script is located here:
    http://www.sbctec.com/firewall/iptables.txt

    It is working nicely. The only problem for me is that it doesn't allow outside traceroutes to the server. How can I modify that script to allow outside traceroutes successfully?
     
  2. jamesyeeoc

    If you want to allow all ICMP -

    iptables -A INPUT -p icmp -j ACCEPT

    If it's just traceroute you need, but not the rest, then specify

    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
     
  3. Chris

    Thanks, but that didn't seem to help. Added to the script and no change.

    I should mention I can ping okay but traceroutes to the server are timing out at the last hop for some reason.
     
  4. jamesyeeoc

    OK, I've been up too late again. Change your --icmp-type to 8

    I know this is for Echo-reply, but once this is enabled, traceroute works....

    According to all the literature, traceroute should be related to types 11 and 30, but I just did testing with one server and only got traceroute when I enabled type 8.
     
  5. Chris

    Hmm... still no good. I tried positioning it at various points in the script but nothing worked. Traceroutes always start timing out at the last hop. If I type iptables -F the traceroute immediately completes, so I know it's something in that script that's blocking them.

    One oddity I've discovered: It looks like traceroutes from Windows machines will go through fine, but traceroutes from Linux machines time out at the last hop.
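
Added example (not part of the thread or of the linked script): the Windows/Linux difference in the last post matches how the two tools probe. Windows tracert sends ICMP echo requests, while Linux traceroute by default sends UDP datagrams to ports starting at 33434 and only recognises the final hop when the target answers with ICMP port-unreachable. The names `IPT`, `TR_PORTS` and `allow_traceroute` are chosen for this example, and it assumes the script filters in the INPUT and OUTPUT chains of the filter table.

```shell
#!/bin/sh
# Added example: rules that let both Windows tracert and Linux traceroute
# complete at this host. Not taken from the linked iptables.txt script.

# Dry run by default: prints each rule instead of applying it.
# Run with IPT=iptables (as root) to apply. IPT is a name chosen here.
IPT="${IPT:-echo iptables}"

# Default UDP destination ports used by Linux traceroute (starts at 33434,
# one port per probe). The upper bound is the conventional end of the range.
TR_PORTS="33434:33534"

allow_traceroute() {
    # "-I <chain> 1" inserts at the top of the chain so that a DROP earlier
    # in the existing script cannot match first (assumption: the script
    # filters in the INPUT and OUTPUT chains of the filter table).

    # Windows tracert: ICMP echo-request (type 8) probes, rate limited.
    $IPT -I INPUT 1 -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT

    # Linux traceroute: UDP probes. The last hop is recognised only when the
    # target answers with ICMP port-unreachable, so REJECT instead of DROP.
    $IPT -I INPUT 1 -p udp --dport "$TR_PORTS" \
        -j REJECT --reject-with icmp-port-unreachable

    # Let both kinds of reply leave the host in case OUTPUT is filtered.
    $IPT -I OUTPUT 1 -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -I OUTPUT 1 -p icmp --icmp-type port-unreachable -j ACCEPT
}

allow_traceroute
```

From a Linux client, `traceroute -I <host>` sends ICMP echo probes like Windows tracert, so comparing it with a plain `traceroute <host>` shows whether the UDP rule was the missing piece.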
     