iptables Allow Traceroute

[Chris]

I did some searching here and I found a thread with a good Plesk-friendly iptables script. That script is located here:
http://www.sbctec.com/firewall/iptables.txt

It is working nicely. The only problem for me is that it doesn't allow outside traceroutes to the server. How can I modify that script to allow outside traceroutes successfully?

 

[jamesyeeoc]

If you want to allow all ICMP -

IPTABLES -A INPUT -p icmp -j ACCEPT

If it's just traceroute you need, but not the rest, then specify

IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT

 

[Chris]

Thanks, but that didn't seem to help. Added to the script and no change.

I should mention I can ping okay but traceroutes to the server are timing out at the last hop for some reason.

 

[jamesyeeoc]

Ok, i've been up too late again, change your --icmp-type to 8

I know this is for Echo-reply, but once this is enabled, traceroute works....

According to all the literature, traceroute should be related to types 11 and 30, but I just did testing with one server and only got traceroute when I enabled type 8.

 

[Chris]

Hmm... still no good. I tried positioning it at various points in the script but nothing worked. Traceroutes always start timing out at the last hop. If I type iptables -F the traceroute immediatly completes, so I know it's something in that script that's blocking them.

One oddity I've discovered: It looks like traceroutes from Windows machines will go through fine, but traceroutes from Linux machines timeout at the last hop.