How to disable traceroute from the outside using iptables?


ccc
08-16-2006, 06:50 AM
Hi,

On my IPsec gateway (Debian stable) I have the following firewall script:
#!/bin/sh
# Firewall script for the IPsec gateway (placeholder public addresses
# 202.X.X.x kept as posted)

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.114.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.20.0.0/8"
IPTABLES="/sbin/iptables"

# Flush every table and delete user-defined chains
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

case "$1" in
  start)
    echo -n "Starting firewall.."

    # Flush, then set restrictive default policies
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Public networks: everything from this /28 is accepted
    $IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

    # Allowed services on the external interface (HTTP, HTTPS)
    $IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i $EXT_IF -j ACCEPT

    # Allow DNS (TCP and UDP)
    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

    # Allow FTP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

    # Allow SSH
    $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

    # Allow access from LAN: source-NAT outgoing LAN traffic to the public address
    $IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.10

    # Mark incoming IPsec (ESP) packets so the rules below can match them
    $IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

    # Marked VPN traffic from the remote LANs is not NATed
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

    # Accept packets belonging to connections already tracked
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # ICMP from the internal LAN, IKE (UDP 500) and marked ESP from outside
    $IPTABLES -A INPUT -i $INT_IF -p icmp -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
    $IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

    # Forwarding: tracked connections, marked VPN traffic, anything from the LAN
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

    # Allow loopback device
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Spoof protection: drop packets arriving from outside addressed to the local LAN
    $IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

    echo "..done"
    ;;
  stop)
    echo -n "Stopping firewall.."
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    echo "done"
    ;;
  *)
    # $0 is the name this script was invoked as
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

How do I add an additional iptables entry to disable traceroute from the outside?

bwkaz
08-16-2006, 06:14 PM
First: Why? Why would disabling an extremely useful troubleshooting tool ever be a good idea? :)

Second: I'm not sure you can; the traceroute program doesn't use its own protocol, or its own port. (Well, some common executables might use their own UDP port. But the general idea, of sending packets and listening for ICMP time-exceeded messages, is independent of any layer-4 protocol. As long as IP packets are allowed through in some form, some people will be able to traceroute through the firewall somehow. If they just take whatever traffic is allowed, and modify their traceroute program to impersonate that traffic except change the TTL values, it'll work.)

ccc
08-16-2006, 07:03 PM
Thanks!

Maybe, for a little bit more security,
I should add a rule that sends ICMP type 11 (time exceeded) packets to DROP...
There are also some traceroutes that use UDP instead of ICMP.

Does someone know how it should work and can post some code, please?

P.S.
By the way, is my firewall script OK, or should I change something in this script?
I'm using it as an Internet router for Windows clients with an IPsec gateway, and as a public web & DNS server.

bwkaz
08-17-2006, 07:09 PM
> Maybe, for a little bit more security, I should add a rule that sends ICMP type 11 (time exceeded) packets to DROP.

No, because if you do that, then someone trying to route through your router will have various things break. First and foremost is traceroute (which you want to turn off -- though you still haven't said why), but second is probably path MTU discovery. At least one IPsec implementation requires correct handling of path MTU requests, or otherwise the end-user system has to manually lower its MTU to the lowest MTU on the path. (This manual setting is what path MTU discovery is supposed to find out, and it's supposed to be automatic.)

> There are also some traceroutes that use UDP instead of ICMP.

No, not really. All traceroute programs use ICMP, and most also use UDP. Most send a UDP datagram to a port that probably (but not necessarily!) is not listening on the other end. They make sure that the first packet has a TTL value (in the IP header) of one. Then they listen for the ICMP time-exceeded datagram. If they get one, then they move on to the next gateway (by bumping the TTL), and print some kind of timing information.

You can't legitimately block the incoming traceroute, because it can be any valid IP packet. For instance, you say you want this machine to be an IPsec gateway -- if that's what I think it is, then anyone could send a UDP packet on port 500 (which is the port used for IKE, which sets up IPsec associations), and use that type of packet to do their route tracing.

So since it's pointless to try to block the incoming request, why even bother? Why is it supposedly more secure to block traceroutes?
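The mechanism bwkaz describes, as an added toy model (not code from anyone in this thread, and no real network traffic): hops decrement the TTL, the hop where it reaches zero answers with ICMP type 11 whatever the layer-4 payload is, and a gateway rule dropping ICMP type 11 only blanks out hops in the output; the probes still reach the destination, which answers with something other than type 11. Hop names and the Gateway flag are constructed for the illustration.

```python
"""Toy model of TTL-expiry tracing through a firewall. No sockets are
used; it only shows why the transport protocol is irrelevant to the
technique and what dropping ICMP type 11 at the gateway changes."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # e.g. "udp/500" or "tcp/80"; hops never look at it
    ttl: int


@dataclass
class Gateway:
    name: str
    # models an OUTPUT/FORWARD rule dropping ICMP type 11 (time exceeded)
    drop_time_exceeded: bool = False


def send_probe(path, pkt):
    """Forward pkt hop by hop. path is a list of hop names or Gateway
    objects whose last element is the destination host. Returns the
    name of the hop that answered, or None if its answer was dropped."""
    behind_dropping_gw = False
    for hop in path[:-1]:
        pkt.ttl -= 1
        is_gw = isinstance(hop, Gateway)
        name = hop.name if is_gw else hop
        if is_gw and hop.drop_time_exceeded:
            # this hop's own reply, and replies from hops behind it,
            # would have to pass the dropping rule on the way back
            behind_dropping_gw = True
        if pkt.ttl == 0:
            # this hop emits ICMP type 11 toward the sender
            return None if behind_dropping_gw else name
    # TTL survived the whole path: the destination itself answers
    # (ICMP port unreachable, TCP RST/SYN-ACK, ...), not ICMP type 11
    return path[-1]


def trace(path, proto, max_ttl=30):
    """Emulate traceroute: probe with TTL 1, 2, ... until the destination answers."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, Packet(proto, ttl))
        seen.append(reply)
        if reply == path[-1]:
            break
    return seen
```

With the drop flag set, `trace()` shows the gateway and everything behind it as None (a "* * *" line in real traceroute output) while the destination still answers, so the hop count is still learned.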