Networking

Re: howto disable traceroute using IPTABLES ?

 
SOLVED
'chris'
Super Advisor

howto disable traceroute using IPTABLES ?

hi

on my ipsec gateway (debian stable) I have the following firewall script:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.114.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.20.0.0/8"   # host bits are set; iptables applies the mask, so this matches 10.0.0.0/8
IPTABLES="/sbin/iptables"

# Flush and delete all chains in every table so the script starts clean
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

# In case of stop: open the default policies and exit (currently commented out)
#case "$1" in
#  stop)
#    $IPTABLES -P INPUT ACCEPT
#    $IPTABLES -P FORWARD ACCEPT
#    $IPTABLES -P OUTPUT ACCEPT
#    exit 0
#    ;;
#esac

# Default policies: deny inbound and forwarded traffic, allow outbound
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Public Networks (our own public /28 is trusted)
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services: HTTP/HTTPS on the external interface
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i $EXT_IF -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow access from LAN: source-NAT the LAN behind the public address
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.10

# Mark VPN packets (ESP arriving on the external interface)
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Replies to connections the gateway already knows about
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ICMP only from the internal side; IKE and marked VPN traffic from outside
$IPTABLES -A INPUT -i $INT_IF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Forwarding: established flows, VPN traffic from outside, anything from the LAN
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection: packets claiming a LAN destination must not arrive on the outside
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

How to add an additional IPTABLES entry to disable traceroute?

kind regards
chris
Alexander Samad
Frequent Advisor
Solution

Re: howto disable traceroute using IPTABLES ?

Hi

you do not need

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT

as related or established packets never make it to the nat table again after the initial packet.

If memory serves me correctly, tracert is done by setting the TTL of each packet to 1, then to 2, etc., and each router on the path sends back an ICMP message (not sure which one) to advise that the packet died in transit.

You could filter out the outbound packets, but there are TCP tracert programs and of course UDP (this is the default type). I haven't read the RFC lately to remember if there is a predefined port, so you could block outbound UDP. You could just block all outbound UDP except for the ones you want, like 53.

The other approach is to block the return information, the ICMP.

All depends on why you're trying to block it.

But basic firewall principle: block all and only specifically allow what you want.


Steven E. Protter
Exalted Contributor

Re: howto disable traceroute using IPTABLES ?

Shalom,

Block ports 8 and 11, and ping and traceroute will no longer work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
g33k
Valued Contributor

Re: howto disable traceroute using IPTABLES ?

As Alex already said...

traceroute sends UDP packets with ttl=1 to get the first layer 3 device on the route, ttl=2 to get the second, and so on to the target; because of ttl=0 on the device, the device will send back an ICMP time exceeded message (I don't remember the code but Google surely knows). Because of UDP packets there needs to be a specified port (default is 33434) for the first outgoing packet, and it increments (+1) for the others, so the last packet is going to port 33434+hop_count-1. Of course you can use -p 53 to start on port 53; newer versions also have some option to not increment, so all traceroute packets will go on port 53 (which is DNS, and it's not a good idea to block this port).
All this is valid for tracert (unix traceroute).
Windows traceroute does the same but uses ICMP packets instead of UDP. So for Windows traceroute just block ICMP.
Unix tracert also has option -I which forces tracert to send ICMP, but as I said the default is UDP.

I hope this information will help you to do the best rules you need.

Also remember that there is the tcptraceroute utility which is using TCP SYN packets, and a real hacker will definitely use this one to map your network. And of course you are not able to do much against such a hacker...
Delrish
Trusted Contributor

Re: howto disable traceroute using IPTABLES ?

You should drop the connection to port number 33434. traceroute uses this port by default. Take a look at /etc/services.
g33k
Valued Contributor

Re: howto disable traceroute using IPTABLES ?

TO ALIREZ

Please read the tracert manual; 33434 is just the initial port.
Let's say I'm 3 hops away from the target (meaning 3 routers, firewalls, whatever layer 3 devices are between me and the target).
So the 1st UDP packet is ttl=1, ip_address of target, target port 33434
2nd UDP is ttl=2, ip_address of target, target port 33435
3rd UDP is ttl=3, ip_address of target, target port 33436
4th UDP is ttl=3, ip_address of target, target port 33437

As I said in my first reply, by default it is hop dependent....

Anyway, I can start on port 53, or if I know the hop count from a previous traceroute I can start so that it ends up on port 53.

ONE WAY TO MAKE YOUR NETWORK TRACEROUTE INVISIBLE IS TO DROP ALL OUTGOING ICMP TIME EXCEEDED MESSAGES.

So our target will receive the UDP packet on port 3346
'chris'
Super Advisor

Re: howto disable traceroute using IPTABLES ?

I'd like to block traceroute only from external.
From internal to external it should be allowed.
g33k
Valued Contributor

Re: howto disable traceroute using IPTABLES ?

OK, so as I said, no ICMP time exceeded messages should go out.
It means that the UDP packet from the source will reach the target, but there will be no answer from you...
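Added example, not part of the thread and not chris's script: the rules that follow g33k's advice (drop outgoing ICMP time exceeded on the outside interface) plus the two related cases the thread mentions, the hop-dependent UDP probe ports from g33k's explanation and the ICMP echo probes used by Windows tracert. They are meant to be appended to chris's script after the INPUT/FORWARD rules. The iptables path, the external interface name (eth0, taken from the script) and the UDP port range 33434:33523 are assumptions you can override through the environment; DRY_RUN prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: rules that keep an external traceroute
# from getting answers out of this gateway. Assumptions: iptables path, the
# external interface name (eth0, as in chris's script) and the probe port range.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
# traceroute probes start at UDP 33434 and the port goes up by one per probe
# (g33k's point), so a single-port rule misses every hop but the first.
# 33434:33523 covers 30 hops x 3 probes; widen it if you raise either.
TRACE_PORTS="${TRACE_PORTS:-33434:33523}"

# Run the command, or only print it when DRY_RUN is set, so the rules can be
# reviewed without root and without touching the live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

block_external_traceroute() {
    # 1. The ICMP time-exceeded reply for a probe that expired while being
    #    forwarded is generated by the gateway itself, so it leaves through
    #    OUTPUT, not FORWARD. Dropping it only on the external interface keeps
    #    internal traceroutes (eth1 side) working, which is what chris asked for.
    run "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP
    # 2. Probes whose TTL survives to the gateway are delivered locally. Drop
    #    them silently so no ICMP port-unreachable ends the trace. In chris's
    #    script the INPUT policy is already DROP; this rule makes the intent
    #    explicit and gives a counter to check with "iptables -L INPUT -v".
    run "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp --dport "$TRACE_PORTS" -j DROP
    # 3. Windows tracert (and unix traceroute -I) probe with ICMP echo instead
    #    of UDP; note the ICMP match selects by type, not by port.
    run "$IPTABLES" -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
}

# Number of rules the function emits; a quick self-check before applying.
rule_count() {
    DRY_RUN=1 block_external_traceroute | wc -l | tr -d ' '
}

# Usage: DRY_RUN=1 sh block_traceroute.sh   prints the three rules;
#        sh block_traceroute.sh (as root)   applies them.
if [ -n "$DRY_RUN" ]; then
    block_external_traceroute
fi
```

Of the three rules, the OUTPUT one is the piece chris's script lacks: his INPUT policy already drops the UDP and echo probes aimed at the gateway itself, but nothing stops the gateway from reporting expired probes that were in transit through it.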
Steven E. Protter
Exalted Contributor

Re: howto disable traceroute using IPTABLES ?

Hi again chris,

blocking the ICMP traffic on the two aforementioned ports will prevent denial of service attacks.

You can also talk to your ISP and get traceroute stopped more effectively several hops before it gets to you. Many already do this to protect their networks.

SEP
g33k
Valued Contributor

Re: howto disable traceroute using IPTABLES ?

Steven FYI:

See this http://www.networksorcery.com/enp/protocol/icmp.htm

Ports are used only by TCP and UDP...

You can also see man iptables; there it is also mentioned that ports are used only by TCP and UDP.