HPE Community
Operating System - Linux
1822549 Members
3034 Online
109642 Solutions
New Discussion юеВ

howto disable traceroute using IPTABLES ?

 
SOLVED
Go to solution
'chris'
Super Advisor

тАО08-15-2006 11:28 AM

тАО08-15-2006 11:28 AM

howto disable traceroute using IPTABLES ?

hi

on my ipsec gateway (debian stable) I have the following firewall script:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.114.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.20.0.0/8"
IPTABLES="/sbin/iptables"

$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

# in case of stop

#case $1 in

# stop )

#$IPTABLES -P INPUT ACCEPT
#$IPTABLES -P FORWARD ACCEPT
#$IPTABLES -P OUTPUT ACCEPT

#exit0

#;;

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.10

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP




howto add additional IPTABLES entry to disable traceroute ?

kind regards
chris
0 Kudos
Reply
12 REPLIES 12
Alexander Samad
Frequent Advisor

тАО08-15-2006 01:50 PM

тАО08-15-2006 01:50 PM

Solution

Re: howto disable traceroute using IPTABLES ?

Hi

you do not need

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT

as related or established packet never make it to the nat table again after the inital packet.

if memory serves me correctly tracert is done by setting the ttl of each packet to 1 then to 2 etc etc and each router on the path send back an icmp (not sure which one) to advise the packet died in transit.

You could filter out the outbound packets, but there are tcp tracert programs and of course udp (this is the default type ). haven't read the rfc lately to remember if there is a predefined port so you could block outbound UDP. You could just block all outbound UDP, except for the ones you want like 53

The other approach is to block the return information, the icmp.

All depends on why your trying to block it.

But basic firewall primciple, block all and only specifically allow what you want.


Reply
Steven E. Protter
Exalted Contributor

тАО08-15-2006 04:58 PM

тАО08-15-2006 04:58 PM

Re: howto disable traceroute using IPTABLES ?

Shalom,

Block ports 8 and 11 and ping and traceroute will no longer work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
g33k
Valued Contributor

тАО08-15-2006 07:49 PM

тАО08-15-2006 07:49 PM

Re: howto disable traceroute using IPTABLES ?

as Alex already said...

traceroute sends UDP packets with ttl=1 to get first layer3 device on route ttl=2 to get second and and so one to the target, because of ttl=0 on device device will send back ICMP message time exceeded(I don't remember the code but google surely knows). Becuase of UDP packets there need to be specified port(default is 33434) for first outgoing packet and increments(+1)others so last packet is is going to port 33434+hop_count-1. Ofcourse you can use -p 53 to start on port 53, newer version have also some option to not increment, so all traceroute packets will go on port 53(which is DNS and it's not good idea to block this port).
All this is valid for tracert(unix traceroute).
Windows traceroute do the same but do use ICMP packets instead of UDP. So for windows traceroute just block ICMP.
Unix tracert have also option -I which force tracert to send ICMP, but as I said default is UDP.

I hope this information will help you to do the best rules you need.

Also rememebre that there is tcptraceroute utility which is using TCP SYN packets and real hacker will definitly use this one to map your network. And of course you are not able to do much against such hacker...
Reply
Delrish
Trusted Contributor

тАО08-15-2006 08:34 PM

тАО08-15-2006 08:34 PM

Re: howto disable traceroute using IPTABLES ?

You should drop the connection to port number 33434. traceroute uses this port by default.take a look at /etc/services.
Reply
g33k
Valued Contributor

тАО08-15-2006 09:53 PM

тАО08-15-2006 09:53 PM

Re: howto disable traceroute using IPTABLES ?

TO ALIREZ

pls. read tracert manual 33434 is just initial port.
Let's say I'm 3 hops away from target.(Mean 3 routers, firewalls, whatever Layer 3 device are between me and target).
So 1st UDP packet is ttl=1, ip_adress of target, target port 33434
2nd UDP is ttl=2 ip_adress of target, target port 33435
3rd UDP is ttl=3 ip_adress of target, target port 33436
4th UDP is ttl=3 ip_adress of target, target port 33437

as I said in my first replay default it hop dependent....

anyway I can start on port 53 or if I know hop count from previes tracerout I can start that it ends up on port 53.

ONE WAY TO MAKE YOU NETWORK TRACEROUTE INVISIBLE IS DROP ALL OUTGOING ICMP TIME EXCEEDED MESSAGES.

so our target will reciev UDP packet on port 3346
Reply
'chris'
Super Advisor

тАО08-15-2006 10:41 PM

тАО08-15-2006 10:41 PM

Re: howto disable traceroute using IPTABLES ?

I'd like to block traceroute only from external.
from internal to external should be allowed.
0 Kudos
Reply
g33k
Valued Contributor

тАО08-15-2006 11:20 PM

тАО08-15-2006 11:20 PM

Re: howto disable traceroute using IPTABLES ?

OK so as I said no ICMP time exceeded messages shuoldn't go out.
It means that UDP packet from source will reach the target, but there will be no answer from you...
Reply
Steven E. Protter
Exalted Contributor

тАО08-16-2006 01:55 AM

тАО08-16-2006 01:55 AM

Re: howto disable traceroute using IPTABLES ?

Hi again chris,

blocking the icmp traffic on the two afrementioned ports will prevent denial of service attacks.

You can also talk to your ISP and get traceroute stopped more effectively several hops before it gets to you. Many already do this to protect their networks.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
g33k
Valued Contributor

тАО08-16-2006 02:04 AM

тАО08-16-2006 02:04 AM

Re: howto disable traceroute using IPTABLES ?

Steven FYI:

See this http://www.networksorcery.com/enp/protocol/icmp.htm

Ports are using only by TCP and UDP...

You can also see man iptables there is also mentioned that prots are using only by TCP and UDP.

Reply
'chris'
Super Advisor

тАО08-16-2006 03:32 AM

тАО08-16-2006 03:32 AM

Re: howto disable traceroute using IPTABLES ?

sorry for the wrong information and thanks to all.

the traceroute will be blocked with this firewall script, because ICMP is blocked.

the traceroute works only to my default gateway.
I'll contact the provider to prevent that.
0 Kudos
Reply
'chris'
Super Advisor

тАО08-16-2006 11:12 AM

тАО08-16-2006 11:12 AM

Re: howto disable traceroute using IPTABLES ?

maybe for a little be more security,
I should add a rule that sends ICMP Type 11 (time exceeded) packets to DROP...
there's also some traceroutes that use UDP instead of ICMP

knows someone how it should work and can post a code pls ?
0 Kudos
Reply
g33k
Valued Contributor

тАО08-16-2006 07:12 PM

тАО08-16-2006 07:12 PM

Re: howto disable traceroute using IPTABLES ?

$IPTABLES -A OUTPUT -i $EXT_IF -p ICMP --icmp-type 11 -j DROP

this rules should drop all outgoing ICMP time exceed packet.

firewall than will act like this no matter what source station OS have (No matter if it use TCP packets, UDP or ICMP), it will get the packet form source but will not send ICMP time exceeded back to source.

so on traceroute out put there wil be something like this

attacker gate way
his ISP gateway
some routers in internet
your ISP gateway
some of your ISP routers
your firewall(but insted of your firewall there will be just some astersik)

if you ask your ISP to block ICMP 11 message it will be more better, like this

attacker gate way
his ISP gateway
some routers in internet
*** *** ***
*** *** ***
*** *** ***

so attacker don't know the route through your ISP network
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.