There is a LOT of bogus half-correct information about traceroutes and iptables floating around out there. It took me a bit of sifting through it all to figure out the real deal and the best way to allow traceroutes without negatively impacting security this morning, so here’s some documentation in case I forget before the next time.
Traceroute from Windows machines typically uses ICMP Type 8 packets. Traceroute from Unixlike machines typically uses UDP packets with sequentially increasing destination ports, from 33434 to 33534. So your server (the traceroute destination) must not drop incoming ICMP Type 8 or UDP 33434:33534.
Here’s where it gets tricky: it really doesn’t need to accept those packets either, which the vast majority of sites addressing this issue recommends. It just needs to be able to reject them, which won’t happen if they’re being dropped. If you implement the typical advice – accepting those packets – traceroute basically ends up sort of working by accident: those ports shouldn’t be in use by any running applications, and since nothing is monitoring them, the server will issue an ICMP Type 3 response (destination unreachable). However, if you’re accepting packets to these ports, then a rogue application listening on those ports also becomes reachable – which is the sort of thing your firewall should be preventing in the first place.
The good news is, DROP and ACCEPT aren’t your only options – you can REJECT these packets instead, which will do exactly what we want here: allow traceroutes to work properly without also potentially enabling some rogue application to listen on those UDP ports.
So all you really need on your server to allow incoming traceroutes to work properly is:
# allow ICMP Type 8 (ping, ICMP traceroute) -A INPUT -p icmp --icmp-type 8 -j ACCEPT # enable UDP traceroute rejections to get sent out -A INPUT -p udp --dport 33434:33523 -j REJECT
Note: you may very well need and/or want more ICMP functionality than this in general – but this is all you need for incoming traceroutes to complete properly.