Traceroutes time out after turning on an iptables firewall

On many of the firewalls that I administer, the machine fails to respond to a traceroute. The traceroute would get the entire way to the host, and then fail to respond when it hit the host. I have messed with this on and off for a while, and finally came up with the problem and a solution.

First, I tried to make sure that the firewall was open to receive ICMP packets. I use these command to permit a few specific ICMP types:

## Accept ICMP Echo-Reply, Echo-Request, and Time-Exceeded packets
iptables -A INPUT -s 0/0 -d 0/0 -p icmp –icmp-type 0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p icmp –icmp-type 8 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p icmp –icmp-type 11 -j ACCEPT

However, just enabling those didn’t allow traceroutes to work correctly. There is also an ICMP type 30 for traceroute, but enabling that never got it working for me

So, I had to dig a little deeper into how traceroute works. What it does, is send a UDP packet to a port that it doesn’t expect to be open. The host then should send an ICMP ‘Unreachable’ packet back to the originating machine.

Turns out that the firewall rules that I was using blocked all incoming UDP requests (unless they were specifically allowed). This made it so that the machine never received the UDP request because the firewall blocked it.

Most traceroute implementations start sending requests on UDP port 33441, and then increment the port number sequentially for each one that it sends out. So I added this firewall rule to allow these packets through:

## Allow traceroutes, which send a packet to a UDP port in this general range
iptables -A INPUT -s 0/0 -p udp –destination-port 33441:33500 -j ACCEPT

Now those UDP packets get accepted and the machine properly replies with the ICMP packet like it should.

2 thoughts on “Traceroutes time out after turning on an iptables firewall”

  1. Good post Brandon…

    Does this rule you added open the ports specified for udp or just effectively allow communication to them, but keeping them closed?

    ## Allow traceroutes, which send a packet to a UDP port in this general range
    iptables -A INPUT -s 0/0 -p udp –destination-port 33441:33500 -j ACCEPT

  2. The rule just stops the firewall from dropping the packets before they get to the kernel. Since there is nothing listening on the ports, it will then reply with the ICMP ‘port unreachable’ packet as it normally would.

Leave a Reply

Your email address will not be published.