How to enable traceroute on a Linux machine

I am working on something at the transport layer. After applying our custom protection policy, I can no longer run traceroute from the Linux machine:

    root@keystone-evm:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:echo
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:isakmp
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:radius
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:ntp
    ACCEPT     icmp --  anywhere             10.222.4.212
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:domain
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootpc
    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootps
    ACCEPT     123  --  anywhere             10.222.4.212
    DROP       all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             anywhere             udp spts:33434:33524 state NEW,RELATED,ESTABLISHED

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:echo
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:isakmp
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:radius
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:ntp
    ACCEPT     icmp --  10.222.4.212         anywhere
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:domain
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:bootpc
    ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:bootps
    ACCEPT     123  --  10.222.4.212         anywhere
    DROP       all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33524 state NEW
    root@keystone-evm:~# traceroute 10.222.4.100
    traceroute to 10.222.4.100 (10.222.4.100), 30 hops max, 38 byte packets
     1  traceroute: sendto: Operation not permitted

These are the commands I issued to enable traceroute:

  • iptables -A OUTPUT -o eth0 -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT
  • iptables -A INPUT -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

First: the iptables -A command appends the new rule at the end of the chain. Such rules are only processed after the last rule already in the chain. But that never happens, because the last rule already filters everything out! You need to put these rules before that last rule, which can be done with iptables' -I <n> flag.

Second: traceroute sends ICMP packets, just like ping. It is essentially a ping that tries to obtain the list of remote network nodes on the way to the target machine by sending packets with a low but increasing TTL field.

I don't know where you got this udp/33434 thing from. If you want traceroute, enable ICMP, without any port.

Third: (this looks a bit like a reaction) it seems that sometimes traceroute does not only use plain ICMP packets but UDP or even TCP packets. There is even a tool called tcptraceroute that does the latter in a very nicely configurable way. If you are unsure, check with strace and tcpdump what traceroute actually needs in order to communicate, and enable at least that port.
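As an added example (not code from any of the answers above): the first point, that `-A` appends after the catch-all DROP so the new rules are never reached, can be checked mechanically before touching the firewall. The script below parses an `iptables -L INPUT --line-numbers` listing, locates the "DROP all anywhere anywhere" rule, lists any rules shadowed by it, and prints (rather than executes) the `iptables -I <chain> <n>` command that would place the question's traceroute rule in front of the DROP. The listing is constructed from the INPUT chain in the question; the interface name eth0 and the port range 33434:33524 are taken from the question's own commands.

```sh
#!/bin/sh
# Added example. Finds where a catch-all "DROP all -- anywhere anywhere" rule
# sits in an iptables chain listing so that new rules can be inserted in front
# of it with `iptables -I <chain> <n>`.
# The listing below is constructed from the INPUT chain in the question, in the
# layout `iptables -L INPUT --line-numbers` prints.

SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:echo
2    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:isakmp
3    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:radius
4    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:ntp
5    ACCEPT     icmp --  anywhere             10.222.4.212
6    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:domain
7    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootpc
8    ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootps
9    ACCEPT     123  --  anywhere             10.222.4.212
10   DROP       all  --  anywhere             anywhere
11   ACCEPT     udp  --  anywhere             anywhere             udp spts:33434:33524 state NEW,RELATED,ESTABLISHED'

# catchall_drop_position LISTING
# Prints the rule number of the first "DROP all anywhere anywhere" rule,
# or nothing if the chain has no such rule.
catchall_drop_position() {
    printf '%s\n' "$1" | awk '
        $2 == "DROP" && $3 == "all" && $5 == "anywhere" && $6 == "anywhere" { print $1; exit }'
}

# unreachable_rules LISTING
# Prints the rule numbers of every rule placed after the catch-all DROP.
# Packets never reach them, which is why `iptables -A` had no visible effect.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        seen && $1 ~ /^[0-9]+$/ { print $1 }
        $2 == "DROP" && $3 == "all" && $5 == "anywhere" && $6 == "anywhere" { seen = 1 }'
}

# traceroute_insert_commands CHAIN LISTING
# Emits (does not run) the iptables command that inserts the traceroute rule
# from the question directly in front of the catch-all DROP of CHAIN.
traceroute_insert_commands() {
    chain=$1
    pos=$(catchall_drop_position "$2")
    if [ -z "$pos" ]; then
        pos=1   # no catch-all DROP: inserting at the top is still safe
    fi
    case $chain in
        OUTPUT) echo "iptables -I OUTPUT $pos -o eth0 -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT" ;;
        INPUT)  echo "iptables -I INPUT $pos -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" ;;
    esac
}

# Stand-alone run: show the diagnosis for the sample chain.
echo "catch-all DROP is rule $(catchall_drop_position "$SAMPLE_INPUT_CHAIN")"
echo "rules shadowed by it: $(unreachable_rules "$SAMPLE_INPUT_CHAIN" | tr '\n' ' ')"
traceroute_insert_commands INPUT "$SAMPLE_INPUT_CHAIN"
```

On the question's chain this reports the DROP at rule 10, rule 11 (the appended traceroute rule) as shadowed, and the corrected command `iptables -I INPUT 10 ...`. Feed it the live output of `iptables -L INPUT --line-numbers` to check a real chain; nothing in the script modifies the firewall.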

Thanks for all the input.

I came up with a shell script that does this job for me. I believe it will be helpful for other users as well. Please note the local machine IP and make the necessary changes accordingly.

    #!/bin/sh
    echo "Enabling Traceroute..."

    # Outbound UDP traffic policy: traceroute's UDP probes out, their
    # state-tracked replies back in (-I inserts ahead of the catch-all DROP)
    iptables -I OUTPUT -o eth0 -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT
    iptables -I INPUT -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Inbound ICMP traffic policy: type 3 code 3 (port unreachable) is the
    # final reply from the target, type 11 (time exceeded) comes from each hop
    iptables -I INPUT -p icmp --icmp-type 3/3 -d 10.222.4.212 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT -p icmp --icmp-type 11 -d 10.222.4.212 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

None of the existing answers explain how to allow inbound traceroute; the accepted answer does not even try to answer the question.

From man 8 traceroute we can see that:

  • UDP is the default traceroute mechanism on Linux
  • traceroute expects an "ICMP unreachable" message in response to its probes
  • the trace starts at port 33434 and increments by one for each hop

Meanwhile, Microsoft confirms that Windows uses "ICMP Echo Request" in its implementation.

So here is the answer for making a host handle inbound traceroute correctly: add a rule that rejects (not drops) traffic on UDP ports 33434-33474, and reply to echo requests.

    iptables -I INPUT -p udp --dport 33434:33474 -j REJECT
    iptables -I INPUT -p ICMP --icmp-type echo-request -j ACCEPT

For the record, an excerpt from the man page:

    LIST OF AVAILABLE METHODS
           In general, a particular traceroute method may have to be chosen by
           -M name, but most of the methods have their simple cmdline switches
           (you can see them after the method name, if present).

       default
           The traditional, ancient method of tracerouting. Used by default.

           Probe packets are udp datagrams with so-called "unlikely" destination
           ports. The "unlikely" port of the first probe is 33434, then for each
           next probe it is incremented by one. Since the ports are expected to
           be unused, the destination host normally returns "icmp unreach port"
           as a final response. (Nobody knows what happens when some application
           listens for such ports, though).

           This method is allowed for unprivileged users.

       icmp -I
           Most usual method for now, which uses icmp echo packets for probes.
           If you can ping(8) the destination host, icmp tracerouting is
           applicable as well.

       tcp -T
           Well-known modern method, intended to bypass firewalls.
           Uses the constant destination port (default is 80, http).
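As an added example (not code from the answer above): the two requirements this answer states for inbound traceroute, a REJECT (not DROP) for the UDP probe ports so the tracing host receives "icmp unreach port", and an ACCEPT for ICMP echo-request for Windows-style traces, can be audited on an `iptables-save` dump of the INPUT chain, together with the ordering caveat from the first answer (both rules must sit above any catch-all DROP). The three dumps are constructed: the question's original chain, the same two rules wrongly appended after the DROP, and the chain after this answer's `iptables -I` commands. The `iptables-save` line layout is assumed from how that tool prints rules (echo-request appears as numeric type 8, REJECT carries its default `--reject-with`); port range and host come from the page.

```sh
#!/bin/sh
# Added example. Audits an INPUT chain in `iptables-save` format for what an
# inbound traceroute needs: a REJECT for the UDP probe ports (so the tracer
# gets ICMP port-unreachable back) and an ACCEPT for ICMP echo-request, both
# placed before any catch-all DROP. All dumps below are constructed.

# The question's chain: the catch-all DROP shadows the appended UDP rule and
# nothing rejects the probes, so they are silently dropped.
BEFORE='-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --sport 33434:33524 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# The answer's rules added with -A instead of -I: correct rules, wrong place.
WRONG_ORDER='-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 33434:33474 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# After the answer's two `iptables -I INPUT` commands (inserted at the top).
AFTER='-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33474 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP'

# rule_index DUMP REGEX
# Prints the 1-based position of the first INPUT rule matching REGEX
# (awk extended regex), or 0 when no rule matches.
rule_index() {
    printf '%s\n' "$1" | awk -v re="$2" '
        /^-A INPUT/ { n++; if ($0 ~ re) { found = n; exit } }
        END { print found + 0 }'
}

# inbound_traceroute_audit DUMP
# Prints "ok", or a space-separated list of problems found.
inbound_traceroute_audit() {
    dump=$1
    drop=$(rule_index "$dump" '^-A INPUT -j DROP$')
    reject=$(rule_index "$dump" '-p udp .*--dport 33434:[0-9]+ -j REJECT')
    # Any "-p icmp -j ACCEPT" already lets echo-request through, as does an
    # explicit type 8 / echo-request match.
    echo_req=$(rule_index "$dump" '-p icmp( -m icmp --icmp-type (8|echo-request))? -j ACCEPT')
    if [ "$drop" -eq 0 ]; then
        drop=999999   # no catch-all DROP: nothing can shadow the rules
    fi
    problems=
    if [ "$reject" -eq 0 ]; then
        problems="$problems udp-probes-not-rejected"
    elif [ "$reject" -gt "$drop" ]; then
        problems="$problems udp-reject-after-drop"
    fi
    if [ "$echo_req" -eq 0 ]; then
        problems="$problems echo-request-not-accepted"
    elif [ "$echo_req" -gt "$drop" ]; then
        problems="$problems echo-request-after-drop"
    fi
    if [ -z "$problems" ]; then
        echo ok
    else
        echo "${problems# }"
    fi
}

# Stand-alone run: audit the three constructed chains.
for name in BEFORE WRONG_ORDER AFTER; do
    eval dump=\$$name
    echo "$name: $(inbound_traceroute_audit "$dump")"
done
```

Run against a live host with `inbound_traceroute_audit "$(iptables-save | grep '^-A INPUT')"`; the audit only reads the dump and changes nothing. Note that a matching REJECT placed after the DROP is reported separately from a missing one, since that is exactly the `-A` versus `-I` mistake the first answer describes.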