


  1. #1
    snakerj
    Visitor

    traceroute!!! help!!! how to block


    I want to block traceroute for my clients!!!
    I'm using this rule on my firewall!

    iptables -A INPUT -p udp -s 0/0 -i eth+ --dport 33435:33525 -j DROP
    iptables -A FORWARD -p udp -s 0/0 -i eth+ --dport 33435:33525 -j DROP
    iptables -A INPUT -p udp -s 0/0 -i ppp0 --dport 33435:33525 -j DROP
    iptables -A FORWARD -p udp -s 0/0 -i ppp0 --dport 33435:33525 -j DROP

    but I can still run traceroute!!!


    Help

  2. #2

    traceroute!!! help!!! how to block

    It doesn't necessarily use those ports; basically traceroute can use ICMP/UDP/TCP, there are several techniques. Well, we can pick up a few, from the FreeBSD traceroute man page:

    DESCRIPTION
    The Internet is a large and complex aggregation of network hardware,
    connected together by gateways. Tracking the route one's packets follow
    (or finding the miscreant gateway that's discarding your packets) can be
    difficult. Traceroute utilizes the IP protocol `time to live' field and
    attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along
    the path to some host.

    -I  Use ICMP ECHO instead of UDP datagrams. (A synonym for "-P icmp").

    -P  Send packets of specified IP protocol. The currently supported
        protocols are: UDP, TCP, GRE and ICMP. Other protocols may also be
        specified (either by name or by number), though traceroute does not
        implement any special knowledge of their packet formats. This option
        is useful for determining which router along a path may be blocking
        packets based on IP protocol number. But see BUGS below.

    -p  Protocol specific. For UDP and TCP, sets the base port number used in
        probes (default is 33434). Traceroute hopes that nothing is listening
        on UDP ports base to base + nhops - 1 at the destination host (so an
        ICMP PORT_UNREACHABLE message will be returned to terminate the route
        tracing). If something is listening on a port in the default range,
        this option can be used to pick an unused port range.

    -v  Verbose output. Received ICMP packets other than TIME_EXCEEDED and
        UNREACHABLEs are listed.

    This program attempts to trace the route an IP packet would follow to
    some internet host by launching UDP probe packets with a small ttl
    (time to live) then listening for an ICMP "time exceeded" reply from a
    gateway. We start our probes with a ttl of one and increase by one
    until we get an ICMP "port unreachable" (which means we got to "host")
    or hit a max (which defaults to net.inet.ip.ttl hops & can be changed
    with the -m flag). Three probes (change with -q flag) are sent at each
    ttl setting and a line is printed showing the ttl, address of the
    gateway and round trip time of each probe. If the probe answers come
    from different gateways, the address of each responding system will be
    printed. If there is no response within a 5 sec. timeout interval
    (changed with the -w flag), a "*" is printed for that probe.

    We don't want the destination host to process the UDP probe packets so
    the destination port is set to an unlikely value (if some clod on the
    destination is using that value, it can be changed with the -p flag).

    I think that's basically what you need to know about traceroute, and that it won't be a single iptables line that blocks all the "smart users" who can run traceroute. Still, the vital point is mostly the first through third paragraphs, but I believe it's worth reading all of my quotes.
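The port arithmetic from the man page above, as an added example that is not part of this thread: a POSIX shell script that computes the UDP probe ports a traceroute run will use from the base port and the number of probe ports, then checks whether an iptables --dport LO:HI range covers all of them. The function names, the 30-hop count and the assumption that the firewall is the probes' destination are mine. The FreeBSD man page gives one port per hop (base to base + nhops - 1); some traceroute implementations increment the port once per probe instead, so for those pass hops x queries as the count.

```shell
#!/bin/sh
# Added example, not from the thread. Uses the FreeBSD man page rule quoted
# above: probes go to UDP ports base .. base + nprobes - 1 (default base 33434).

# probe_port_range BASE NPROBES -> prints "FIRST LAST"
probe_port_range() {
    base=$1
    nprobes=$2
    echo "$base $((base + nprobes - 1))"
}

# rule_covers LO HI BASE NPROBES
# Exit status 0 when an iptables "--dport LO:HI" match covers every probe
# port, 1 otherwise; prints the uncovered ports so the gap is visible.
rule_covers() {
    lo=$1; hi=$2; base=$3; nprobes=$4
    set -- $(probe_port_range "$base" "$nprobes")
    first=$1; last=$2
    missing=""
    p=$first
    while [ "$p" -le "$last" ]; do
        if [ "$p" -lt "$lo" ] || [ "$p" -gt "$hi" ]; then
            missing="$missing $p"
        fi
        p=$((p + 1))
    done
    if [ -n "$missing" ]; then
        echo "uncovered:$missing"
        return 1
    fi
    echo "covered"
}

# Thread values: default base 33434, 30 hops, rule "--dport 33435:33525"
rule_covers 33435 33525 33434 30 || echo "the first probe port slips past the rule"
# Same rule against an implementation that uses one port per probe (30 hops x 3 queries)
rule_covers 33435 33525 33434 90 || true
```

With the thread's values the first probe port, 33434, is reported as uncovered, so even at the destination the rule does not match every probe. The larger point from the man page description is that every gateway on the path answers the expiring probe with ICMP TIME_EXCEEDED on its own, so a port filter at the destination only affects the final hop of what the client sees.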

  3. #3
    snakerj
    Visitor

    traceroute!!! help!!! how to block

    Do you have this as commands?
    Can you post the lines here!???
    I'll add them to my firewall.



    Quote, originally posted by mistymst:
    It doesn't necessarily use those ports; basically traceroute can use ICMP/UDP/TCP, there are several techniques. Well, we can pick up a few, from the FreeBSD traceroute man page:


  4. #4

    traceroute!!! help!!! how to block

    Man, I set this configuration and that way I blocked pings and tracerts (my internal network is M$) going out.

    Code:
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    Give it a try and see if it solves your case.

    Oh, and this is Debian Sarge here, so there may be differences.

  5. #5
    eric_lc
    Visitor

    traceroute!!! help!!! how to block

    An interesting way to block traceroutes is to block packets that have a low TTL. This can be done in the iptables mangle table.

    Do the following:

    iptables -t mangle -I INPUT -m ttl --ttl-lt 20 -j DROP
    iptables -t mangle -I FORWARD -m ttl --ttl-lt 20 -j DROP

    This will block packets with a TTL lower than 20 that are destined to your firewall or routed through it.
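To see what the TTL rule above actually matches, here is an added example that is not from this thread: a small first-match evaluator in POSIX shell that applies the mangle TTL rule, followed by the original poster's UDP port rule, to a few constructed packets. The rule-table format, the packet descriptions, the ACCEPT default policy and the restriction to matching only protocol, destination port and TTL are my simplifications of how iptables evaluates a chain.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates first-match evaluation of the
# two rule types discussed here against constructed packets, so the effect
# of "-m ttl --ttl-lt 20" can be seen without touching a real firewall.

# Rules in evaluation order: "proto dport_lo dport_hi ttl_lt verdict".
# "any" means that field is not matched. Constructed from the thread's rules:
#   iptables -t mangle -I INPUT -m ttl --ttl-lt 20 -j DROP
#   iptables -A INPUT -p udp --dport 33435:33525 -j DROP
RULES='any any any 20 DROP
udp 33435 33525 any DROP'

# verdict PROTO DPORT TTL -> prints DROP or ACCEPT (default policy ACCEPT)
verdict() {
    proto=$1; dport=$2; ttl=$3
    result=$(printf '%s\n' "$RULES" | while read -r rproto lo hi ttl_lt action; do
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        if [ "$lo" != any ]; then
            [ "$dport" -ge "$lo" ] && [ "$dport" -le "$hi" ] || continue
        fi
        if [ "$ttl_lt" != any ]; then
            [ "$ttl" -lt "$ttl_lt" ] || continue
        fi
        echo "$action"
        break
    done)
    echo "${result:-ACCEPT}"
}

# Constructed packets as seen arriving at the firewall: "proto dport ttl".
# A probe aimed at the firewall itself arrives with TTL 1 whatever protocol
# traceroute was told to use; the last two are ordinary client traffic.
for pkt in "udp 33434 1" "icmp 0 1" "tcp 80 1" "udp 33434 50" "tcp 443 19" "tcp 443 45"; do
    set -- $pkt
    printf '%-5s dport=%-6s ttl=%-3s -> %s\n' "$1" "$2" "$3" "$(verdict "$1" "$2" "$3")"
done
```

The low-TTL rule drops every probe type at the firewall, UDP, ICMP echo and TCP alike, because what identifies a probe there is its expiring TTL, not its port. The same rule also drops any legitimate packet that happens to arrive with a TTL below 20 (the "tcp 443 19" case), and it does nothing about the gateways upstream of the firewall, which keep answering TIME_EXCEEDED for the earlier hops.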

  6. #6

    traceroute!!! help!!! how to block

    Sorry for the dumb question...
    but... why block traceroute???

  7. #7

    traceroute!!! help!!! how to block

    Quote, originally posted by Marcio68Almeida:
    Sorry for the dumb question...
    but... why block traceroute???
    Good one.

  8. #8
    snakerj
    Visitor

    why?

    Because I set up a condominium and didn't get a dedicated link but the commercial Velox instead, since it's much cheaper!
    But I don't want the clients to know it's Velox;
    if a client runs a traceroute they'll see it goes through veloxzone!

    Quote, originally posted by Marcio68Almeida:
    Sorry for the dumb question...
    but... why block traceroute???