I am working on a few things at the transport layer, and since running a custom policy to secure the box I have been unable to run traceroute on the Linux machine.
root@keystone-evm:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:echo
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:isakmp
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:radius
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:ntp
ACCEPT     icmp --  anywhere             10.222.4.212
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:domain
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootpc
ACCEPT     udp  --  anywhere             10.222.4.212         udp dpt:bootps
ACCEPT     123  --  anywhere             10.222.4.212
DROP       all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spts:33434:33524 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:echo
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:isakmp
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:radius
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:ntp
ACCEPT     icmp --  10.222.4.212         anywhere
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:domain
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:bootpc
ACCEPT     udp  --  10.222.4.212         anywhere             udp dpt:bootps
ACCEPT     123  --  10.222.4.212         anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33524 state NEW
root@keystone-evm:~# traceroute 10.222.4.100
traceroute to 10.222.4.100 (10.222.4.100), 30 hops max, 38 byte packets
 1 traceroute: sendto: Operation not permitted

Below are the commands I issued to enable traceroute:

iptables -A OUTPUT -o eth0 -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Posted on 2014-08-26 12:37:40
Thanks for all the input.

I came up with a shell script that does this for me. I believe it will help other users carry out this task as well. Note the local machine IP; please make the necessary changes accordingly.

#!/bin/sh
echo "Enabling Traceroute..."
# Outbound UDP traffic policy (the default traceroute probe method)
iptables -I OUTPUT -o eth0 -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT
iptables -I INPUT -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound ICMP traffic policy: port-unreachable (type 3, code 3) from the target,
# time-exceeded (type 11) from the intermediate hops
iptables -I INPUT -p icmp --icmp-type 3/3 -d 10.222.4.212 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p icmp --icmp-type 11 -d 10.222.4.212 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Posted on 2016-06-06 20:03:32
We can see from man 8 traceroute:

traceroute expects an "ICMP unreachable" message in response to its queries. Meanwhile, Microsoft confirms that Windows uses "ICMP echo request" in its implementation.

So this is the answer that allows the host both to handle inbound traces correctly and to perform outbound ones. Add a rule that rejects (rather than drops) traffic on UDP ports 33434-33474 and replies to echo requests, and if outbound traffic is restricted, also allow the matching outbound packets.

# reject (not drop) packets for inbound traceroutes from Linux boxes
iptables -I INPUT -p udp --dport 33434:33474 -j REJECT
# accept ping requests for Windows-style traceroutes
iptables -I INPUT -p ICMP --icmp-type echo-request -j ACCEPT
# allow ping responses for Windows-style traceroutes
iptables -I OUTPUT -p ICMP --icmp-type echo-reply -j ACCEPT
# allow the server to perform its own traceroutes
iptables -I OUTPUT -p udp --dport 33434:33474 -j ACCEPT

For the record, the excerpt from the man page follows:
LIST OF AVAILABLE METHODS
In general, a particular traceroute method may have to be chosen by -M name, but
most of the methods have their simple cmdline switches (you can see them after the
method name, if present).

default
The traditional, ancient method of tracerouting. Used by default.
Probe packets are udp datagrams with so-called "unlikely" destination ports. The
"unlikely" port of the first probe is 33434, then for each next probe it is incremented
by one. Since the ports are expected to be unused, the destination host normally
returns "icmp unreach port" as a final response. (Nobody knows what happens
when some application listens for such ports, though).
This method is allowed for unprivileged users.

icmp -I
Most usual method for now, which uses icmp echo packets for probes.
If you can ping(8) the destination host, icmp tracerouting is applicable as well.

tcp -T
Well-known modern method, intended to bypass firewalls.
Uses the constant destination port (default is 80, http).

Posted on 2014-08-26 09:08:56
First: the iptables -A command appends new rules after the current end of the chain. They are only processed after the last rule already in your chain. But that never happens, because the last rule already filters everything out! You need to put these commands before that last rule, which you can do with iptables' -I <n> flag.

Second: traceroute works by sending ICMP packets, just like ping. It is essentially a ping that tries to obtain the list of remote network nodes on the way to the target machine by sending packets with a low but steadily increasing TTL field.

I don't know where you got this udp/33434 thing from. If you want traceroute, enable ICMP; it has no ports.

Third: (in response to the comment) it seems that sometimes traceroute uses not only plain ICMP packets but also UDP or even TCP packets. There is even a tool called tcptraceroute that does the latter in a very nicely configurable way. If you are unsure, check with strace or tcpdump where your traceroute actually wants to communicate, and enable at least that port.
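The following is an added example and not code from any of the posts in this thread. It ties together the ordering point made in this answer (a rule appended with -A after the blanket DROP is never reached; it has to be inserted in front of the DROP with -I <n>) and the rule sets from the two answers above (accept outbound UDP probes plus the ICMP time-exceeded and port-unreachable replies, and REJECT rather than DROP inbound probes). Rather than inserting blindly at position 1 the way the accepted script does, it computes the rule number of the first catch-all DROP from an `iptables -S` dump and prints the commands positioned there; it also skips rules that are already present, so a re-run does not stack duplicates. The chain dumps are constructed samples shaped like the chains in the question, the address 10.222.4.212 and interface eth0 are taken from the question, and the exact text `iptables -S` prints for a rule is an assumption written into the comparison strings. On a real host you would pass "$(iptables -S INPUT)" and "$(iptables -S OUTPUT)" and pipe the printed commands into sh as root.

```shell
#!/bin/sh
# Added example: compute where a rule must be inserted so it sits in front of the
# blanket "-j DROP", and print (rather than run) the resulting iptables commands.

# Constructed dumps in `iptables -S` syntax, cut down to the shape of the chains in the
# question: a few accepts, a catch-all DROP, and the traceroute rule appended after it.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -d 10.222.4.212/32 -p udp -m udp --dport 7 -j ACCEPT
-A INPUT -d 10.222.4.212/32 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --sport 33434:33524 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

SAMPLE_OUTPUT_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT -s 10.222.4.212/32 -p udp -m udp --dport 7 -j ACCEPT
-A OUTPUT -s 10.222.4.212/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT'

# Read a chain dump on stdin and print the 1-based number of the first rule that is a
# catch-all DROP/REJECT (no match options between the chain name and -j). iptables
# numbers rules from 1 and `-I CHAIN N` inserts before the rule currently at N, so this
# is the position to use. With no blanket drop, print count+1, which is the same as -A.
first_blanket_drop_index() {
    grep -E '^-A ' | awk '
        /^-A [^ ]+ -j (DROP|REJECT)( |$)/ { print NR; found = 1; exit }
        END { if (!found) print NR + 1 }'
}

# Succeed if the dump already contains the rule in exactly the form `iptables -S` prints
# (assumed canonical form, spelled out by the callers below). This is the offline
# counterpart of `iptables -C` and keeps a re-run from stacking duplicate rules.
rule_present() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Print the commands that open the traceroute paths for local address $3 on interface $4,
# given the INPUT dump $1 and the OUTPUT dump $2.
emit_traceroute_rules() {
    in_dump=$1; out_dump=$2; local_ip=$3; iface=$4
    in_idx=$(printf '%s\n' "$in_dump" | first_blanket_drop_index)
    out_idx=$(printf '%s\n' "$out_dump" | first_blanket_drop_index)

    # Outbound probes of the default (UDP) traceroute method; this is the rule whose
    # absence in front of the DROP produces "sendto: Operation not permitted".
    rule_present "$out_dump" "-A OUTPUT -o $iface -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT" ||
        echo "iptables -I OUTPUT $out_idx -o $iface -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT"
    # Replies to those probes: time-exceeded (type 11) from each hop and port-unreachable
    # (3/3) from the final host. They are ICMP, so a UDP --sport match can never see them.
    rule_present "$in_dump" "-A INPUT -d $local_ip/32 -p icmp -m icmp --icmp-type 11 -j ACCEPT" ||
        echo "iptables -I INPUT $in_idx -d $local_ip -p icmp --icmp-type 11 -j ACCEPT"
    rule_present "$in_dump" "-A INPUT -d $local_ip/32 -p icmp -m icmp --icmp-type 3/3 -j ACCEPT" ||
        echo "iptables -I INPUT $in_idx -d $local_ip -p icmp --icmp-type 3/3 -j ACCEPT"
    # Inbound probes from other hosts: REJECT instead of DROP, so their traceroute ends
    # with a port-unreachable from this host rather than a row of asterisks.
    rule_present "$in_dump" "-A INPUT -p udp -m udp --dport 33434:33524 -j REJECT --reject-with icmp-port-unreachable" ||
        echo "iptables -I INPUT $in_idx -p udp --dport 33434:33524 -j REJECT --reject-with icmp-port-unreachable"
}

emit_traceroute_rules "$SAMPLE_INPUT_CHAIN" "$SAMPLE_OUTPUT_CHAIN" 10.222.4.212 eth0
```

For the sample chains every command comes out with position 3, i.e. directly in front of the "-j DROP" that is third in each chain. Printing the commands first and applying them in a second step is deliberate: on a host you reach over the network, an insert at the wrong index in OUTPUT is the fastest way to lock yourself out, and the printed list is cheap to review against `iptables -S` before it is run.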
https://serverfault.com/questions/623996