Get Traceroute To Work with Iptables
So I was trying to use traceroute to diagnose some DNS problems, but it was timing out.
As you may know, I am using CloudFlare for DNS hosting and other things. Anyway, my traceroute worked OK with my CloudFlare-enabled sites, but when I tried my newly set up Ubuntu server (which is not using the CloudFlare network; see my article Sky Broadband Blocks CloudFlare CDN) it failed.
I figured the problem must be a firewall issue, as the server was reachable via ping. A quick look at my iptables rules and a Google search found the problem. My rules for ping were:
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
That is fine for ping, but a default Linux traceroute does not use ICMP echo at all: it sends UDP probes to destination ports starting at 33434, moving to the next port for every probe, so the default 30 hops with 3 probes each covers 33434 to 33523 (many firewalls open up to 33534 to leave some headroom). If the firewall silently drops those probes, the intermediate hops still show up (their ICMP time-exceeded replies come from the routers, not from the server) but the final hop never answers and the trace times out with * * *. The server does not have to ACCEPT the probes; REJECT works just as well, because iptables then replies with an ICMP port-unreachable message, which is exactly how traceroute recognises that it has reached the destination. (traceroute -I uses ICMP echo requests instead, which the type 8 rule above already covers.) So the new rules are:
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp --dport 33434:33523 -j REJECT
Now traceroute to the server works properly. Hope it helps.

Note: these ports should not be in use by any other application on the server, since the REJECT rule refuses everything sent to them.
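As an added example (not part of the original post or of any tool it mentions), the following Python script mimics what the kernel does with traceroute's UDP probes: it parses iptables-save output, walks the INPUT chain first-match-wins, and reports whether every probe port of a default run (30 hops, 3 probes, ports 33434 to 33523) ends in ACCEPT or REJECT rather than falling through to a DROP. The two rule dumps at the bottom are constructed for the example; the script only understands the handful of matches shown (-i, -p, --dport, --state/--ctstate) and the filter table's built-in chains, so real rulesets with other matches or user-defined chains would need more parsing.

```python
import re

# First UDP destination port a default Linux traceroute probes; each probe
# uses the next port, so 30 hops x 3 probes covers 33434..33523.
TRACEROUTE_BASE_PORT = 33434


def traceroute_port_range(max_hops=30, nqueries=3):
    """Inclusive (first, last) UDP port a traceroute run with these settings hits."""
    return TRACEROUTE_BASE_PORT, TRACEROUTE_BASE_PORT + max_hops * nqueries - 1


_POLICY_RE = re.compile(r"^:(?P<chain>\S+)\s+(?P<policy>ACCEPT|DROP)\s")
_RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*?)\s*-j\s+(?P<target>\S+)(?:\s.*)?$")


def _opt(body, name):
    """Value of a single-argument option (-p, -i, --dport, --ctstate ...) or None."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"\s+(\S+)", body)
    return m.group(1) if m else None


def _port_range(spec):
    """'33434:33523' -> (33434, 33523); '53' -> (53, 53); None -> None."""
    if spec is None:
        return None
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_iptables_save(text):
    """Chain policies and an ordered list of rules from iptables-save output.
    Only the matches this check needs are kept; everything else is ignored."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        pm = _POLICY_RE.match(line)
        if pm:
            policies[pm.group("chain")] = pm.group("policy")
            continue
        rm = _RULE_RE.match(line)
        if not rm:
            continue  # comments, '*filter', COMMIT, rules without a target
        body = rm.group("body")
        rules.append({
            "chain": rm.group("chain"),
            "iface": _opt(body, "-i"),
            "proto": _opt(body, "-p"),
            "dport": _port_range(_opt(body, "--dport")),
            "states": _opt(body, "--ctstate") or _opt(body, "--state"),
            "target": rm.group("target"),
        })
    return policies, rules


def verdict_for_udp_probe(policies, rules, port, chain="INPUT"):
    """Target of the first rule matching a fresh UDP probe to `port` arriving on
    an external interface, or the chain policy if no rule matches."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["iface"] == "lo":  # loopback-only rule, probe comes from outside
            continue
        if r["proto"] not in (None, "udp"):
            continue
        if r["states"] and "NEW" not in r["states"].split(","):
            continue  # RELATED,ESTABLISHED rule; a probe is a NEW packet
        if r["dport"] and not (r["dport"][0] <= port <= r["dport"][1]):
            continue
        return r["target"]
    return policies.get(chain, "ACCEPT")


def check_traceroute(text, max_hops=30, nqueries=3):
    """(ok, problems): ok when every probe port is ACCEPTed or REJECTed.
    REJECT makes the kernel answer with ICMP port unreachable, which is how
    traceroute recognises the final hop; DROP leaves that hop as '* * *'."""
    policies, rules = parse_iptables_save(text)
    lo, hi = traceroute_port_range(max_hops, nqueries)
    dropped = [p for p in range(lo, hi + 1)
               if verdict_for_udp_probe(policies, rules, p) not in ("ACCEPT", "REJECT")]
    problems = []
    if dropped:
        problems.append(f"UDP probes to ports between {dropped[0]} and {dropped[-1]} "
                        f"({len(dropped)} of {hi - lo + 1}) get no answer in INPUT")
    return not problems, problems


# Constructed sample dumps for this example, not taken from any real server.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
AFTER = BEFORE.replace(
    "COMMIT",
    "-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable\nCOMMIT")

if __name__ == "__main__":
    for name, dump in (("before", BEFORE), ("after", AFTER)):
        ok, problems = check_traceroute(dump)
        print(name, "OK" if ok else "FAIL", *problems)
```

To check a live box, pass the text of `sudo iptables-save` to check_traceroute; raise nqueries or max_hops if clients run traceroute with -q or -m, since every extra probe needs one more port in the range.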