
Traceroute to the server fails; this is a description of the problem:

root@newTralev ~ # ifconfig 
eth0      Link encap:Ethernet  HWaddr 74:d0:2b:9a:85:74  
          inet addr:176.9.18.37  Bcast:176.9.18.63  Mask:255.255.255.224
root@condor1796 ~ # traceroute --port=33434 176.9.18.37
traceroute to 176.9.18.37 (176.9.18.37), 30 hops max, 60 byte packets
 1  static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  0.201 ms static-ip-209-126-119-2.inaddr.ip-pool.com (209.126.119.2)  3.741 ms static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  7.516 ms
 2  207.38.80.33 (207.38.80.33)  0.207 ms 207.38.80.37 (207.38.80.37)  0.248 ms  0.262 ms
 3  ae1.stl1-cr-atlas.bb.gdinf.net (207.38.95.5)  5.304 ms  5.304 ms  5.292 ms
 4  stlo-b1-link.telia.net (62.115.165.48)  0.456 ms  0.318 ms stlo-b1-link.telia.net (62.115.165.90)  0.453 ms
 5  chi-b23-link.telia.net (62.115.113.173)  7.864 ms  7.889 ms  7.850 ms
 6  hetzner-ic-340780-nug-b1.c.telia.net (213.248.70.1)  118.777 ms  118.762 ms  118.776 ms
 7  core24.fsn1.hetzner.com (213.239.252.234)  121.918 ms * *
 8  ex9k1.dc6.fsn1.hetzner.com (213.239.229.94)  121.127 ms ex9k1.dc6.fsn1.hetzner.com (213.239.229.90)  121.127 ms  121.059 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
root@condor1796 ~ # 

This is iptables -L:

root@newTralev ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8008
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12301
ACCEPT     udp  --  anywhere             anywhere             udp dpt:12301
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:52444
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33434
ACCEPT     udp  --  anywhere             anywhere             udp dpt:33434
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

But Hetzner is not supposed to block port 33434, so does anyone understand where the problem is?

Perhaps in my iptables.config file?

My iptables.rules is as follows:

#!/bin/bash

# ATTENTION: flush/delete all existing rules
# (-F without -t only flushes the filter table; flush nat as well, otherwise
# the REDIRECT rules below are appended again on every run of this script)
iptables -F
iptables -t nat -F

################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT

#dkim on port 12301
iptables -A INPUT -p tcp --dport 12301 -j ACCEPT
iptables -A INPUT -p udp --dport 12301 -j ACCEPT

#port for mtr
iptables -A INPUT -p tcp --dport 52444 -j ACCEPT
iptables -A INPUT -p udp --dport 52444 -j ACCEPT
iptables -A INPUT -p tcp --dport 33434 -j ACCEPT
iptables -A INPUT -p udp --dport 33434 -j ACCEPT



#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT

#limit number of connections
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8080 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8181 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 443 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8008 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP



################################################################
#slow down the amount of ssh connections by the same ip address:
#wait 60 seconds if 3 times failed to connect
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP

#drop everything else
iptables -A INPUT -j DROP
################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181

#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules
#List Rules to see what we have now
iptables -L

Thank you!

Mladen Adamovic

1 Answer

  1. In any strange network problem, run tcpdump. It captures the packets before iptables.
  2. By default, traceroute uses UDP probes starting at port number 33434, incremented by 1 for every next probe. Because your host isn't the first hop, you should allow some of the next port numbers, for example 32. So the rule for traceroute should look like:
iptables -t filter -I INPUT -p udp --dport 33434:33468 -j ACCEPT
  3. Also, I think you should allow incoming ICMP packets. Apart from traceroute in ICMP probe mode, ICMP is required for PMTUD (Path MTU Discovery), so blocking it completely isn't a good idea.
Anton Danilov
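The three points of the answer, worked through as an added example (this is not code from the original question or answer). It computes the UDP port range a default Linux traceroute will actually probe, builds the tcpdump filter for watching those probes arrive ahead of iptables, and emits the matching INPUT rules without applying them. Assumptions: the Linux traceroute defaults (base port 33434, 30 hops, 3 probes per hop) and the interface name eth0 from the question's ifconfig output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Works out the UDP
# destination ports a default Linux traceroute will hit on the target and
# emits the matching iptables rules, without applying them. Assumptions:
# the Linux traceroute defaults (base port 33434, 30 hops, 3 probes per hop)
# and the interface name eth0 from the question's ifconfig output.

# traceroute_probe_ports BASE MAXHOPS NQUERIES -> "first:last"
# Default (UDP) mode sends NQUERIES probes per hop and increments the
# destination port by one for every probe, so the final probe (hop MAXHOPS,
# query NQUERIES) goes to BASE + MAXHOPS*NQUERIES - 1. Accepting only BASE,
# as the question's ruleset does, lets through the very first probe only.
traceroute_probe_ports() {
    base=$1; maxhops=$2; nqueries=$3
    last=$((base + maxhops * nqueries - 1))
    printf '%d:%d\n' "$base" "$last"
}

# traceroute_capture_filter BASE MAXHOPS NQUERIES -> BPF expression
# For the tcpdump step: probes as they arrive on the wire (tcpdump sees them
# before iptables decides anything) plus whatever ICMP the host sends back.
# Usage on the server:  tcpdump -ni eth0 "$(traceroute_capture_filter 33434 30 3)"
traceroute_capture_filter() {
    range=$(traceroute_probe_ports "$1" "$2" "$3")
    printf 'udp dst portrange %s or icmp\n' "$range"
}

# traceroute_rules IFACE BASE MAXHOPS NQUERIES -> iptables commands on stdout
# -I puts the rules at the head of INPUT, ahead of the trailing
# "iptables -A INPUT -j DROP" in the question's script; a late -A would be
# appended after that DROP and never match.
traceroute_rules() {
    iface=$1
    range=$(traceroute_probe_ports "$2" "$3" "$4")
    printf 'iptables -t filter -I INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$iface" "$range"
    # ICMP: echo-request so "traceroute -I" and ping reach the host, plus the
    # two error types that PMTUD (fragmentation-needed is a
    # destination-unreachable) and this host's own outbound traceroutes rely on.
    for t in echo-request destination-unreachable time-exceeded; do
        printf 'iptables -t filter -I INPUT -i %s -p icmp --icmp-type %s -j ACCEPT\n' "$iface" "$t"
    done
}

# Stand-alone run with the defaults: the range comes out as 33434:33523.
traceroute_probe_ports 33434 30 3
traceroute_capture_filter 33434 30 3
traceroute_rules eth0 33434 30 3
```

Nothing listens on those UDP ports; the point of accepting them is that the kernel then answers each probe with an ICMP port-unreachable, which is what traceroute is waiting for. Note also that `iptables -L` without `-v` hides interface matches, which is why the script's `-i lo` rule shows up in the listing above as `ACCEPT all -- anywhere anywhere`; use `iptables -nvL --line-numbers` to confirm where the new rules landed relative to the final DROP.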