I've installed SolusVM as a Master server that will host OpenVZ containers on a fresh install of CentOS 6.6.

What I am now noticing is that if I traceroute one of my containers' IP addresses, I see the host node's IP address as the hop right before the container's IP.


6     39      45      49      -  
7     38      39      39     hostnode.com  <===== HostNode
8     38      38      38     container.com  <===== OpenVZ Container

What I want to know is: is there any way I can stop the host node from appearing in traceroutes?

I know I can set "net.ipv4.conf.icmp_echo_ignore_all = 1" in "/etc/sysctl.conf", but it is my understanding that this will only stop ping responses and not traceroutes.

I'm primarily concerned about an attacker being able to see and DDoS my host node IP, which would cause all containers to go offline. My ISP will null-route any IPs that get attacked, and while having a single container's IP null-routed is not a huge deal, I need to make sure that my host node does not get attacked and cause downtime on all containers.

My desired outcome would be either my host node not appearing in the traceroute at all or just timing out completely. I just need a point in the right direction.

Elliot B.

1 Answer


The traffic from your VMs to the public internet must be routed through the interface of the host node so there is no way to completely remove the parent node as a hop in the traceroute results.

However, you can use iptables on the parent node to block outbound ICMP packets. This will hide the IP address of your parent node in the traceroute results -- appearing only as request timed out in the traceroute results.

Run these commands as root on your OpenVZ node:

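iptables -A OUTPUT -p icmp --icmp-type 0 -j DROP    # type 0: echo reply
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP    # type 8: echo request
iptables -A OUTPUT -p icmp --icmp-type 11 -j DROP   # type 11: time exceeded (what a traceroute hop sends back)
iptables -A OUTPUT -p icmp --icmp-type 30 -j DROP   # type 30: traceroute (deprecated ICMP type)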
Elliot B.
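Rules added with `iptables -A` live only in the running kernel and are gone after a reboot unless they are saved. The script below is an added example, not part of the original answer: it audits an `iptables-save` style dump for the four OUTPUT DROP rules listed above. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the four outbound ICMP DROP rules are missing
# from a ruleset dump. Input is iptables-save style text on stdin, for example
# the output of `iptables-save` or the contents of /etc/sysconfig/iptables
# (the file `service iptables save` writes on CentOS 6).

WANTED_TYPES="0 8 11 30"   # echo reply, echo request, time exceeded, traceroute

# Prints the wanted ICMP types that have no "-A OUTPUT ... -j DROP" rule,
# space separated. Prints nothing when all four are present.
missing_icmp_drops() {
    awk -v wanted="$WANTED_TYPES" '
        $1 == "-A" && $2 == "OUTPUT" && /-p icmp/ && /-j DROP/ {
            for (i = 1; i < NF; i++)
                if ($i == "--icmp-type") {
                    t = $(i + 1)
                    sub(/\/.*/, "", t)      # "11/0" (type/code) counts as type 11
                    seen[t] = 1
                }
        }
        END {
            n = split(wanted, w, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) out = out (out == "" ? "" : " ") w[i]
            if (out != "") print out
        }'
}

# Constructed sample: only two rules are on OUTPUT; the type 8 rule was put on
# INPUT by mistake, so it does not stop the host node from sending anything.
SAMPLE_PARTIAL='*filter
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j DROP
COMMIT'

# Constructed sample: all four rules present.
SAMPLE_FULL='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 30 -j DROP
COMMIT'

printf 'partial ruleset is missing types: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PARTIAL" | missing_icmp_drops)"
```

On the node itself, run it once against the live rules (`iptables-save | missing_icmp_drops`) and once against the saved file (`missing_icmp_drops < /etc/sysconfig/iptables`); a type listed only in the second result is loaded now but will not survive a reboot.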