If your running iptables most likely your default INPUT policy will be DROP its easy enough to allow most things through and to allow basic pinging to be performed against the server etc.

However traceroute can be a bit more of a problem to allow since if traceroute is being performed using UDP you need to stop the packets going to a wide range of ports from being dropped. Since you really don’t want to open up all the ports it requires most people just leave it and that means you can only traceroute using ICMP.

The best way I have found to get around this is to just set a REJECT on the port range no need for an ACCEPT and everything works fine.

sudo iptables -A INPUT -i eth0 -p udp -m udp --dport 33434:33523 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
Share this post


  1. Hi,
    I’m very surprised you can REJECT the packets… do you have any idea how it can work?
    Anyway it works fine, thanks for the tip!

  2. Oh by the way I also opened ports 44450 to 44500 in order to allow tracepath (a clone of traceroute that doesn’t require root access). I wonder what ports we should really open (are there many tools like that which all have their own ports?)

    sudo iptables -A INPUT -p udp -m udp –dport 44450:44500 -m state –state NEW -j REJECT –reject-with icmp-port-unreachable

  3. Has a traceroute issue to a few server I could traceroute out but not back to them.
    This fixed it.
    This was also causing a problem with a server out there not accepting emails from my server, we will see if this fixes this as well. I thinking they were doing a traceroute home to make sure I really existed before accepting my emails.

  4. […] para geeks: En algún lugar, vi que usaban el target  ”REJECT –reject-with  icmp-port-unreachable”, con el […]

Leave a Reply

CAPTCHA (required) Time limit is exhausted. Please reload CAPTCHA.