On Friday 22 Feb 2013 15:51:54 Tanstaafl wrote:
> Hi all,
>
> Weird, I don't use it much, but needed to run a traceroute today, and it
> is failing with:
>
> # traceroute 192.168.1.4
> traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
> send: Operation not permitted
>
> I know the problem is in my firewall, because when I stop it,
> traceroutes work as expected.
>
> I have allowed all ICMP in my firewall:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere            icmp any
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere            icmp any
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere            icmp any
>
> Any ideas what I'm missing?
>
> I can send all of my firewall rules privately if someone thinks I may
> have something that is dropping these packets before my ALLOW rule kicks
> in, but I'm fairly sure I have them right...
>
> Thanks

I don't know how 'clever' your firewall script is (if indeed you are using a
script) and whether it interferes with your sysctl settings. Search for things
like:

net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1

Alternatively, do you have another rule that denies connections from private
address space on the particular interface?

--
Regards,
Mick