You could pass all needed traffic and block the rest via sound firewall rules.
In that case, traceroute will be of no use for hacking.
But you can block it, of course.
Just that YOU won't be able to use it either.
Speaking of customers: If you provide them with real IP addresses, then a customer would expect to have full access to/from his IP, including traceroute and ping from the outside. If the customer wants, he still can block ping/traceroute at his endpoint.
If those addresses are NAT-ed, then it doesn't matter since you can not trace anything from the outside past the router. But from the inside, one still expects traceroute to work.
The only thing worth blocking is port 25 (SMTP) in both directions and offering a local SMTP server for mail sending, thus preventing unwanted direct spamming by malicious software. Of course with an option to opt-out of the blocking, if one needs to run his own mail server.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.