What is my solution to allow traceroutes into my network?
If the traceroute uses UDP packets, it mostly selects a random destination UDP port and you can't really do anything to make it work if you don't want to open up just everything.
If traceroute uses TCP packets (there's a tcptraceroute in Linux), then it will display the whole path like this:
# tcptraceroute www.cnn.com 443
Selected device eno1.42, address 192.168.42.10, port 35079 for outgoing packets
Tracing the path to www.cnn.com (151.101.13.67) on TCP port 443 (https), 30 hops max
1 [redacted hop A]
2 [redacted hop B]
3 [redacted hop C]
4 80.156.163.65 16.739 ms 16.738 ms 16.834 ms
5 80.157.130.14 16.511 ms 16.283 ms 16.339 ms
6 151.101.13.67 [open] 16.544 ms 16.534 ms 16.327 ms
and compare it to UDP traceroute:
# traceroute www.cnn.com
traceroute to turner-tls.map.fastly.net (151.101.13.67), 64 hops max
1 [redacted hop A]
2 [redacted hop B]
3 [redacted hop C]
4 80.156.163.65 16.902ms 16.807ms 17.045ms
5 * * *
It doesn't show any further hops. So it seems that the node at hop #5 is filtering traffic (either a stateful firewall or, more likely, a stateless firewall).
And compare it to ICMP traceroute:
# traceroute -I www.cnn.com
traceroute to turner-tls.map.fastly.net (151.101.13.67), 64 hops max
1 [redacted hop A]
2 [redacted hop B]
3 [redacted hop C]
4 80.156.163.65 16.688ms 16.709ms 16.480ms
5 80.157.130.14 17.749ms 16.279ms 16.305ms
6 151.101.13.67 16.651ms 16.269ms 16.282ms
When you traceroute a firewalled and NATed address, then UDP traceroute will stop at the firewall's address ... either without a reply if the firewall filter rule uses action=drop, or with a reply (but with flag H!, meaning the probes are hitting the firewall) if the firewall filter rule uses action=reject. ICMP traceroute will behave similarly. TCP traceroute, however, will pass the firewall if the dst-port is forwarded, and traceroute will show replies seemingly coming from the same address:
# tcptraceroute <firewalled FQDN> 443
Selected device eno1.42, address 192.168.42.10, port 35079 for outgoing packets
Tracing the path to <firewalled FQDN> (<redacted DST address>) on TCP port 443 (https), 30 hops max
1 [redacted hop A]
2 [redacted hop B]
3 [redacted hop C]
4 88.200.2.182 4.978 ms 2.097 ms 0.482 ms
5 91.220.194.114 0.974 ms 0.903 ms 1.868 ms
6 <redacted intermediate hop> 2.376 ms 1.508 ms 2.288 ms
7 <redacted DST address> 1.286 ms 1.336 ms 1.234 ms
8 <redacted DST address> [open] 1.515 ms 1.990 ms 2.154 ms
Note the last hop, which returns from the same IP address as the hop before it, but says [open] because it's hitting the actual server (behind the NAT firewall), which is replying on port 443 ...
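As an added example (not part of the original post), a small Python parser that reads traceroute/tcptraceroute output like the sessions above and classifies how the trace ended: silent drops after the last answering hop, an H!/!H reject, or the same address answering twice with [open] at the end, which is the port-forward-through-NAT signature described above. The sample outputs are constructed; 192.0.2.x, 198.51.100.x and 203.0.113.x are placeholder addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One hop line: TTL, address (or "*"), optional "[open]" marker, then RTTs and flags.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(\s+\[open\])?(.*)$")


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]  # None when every probe timed out ("* * *")
    is_open: bool        # tcptraceroute's [open]: a listener answered on the port
    unreachable: bool    # traceroute's !H / H! flag: ICMP host-unreachable came back


def parse_hops(output: str) -> List[Hop]:
    """Parse traceroute/tcptraceroute output; banner lines are skipped."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, addr, open_mark, rest = m.groups()
            hops.append(Hop(int(ttl), None if addr == "*" else addr,
                            open_mark is not None, bool(re.search(r"!H\b|\bH!", rest))))
    return hops


def diagnose(output: str) -> Tuple[str, int, Optional[str]]:
    """Classify how the trace ended: (verdict, ttl, addr of the relevant hop)."""
    hops = parse_hops(output)
    if not hops:
        return ("empty", 0, None)
    last = hops[-1]
    if last.addr is None:
        # Silence after the last answering hop: the next node drops the probes (action=drop).
        prev = next((h for h in reversed(hops) if h.addr), Hop(0, None, False, False))
        return ("dropped-after", prev.ttl, prev.addr)
    if last.unreachable:
        return ("rejected", last.ttl, last.addr)  # firewall answers with ICMP unreachable
    if last.is_open and len(hops) > 1 and hops[-2].addr == last.addr:
        # Same address twice, the second time [open]: a forwarded port reached the server behind NAT.
        return ("open-behind-nat", last.ttl, last.addr)
    return ("open" if last.is_open else "reached", last.ttl, last.addr)


# Constructed samples modelled on the post's output (placeholder addresses).
UDP_TRACE = """traceroute to host.example (203.0.113.10), 64 hops max
 4 80.156.163.65 16.902ms 16.807ms 17.045ms
 5 * * *"""
TCP_NAT_TRACE = """Tracing the path to host.example (203.0.113.10) on TCP port 443 (https), 30 hops max
 7 203.0.113.10 1.286 ms 1.336 ms 1.234 ms
 8 203.0.113.10 [open] 1.515 ms 1.990 ms 2.154 ms"""
```

Running `diagnose(UDP_TRACE)` gives `('dropped-after', 4, '80.156.163.65')` and `diagnose(TCP_NAT_TRACE)` gives `('open-behind-nat', 8, '203.0.113.10')`.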