I had to do a traceroute yesterday and realized my iptables rules were preventing it. traceroute www.google.com gave me 30 hops of * * *; useless data.
It seemed like a simple problem with a simple solution, but since I didn’t find the simple solution as easily as I’d hoped, I thought I would echo it here. In my case, I was able to perform traceroutes by adding these rules to my INPUT chain:
-A INPUT --proto icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT --proto icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT --proto icmp --icmp-type echo-reply -j ACCEPT
-A INPUT --proto icmp --icmp-type echo-request -j ACCEPT
Note that, in my case, I ACCEPT all OUTPUT, so outbound conversation was never a problem, only inbound. I’m fairly certain the rule that actually fixed my problem was the third, which allows echo-reply packets to come in.
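As an added example (not code from the original post), the shell below writes the post's per-type rules in iptables-restore syntax, shows the stateful conntrack alternative, and checks an iptables-save dump for the ICMP types a traceroute has to receive. The sample dump is constructed to resemble a host whose INPUT policy is DROP. Some context on the types: the default Linux traceroute sends UDP probes, so intermediate hops answer with time-exceeded and the final hop with destination-unreachable (port unreachable); echo-reply is what the final hop returns when traceroute is run with -I; an inbound echo-request rule only matters if you want the host to answer pings. The conntrack rule covers all of these at once because the kernel marks ICMP errors that answer one of your own outbound packets as RELATED.

```shell
#!/bin/sh
# Added example, not from the original post: generate the INPUT rules that
# let traceroute replies in, and check an iptables-save dump for them.
# Assumes the INPUT policy is DROP, as the author's evidently was.

# ICMP types a traceroute needs to receive, with the numeric type that
# iptables-save prints for each:
#   time-exceeded (11)            every intermediate hop (TTL ran out)
#   destination-unreachable (3)   the final hop, for the default UDP probes
#   echo-reply (0)                the final hop, for ICMP probes (traceroute -I)
TRACEROUTE_ICMP_TYPES="time-exceeded:11 destination-unreachable:3 echo-reply:0"

# The per-type approach from the post, in iptables-restore syntax.
traceroute_icmp_rules() {
    for pair in $TRACEROUTE_ICMP_TYPES; do
        printf '%s -p icmp --icmp-type %s -j ACCEPT\n' "-A INPUT" "${pair%:*}"
    done
}

# Stateful alternative: conntrack marks an ICMP error that answers one of our
# own packets as RELATED, so one rule admits traceroute replies without
# enumerating types and without opening inbound echo-request.
stateful_rule() {
    printf '%s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "-A INPUT"
}

# check_ruleset DUMP: DUMP is iptables-save output. Prints the ICMP types
# above that no INPUT rule accepts and returns 1; returns 0 if all are covered.
check_ruleset() {
    dump=$1
    # A RELATED accept (conntrack, or the older state match) covers all of them.
    if printf '%s\n' "$dump" |
        grep -Eq -- '^-A INPUT .*--(ct)?state [A-Z,]*RELATED.* -j ACCEPT$'; then
        return 0
    fi
    missing=""
    for pair in $TRACEROUTE_ICMP_TYPES; do
        name=${pair%:*}
        num=${pair#*:}
        # Accept either the symbolic name (as typed) or the number iptables-save emits.
        if ! printf '%s\n' "$dump" |
            grep -Eq -- "^-A INPUT .*-p icmp .*--icmp-type ($name|$num) .*-j ACCEPT$"; then
            missing="${missing:+$missing }$name"
        fi
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed iptables-save excerpt resembling the author's starting point:
# INPUT drops by default, only loopback and SSH are admitted, OUTPUT is open.
SAMPLE_BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The same ruleset with the post's rules appended to INPUT.
sample_after() {
    printf '%s\n' "$SAMPLE_BEFORE" | sed '/^COMMIT$/d'
    traceroute_icmp_rules
    printf 'COMMIT\n'
}

# Demo on the constructed sample. On a real host run, as root:
#   check_ruleset "$(iptables-save)"
if blocked=$(check_ruleset "$SAMPLE_BEFORE"); then
    printf 'before: traceroute replies already accepted\n'
else
    printf 'before: INPUT drops these ICMP types: %s\n' "$blocked"
fi
if check_ruleset "$(sample_after)"; then
    printf 'after:  all traceroute reply types accepted\n'
fi
```

Source the script and run `check_ruleset "$(iptables-save)"` on the host to see which reply types a live ruleset still drops; a non-empty result is the list to add, or the cue to use the single conntrack rule instead.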
