How to Fix “traceroute send: Operation not permitted” Error in Linux with iptables Rules



When attempting to trace a network path with traceroute, Linux administrators often run into the error send: Operation not permitted. It is the EPERM that the kernel returns from sendto() when a netfilter rule in the OUTPUT chain drops or rejects the locally generated probe, so the usual cause is an iptables ruleset, including one generated by CSF (ConfigServer Firewall), that does not allow the outgoing UDP packets traceroute relies on.

By default, traceroute on Linux sends UDP probes to destination ports starting at 33434, incrementing the port by one for each probe and the TTL by one for each hop; routers along the path answer with ICMP time-exceeded and the destination answers with ICMP port-unreachable. A lockdown firewall that only permits a few outbound ports blocks these probes. The symptom tells you which direction is blocked: a blocked outgoing probe yields send: Operation not permitted, whereas blocked incoming ICMP replies yield rows of * * *. The moment you stop iptables (service iptables stop) traceroute starts working, which confirms the root cause, but a less disruptive check is to list the chain with iptables -S OUTPUT and look for a REJECT or DROP rule that precedes any rule accepting UDP to those ports.

# This fails when iptables is active:
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
send: Operation not permitted

To keep the firewall in place while allowing traceroute, the OUTPUT chain must accept the probe ports before any catch-all REJECT or DROP, and the INPUT chain must accept the ICMP replies. Appending with -A would place the new rule after an existing catch-all, where it never matches, so insert at the head of the chain instead:

iptables -I OUTPUT 1 -p udp --dport 33434:33534 -j ACCEPT
iptables -I INPUT 1 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -I INPUT 1 -p icmp --icmp-type destination-unreachable -j ACCEPT

The range 33434:33534 covers a default run (30 hops times 3 probes uses 33434-33523); widen it if you raise -m or -q. If INPUT already accepts RELATED,ESTABLISHED traffic, conntrack classifies the ICMP errors as RELATED to the probe flow and the two INPUT rules are redundant. Persist the rules the way your distribution does (iptables-save, or the iptables service's save step), or they vanish at the next restart.

If you're using CSF, csf -r regenerates the whole iptables ruleset from /etc/csf/csf.conf, so anything you added by hand is overwritten. Instead:

  1. Edit /etc/csf/csf.conf
  2. Find the UDP_OUT line (outbound UDP is what traceroute's probes need; TCP_OUT only matters for traceroute -T)
  3. Append the port range 33434:33534 to the existing comma-separated list rather than replacing it, so DNS and the other entries stay allowed
  4. Restart CSF: csf -r

Rules that do not fit the port lists belong in /etc/csf/csfpost.sh, which CSF runs after it builds its own rules, so they survive a restart.

After implementing these changes, verify that the accept rule is present and sits above the catch-all, then run a trace:

iptables -L OUTPUT -n -v --line-numbers | grep 33434
traceroute -n 8.8.8.8

You should now see proper route tracing without permission errors, while maintaining your system's security posture.


The "send: Operation not permitted" error in traceroute occurs when the OUTPUT chain of your firewall (iptables, or the rules CSF generates) rejects or drops the UDP probes traceroute sends; the kernel then returns EPERM to the program instead of transmitting the packet. Linux traceroute defaults to destination ports beginning at 33434, one port per probe, so a default run of 30 hops and 3 probes uses 33434-33523; firewall rules conventionally allow 33434:33534.

To confirm this is a firewall issue, look at the OUTPUT chain for a REJECT or DROP that comes before any rule accepting those UDP ports:

sudo iptables -S OUTPUT

Stopping the firewall is the blunt confirmation; it opens everything while stopped, and on firewalld or nftables based systems the iptables service may not exist:

sudo service iptables stop
traceroute example.com
# If it works now, the firewall is the culprit

Add these rules, inserting them at the top so a catch-all REJECT/DROP later in the chain cannot shadow them (the outbound probes are UDP, the replies are ICMP):

sudo iptables -I OUTPUT 1 -p udp --dport 33434:33534 -j ACCEPT
sudo iptables -I INPUT 1 -p icmp --icmp-type time-exceeded -j ACCEPT
sudo iptables -I INPUT 1 -p icmp --icmp-type destination-unreachable -j ACCEPT

A rule accepting inbound UDP to 33434:33534 is only needed if other hosts should be able to traceroute to this machine; it does nothing for traces started here. Likewise a --sport match on the probe range does not help, because the probes leave from an ephemeral source port and only the destination port walks through the range.
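Both the "confirm it is the firewall" step above and the rules that follow can be checked without touching a live firewall. The following bash script is an added example, not code from the original page or from the traceroute or CSF projects: it walks a pasted iptables -S OUTPUT listing with the same first-match semantics the kernel uses and reports whether a fresh UDP probe to port 33434 would be accepted, dropped or rejected (the last two are what surface as send: Operation not permitted), computes the destination-port range a run actually touches from its base port, hop limit and probe count, and prints accept rules sized to that range. The function names, the matcher's simplifications (only -p, -o, --dport, --state/--ctstate and the chain policy are understood; jumps to user-defined chains and address matches are ignored) and the two rulesets are this example's own; the rulesets are constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): decide, offline, what an iptables
# OUTPUT chain does to a traceroute UDP probe, and print accept rules sized to
# the port range a run will actually use. Input is the text of `iptables -S OUTPUT`.
# Simplified matcher (assumption): understands -p, -o, --dport (N or A:B),
# --state/--ctstate and the chain policy; -s/-d address matches are treated as
# matching everything and jumps to user-defined chains are not followed.
set -u

# probe_port_range BASE MAXHOPS NPROBES: traceroute bumps the destination port
# once per probe, so one run touches BASE .. BASE+MAXHOPS*NPROBES-1.
probe_port_range() {
    local base="${1:-33434}" hops="${2:-30}" probes="${3:-3}"
    printf '%s:%s\n' "$base" "$((base + hops * probes - 1))"
}

# output_verdict RULESET [PORT]: prints ACCEPT, DROP or REJECT for the first rule
# that matches a new UDP packet to PORT, or POLICY:<policy> if no rule matches.
output_verdict() {
    local rules="$1" port="${2:-33434}"
    printf '%s\n' "$rules" | awk -v port="$port" '
    $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }
    $1 != "-A" || $2 != "OUTPUT" { next }
    {
        proto = ""; oif = ""; target = ""; state = ""; haveport = 0; lo = 0; hi = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "-o") oif = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "--dport") {
                haveport = 1
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            }
        }
        if (proto != "" && proto != "udp") next           # other protocol
        if (oif == "lo") next                             # probes leave on a real interface
        if (state != "" && state !~ /NEW/) next           # every probe starts a NEW flow
        if (haveport && (port + 0 < lo || port + 0 > hi)) next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            found = 1; print target; exit                 # first terminating match wins
        }
    }
    END {
        if (!found) { p = (policy == "") ? "ACCEPT" : policy; print "POLICY:" p }
    }'
}

# traceroute_rules RANGE: rules inserted at the head of the chain (-I, not -A),
# so they take effect even when a catch-all REJECT/DROP sits at the end.
traceroute_rules() {
    local range="$1"
    printf 'iptables -I OUTPUT 1 -p udp --dport %s -j ACCEPT\n' "$range"
    printf 'iptables -I INPUT 1 -p icmp --icmp-type time-exceeded -j ACCEPT\n'
    printf 'iptables -I INPUT 1 -p icmp --icmp-type destination-unreachable -j ACCEPT\n'
}

# Constructed sample of a locked-down OUTPUT chain (not captured from a real host).
SAMPLE_OUTPUT='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

range=$(probe_port_range)        # 33434:33523 for a default 30-hop, 3-probe run

# The same chain after `iptables -I OUTPUT 1 ...` with that range (constructed).
FIXED_OUTPUT="-P OUTPUT DROP
-A OUTPUT -p udp -m udp --dport $range -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable"

echo "probe range:        $range"
echo "verdict before fix: $(output_verdict "$SAMPLE_OUTPUT")"   # REJECT: EPERM to traceroute
echo "verdict after fix:  $(output_verdict "$FIXED_OUTPUT")"    # ACCEPT
echo "rules to apply:"
traceroute_rules "$range"
```

Paste the real listing into output_verdict to test a host's chain; a REJECT, DROP or POLICY:DROP result is the rule that produces the error, and a -j to a custom chain (which the matcher skips) is the next place to look by hand.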

For IPv6 (if needed), the probes are the same UDP range and the replies are ICMPv6 errors, matched with the icmp6 match:

sudo ip6tables -I OUTPUT 1 -p udp --dport 33434:33534 -j ACCEPT
sudo ip6tables -I INPUT 1 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
sudo ip6tables -I INPUT 1 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

If you're using CSF and find your rules getting overwritten, that is csf -r doing its job: it rebuilds the iptables rules from csf.conf. Put the range in the config instead:

# Edit CSF configuration
sudo nano /etc/csf/csf.conf

# Append the range to the existing comma-separated UDP_OUT list; do not
# replace the list, or DNS and the other entries stop working. For example,
# if the line currently reads UDP_OUT = "20,21,53,113,123", make it:
UDP_OUT = "20,21,53,113,123,33434:33534"

# UDP_IN only matters if other hosts should be able to traceroute to this
# server; it is not needed for traces started here.

# Then restart CSF
sudo csf -r

If you can't modify firewall rules, the probes can be switched to a protocol the OUTPUT chain already allows. TCP-based traceroute sends SYN probes, to port 80 unless -p says otherwise, so it passes a firewall that permits outbound HTTP:

sudo traceroute -T example.com

Or ICMP-based, using echo requests like ping:

sudo traceroute -I example.com

Both need a raw socket, so root or the CAP_NET_RAW capability (which many distributions set on the traceroute binary), and both still fail with the same error if the OUTPUT chain rejects that traffic too; they are a workaround for a UDP-only block, not for a deny-all chain.

If rules keep getting reset:
1. Check for other firewall services (ufw, firewalld) and for an nftables ruleset active alongside iptables (nft list ruleset)
2. Remember that csf -r, or anything else that restarts CSF, regenerates the ruleset from csf.conf; hand-added iptables rules survive only if placed in /etc/csf/csfpost.sh
3. Look for competing firewall management tools, such as configuration management that reapplies a ruleset on its own schedule

After implementing changes:

sudo iptables -L OUTPUT -n --line-numbers | grep 33434
sudo traceroute -n 8.8.8.8