使用 iptables 进行 traceroute 时打开了 tcp/udp 端口​​，但仍然失败，为什么？

跟踪路由到服务器失败，这是问题的描述：

root@newTralev ~ # ifconfig 
eth0      Link encap:Ethernet  HWaddr 74:d0:2b:9a:85:74  
          inet addr:176.9.18.37  Bcast:176.9.18.63  Mask:255.255.255.224
root@condor1796 ~ # traceroute --port=33434 176.9.18.37
traceroute to 176.9.18.37 (176.9.18.37), 30 hops max, 60 byte packets
 1  static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  0.201 ms static-ip-209-126-119-2.inaddr.ip-pool.com (209.126.119.2)  3.741 ms static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  7.516 ms
 2  207.38.80.33 (207.38.80.33)  0.207 ms 207.38.80.37 (207.38.80.37)  0.248 ms  0.262 ms
 3  ae1.stl1-cr-atlas.bb.gdinf.net (207.38.95.5)  5.304 ms  5.304 ms  5.292 ms
 4  stlo-b1-link.telia.net (62.115.165.48)  0.456 ms  0.318 ms stlo-b1-link.telia.net (62.115.165.90)  0.453 ms
 5  chi-b23-link.telia.net (62.115.113.173)  7.864 ms  7.889 ms  7.850 ms
 6  hetzner-ic-340780-nug-b1.c.telia.net (213.248.70.1)  118.777 ms  118.762 ms  118.776 ms
 7  core24.fsn1.hetzner.com (213.239.252.234)  121.918 ms * *
 8  ex9k1.dc6.fsn1.hetzner.com (213.239.229.94)  121.127 ms ex9k1.dc6.fsn1.hetzner.com (213.239.229.90)  121.127 ms  121.059 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
root@condor1796 ~ # 

这是 iptables -L：

root@newTralev ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8008
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12301
ACCEPT     udp  --  anywhere             anywhere             udp dpt:12301
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:52444
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33434
ACCEPT     udp  --  anywhere             anywhere             udp dpt:33434
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

但是 hetzner 不应该阻止端口 33434，所以有人知道问题出在哪里吗？

也许在我的 iptables.config 文件中？

我的iptables.rules如下：

#!/bin/bash

# ATTENTION: flush/delete all existing rules
iptables -F

################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT

#dkim on port 12301
iptables -A INPUT -p tcp --dport 12301 -j ACCEPT
iptables -A INPUT -p udp --dport 12301 -j ACCEPT

#port for mtr
iptables -A INPUT -p tcp --dport 52444 -j ACCEPT
iptables -A INPUT -p udp --dport 52444 -j ACCEPT
iptables -A INPUT -p tcp --dport 33434 -j ACCEPT
iptables -A INPUT -p udp --dport 33434 -j ACCEPT



#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT

#limit number of connections
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8080 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8181 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 443 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8008 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP



################################################################
#slow down the amount of ssh connections by the same ip address:
#wait 60 seconds if 3 times failed to connect
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP

#drop everything else
iptables -A INPUT -j DROP
################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181

#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules
#List Rules to see what we have now
iptables -L

谢谢你！