[TriLUG] traceroute works, ping and tcp services don't get through

Michael Hrivnak mhrivnak at hrivnak.org
Fri May 18 14:20:26 EDT 2012


It may be helpful to better understand what traceroute is doing when
client runs traceroute to server.

If you were using the "traceroute" utility, its default mode does this:

Packets from client to server are UDP and sent to ports that are
unlikely to have an actual service listening on the destination.

Routers along the way, in your case only router2, respond with ICMP
type 11 Time Exceeded packets.

The destination will respond with ICMP type 3 Destination Unreachable,
with code 3 Port Unreachable.

The simple firewall tutorial you linked to does some interesting
things.  You may want to search your own firewall rules for
"--reject-with icmp-host-unreach" and see if you find anything there
that would explain some of the behavior you've seen.  It's possible
that if a router was responding with ICMP type 3, it could have fooled
traceroute into thinking it had reached the destination.

Michael
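As an added illustration (not part of Michael's message or anything else in this thread), the script below builds the three kinds of ICMP reply described above the way a host on the path would send them, then decodes them the way a UDP-mode traceroute does: a type 11 means "intermediate hop, keep going", any type 3 stops the trace. The addresses, ports and packet bytes are constructed for the example, and the "rejected-by" verdict is an extra check of my own (traceroute itself does not compare the replying address with the probe's destination, which is exactly why a firewall answering with `icmp-host-unreach` can look like the end of the path).

```python
"""Decode the ICMP replies a UDP traceroute probe elicits and decide what
classic traceroute would make of each. Added example; every address, port
and packet here is constructed, not captured from the thread's network."""
import socket
import struct

ICMP_TIME_EXCEEDED = 11   # sent by routers on the path when the probe's TTL expires
ICMP_DEST_UNREACH = 3     # sent by the destination (or a firewall) when it cannot deliver
CODE_PORT_UNREACH = 3     # the normal "probe arrived, nothing listening" answer
CODE_HOST_UNREACH = 1     # what iptables --reject-with icmp-host-unreach sends

# Annotations traceroute prints for unreachable codes other than 3 (see man traceroute)
UNREACH_ANNOTATION = {0: "!N", 1: "!H", 2: "!P", 4: "!F", 5: "!S", 13: "!X"}

# The probe traceroute sent: client -> server, high UDP port unlikely to have a listener
PROBE = {"src": "192.0.2.10", "dst": "203.0.113.5", "sport": 40000, "dport": 33434}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifying a packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(icmp_type: int, code: int, probe: dict) -> bytes:
    """Constructed ICMP error: 8-byte ICMP header, then the probe's IPv4 header
    and the first 8 bytes of its UDP datagram, as RFC 792 requires."""
    payload_len = 32
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + payload_len, 0, 0, 1, 17, 0,
                         socket.inet_aton(probe["src"]), socket.inet_aton(probe["dst"]))
    udp_hdr = struct.pack("!HHHH", probe["sport"], probe["dport"], 8 + payload_len, 0)
    body = ip_hdr + udp_hdr
    cksum = inet_checksum(struct.pack("!BBHI", icmp_type, code, 0, 0) + body)
    return struct.pack("!BBHI", icmp_type, code, cksum, 0) + body


def parse_icmp_error(data: bytes) -> dict:
    """Pull type/code and the quoted probe headers out of an ICMP error message."""
    if len(data) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    if inet_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _ = struct.unpack("!BBHI", data[:8])
    inner = data[8:]
    ihl = (inner[0] & 0x0F) * 4
    fields = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"type": icmp_type, "code": code, "proto": fields[6],
            "inner_src": socket.inet_ntoa(fields[8]), "inner_dst": socket.inet_ntoa(fields[9]),
            "sport": sport, "dport": dport}


def classify_response(responder: str, data: bytes, probe: dict) -> str:
    """responder is the source IP of the ICMP packet; probe is the UDP probe we sent."""
    info = parse_icmp_error(data)
    quoted = (info["inner_src"], info["inner_dst"], info["sport"], info["dport"])
    sent = (probe["src"], probe["dst"], probe["sport"], probe["dport"])
    if info["proto"] != 17 or quoted != sent:
        return "unrelated"                 # quoted packet is not our probe, ignore it
    if info["type"] == ICMP_TIME_EXCEEDED and info["code"] == 0:
        return f"hop {responder}"          # intermediate router; traceroute raises TTL and continues
    if info["type"] == ICMP_DEST_UNREACH:
        ann = UNREACH_ANNOTATION.get(info["code"], "")
        if responder == probe["dst"]:
            return f"reached {responder} {ann}".rstrip()
        # traceroute stops here as well, but the reply did not come from the target:
        # a firewall on the path rejected the probe, so the trace is misleading
        return f"rejected-by {responder} {ann}".rstrip()
    return f"ignored type={info['type']} code={info['code']}"


def demo() -> list:
    """Constructed replies: router2 (TTL expired), the server (port unreachable),
    and router2 again pretending to be the end of the path via host-unreach."""
    from_router2 = build_icmp_error(ICMP_TIME_EXCEEDED, 0, PROBE)
    from_server = build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, PROBE)
    from_firewall = build_icmp_error(ICMP_DEST_UNREACH, CODE_HOST_UNREACH, PROBE)
    return [classify_response("198.51.100.1", from_router2, PROBE),
            classify_response("203.0.113.5", from_server, PROBE),
            classify_response("198.51.100.1", from_firewall, PROBE)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it and the third line shows the case Michael describes: a `!H` reply from router2 would end the trace at router2, with traceroute printing that address as if the probe had gone no further. Comparing the responder against the probe's destination is the cheap way to tell the two apart when reading a packet capture.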

On Fri, May 18, 2012 at 1:28 PM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> On Fri, 18 May 2012, Seva Adari wrote:
>
>> Just a wild guess: May be your router2 is configured to block icmp
>> outbound!
>
>
> Sounds possible. My firewall rules started with a standard set of rules
> which I downloaded
>
> https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall
>
> I remember the router rules allow inbound icmp type 8, but no other inbound
> icmp. I don't know why he chose this, but he did and until I had good reason
> otherwise, I was going to follow his example. traceroute is icmp type 11 and
> presumably is blocked.
>
>
>> Once inbound is allowed, it is unusual to block the response packets, but
>> I believe it is doable.
>
>
> you can do anything with iptables ;-\, including stuff you don't realise
>
> Let me go check it.
>
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
