[TriLUG] traceroute works, ping and tcp services don't get through

Michael Hrivnak mhrivnak at hrivnak.org
Fri May 18 16:47:11 EDT 2012


As Alexey said, UDP and ICMP are different protocols.  A big
distinguishing characteristic is that UDP has a concept of ports
(similar to TCP), but ICMP does not.

Everything I described about how traceroute works is stating what the
tool actually does in normal operation, irrespective of your
situation.

Is there any NAT going on between client and server?

Michael

On Fri, May 18, 2012 at 3:11 PM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> On Fri, 18 May 2012, Michael Hrivnak wrote:
>
>> It may be helpful to better understand what traceroute is doing when
>> client runs traceroute to server.
>
>
> yes ;-)
>
>
>> Packets from client to server are UDP and sent to ports that are unlikely
>> to have an actual service listening on the destination.
>
>
> hmm. I thought they were type ICMP, which is a type of UDP I guess.
>
>
>> Routers along the way, in your case only router2, respond with ICMP type
>> 11 Time Exceeded packets.
>
>
> it's supposed to do this, or this is the way I'm likely to have it set up
> with my firewall rules?
>
>
>> The destination will respond with ICMP type 3 Destination Unreachable,
>> with code 3 Port Unreachable.
>
>
> same question?
>
>
>> The simple firewall tutorial you linked to does some interesting things.
>>  You may want to search your own firewall rules for "--reject-with
>> icmp-host-unreach" and see if you find anything there that would explain
>> some of the behavior you've seen.
>
>
> I haven't changed any of the icmp stuff, since I didn't understand it. I did
> try to pull the icmp stuff out into its own table by
>
> iptables -N ICMP
>
> and then just before the icmp rules doing
>
> iptables -A INPUT -j ICMP
>
> (or something like that) and then -j LOG in the ICMP table to see what was
> happening. However no packets appeared in the ICMP table. I'm still
> scratching my head about this.
>
>
>> It's possible that if a router was responding with ICMP type 3, it could
>> have fooled traceroute into thinking it had reached the destination.
>
>
> thanks. I need to look into this a bit. This is more complicated than I
> thought.
>
> I'm going away for 2 weeks tomorrow, so I won't get to do anything on this
> for a little while.
>
> Thanks
>
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
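
Added example, not part of the original thread: a small Python classifier for the ICMP replies discussed above (type 11 Time Exceeded from routers, type 3 code 3 Port Unreachable from the destination), which also flags a Port Unreachable whose sender is not the address the UDP probe was sent to. The addresses, ports, packets and function names are constructed for illustration; a REJECT rule using the host-unreachable option shows up as type 3 code 1.

```python
import socket
import struct

CLIENT = "192.0.2.10"  # constructed documentation address for the traceroute client

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 because this is a constructed sample
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_error(responder, icmp_type, code, probe_dst, probe_dport):
    """Constructed ICMP error quoting the UDP probe's IP header + 8 bytes."""
    udp = struct.pack("!HHHH", 40000, probe_dport, 8, 0)
    quoted = ipv4_header(CLIENT, probe_dst, 17, len(udp), ttl=1) + udp
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_header(responder, CLIENT, 1, len(icmp)) + icmp

def classify(packet):
    """Interpret one reply the way the thread describes traceroute reading it."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 28:
        return {"verdict": "ignored"}          # not ICMP, or too short to quote a probe
    responder = socket.inet_ntoa(packet[12:16])
    icmp_type, code = packet[ihl], packet[ihl + 1]
    quoted = packet[ihl + 8:]                  # original IP header + first 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < q_ihl + 8:
        return {"verdict": "ignored"}          # quoted packet is not a UDP probe
    probe_dst = socket.inet_ntoa(quoted[16:20])
    dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    if icmp_type == 11 and code == 0:
        verdict = "hop"                        # Time Exceeded from a router
    elif icmp_type == 3 and code == 3:
        # Port Unreachable is expected from the address that was probed
        verdict = "destination" if responder == probe_dst else "port-unreach-from-other-host"
    elif icmp_type == 3:
        verdict = f"unreachable-code-{code}"   # e.g. code 1 = Host Unreachable
    else:
        verdict = "ignored"
    return {"verdict": verdict, "responder": responder,
            "probe_dst": probe_dst, "dport": dport}

if __name__ == "__main__":
    samples = [("198.51.100.1", 11, 0), ("198.51.100.1", 3, 3),
               ("198.51.100.1", 3, 1), ("203.0.113.5", 3, 3)]
    for n, (src, t, c) in enumerate(samples):
        print(classify(build_icmp_error(src, t, c, "203.0.113.5", 33434 + n)))
```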


