Re: traceroute error !<10>

From: Alexander Dalloz (ad+lists_at_uni-x.org)
Date: 11/28/04

    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Sun, 28 Nov 2004 05:52:51 +0100

    On Sun, 28.11.2004, Alexander Dalloz wrote at 5:30:

    > See the following older thread about exactly the same:
    >
    > http://marc.theaimsgroup.com/?l=fedora-list&m=107334879017683&w=2
    >
    > Especially notice the reply by Bevan Bennett who made the best attempts
    > to find the reason for that traceroute behaviour.

    It is clearly the default Fedora firewall (iptables) setup which causes
    this traceroute output. Below I show the states when tracerouting
    from my one Fedora Core host (no iptables rules active) with IP
    192.168.0.2 to the FC3 host with the default iptables setup, and then
    with a changed one; that host has IP 192.168.0.3. Both are connected
    through a switch.

    A) FC3 host has default iptables setup active:

    $ traceroute 192.168.0.3
    traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
     1 bartleby (192.168.0.3) 0.640 ms !<10> 4.046 ms !<10> 3.437 ms !<10>

    $ cat /etc/sysconfig/iptables
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    From the above you see that new incoming UDP packets are rejected by the
    final rule with icmp-host-prohibited, which is exactly what !<10> from
    traceroute is telling us.

    B) changed iptables on the target host by allowing new UDP packets:

    iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j ACCEPT

    $ traceroute 192.168.0.3
    traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
     1 bartleby (192.168.0.3) 4.562 ms 0.627 ms 0.334 ms

    You see the difference? So the reason for your observation is clear.
    Btw. the ICMP unreachable code does not stand for "router solicitation".
    You looked up the wrong one.

    http://www.iana.org/assignments/icmp-parameters

    What traceroute prints out is type 3 with code 10 which stands for
    "Communication with Destination Host is Administratively Prohibited".

    What you can do now is either live with that situation or allow
    specific UDP INPUT packets which have the state NEW. It depends on your
    local environment whether an iptables adjustment is reasonable.

    Alexander

    -- 
    Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
    legal statement: http://www.uni-x.org/legal.html
    Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
    Serendipity 05:51:52 up 8 days, 39 users, load average: 1.02, 0.94, 0.93
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
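Added example (not part of Alexander's post or of Fedora's tooling): a small Python script that ties the two halves of the explanation above together. It decodes the `!<10>` annotation in traceroute output into the IANA type 3 code the post points to, and walks an iptables-save style copy of the RH-Firewall-1-INPUT chain to show which rule a NEW inbound UDP probe hits, before and after the `-I ... -p udp -j ACCEPT` rule. The rule matcher is a deliberately tiny toy (only `-i`, `-p`, `--dport`, `--state`, `-j` and `--reject-with`), the sample ruleset and traceroute line are constructed from the post with most of the TCP rules dropped for brevity, and the narrower `--dport 33434:33523` variant goes a step beyond the post, limiting the opening to the classic UDP traceroute probe port range so other new UDP traffic keeps being rejected.

```python
import re

# IANA ICMP type 3 (Destination Unreachable) codes, from the registry the post links to.
ICMP_UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence cutoff in effect",
}
# Letters classic traceroute prints for well-known codes; any other code is printed as !<code>.
LETTER_TO_CODE = {"N": 0, "H": 1, "P": 2, "F": 4, "S": 5, "X": 13, "V": 14, "C": 15}
ADMIN_PROHIBITED = {9, 10, 13}          # codes that mean "a filter answered", not "no route"
# iptables REJECT --reject-with names and the ICMP type 3 code each one emits.
REJECT_WITH_CODE = {
    "icmp-net-unreachable": 0, "icmp-host-unreachable": 1, "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3, "icmp-net-prohibited": 9, "icmp-host-prohibited": 10,
    "icmp-admin-prohibited": 13,
}
ANNOTATION_RE = re.compile(r"!(?:<(\d+)>|([A-Z]))")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")


def parse_traceroute(text):
    """Return [(hop, host, ip, [(icmp_code, description), ...]), ...] from traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # skip the "traceroute to ..." banner
            continue
        codes = []
        for num, letter in ANNOTATION_RE.findall(line):
            code = int(num) if num else LETTER_TO_CODE[letter]
            codes.append((code, ICMP_UNREACHABLE_CODES.get(code, "unassigned/unknown")))
        hops.append((int(m.group(1)), m.group(2), m.group(3), codes))
    return hops


def filtered_hops(hops):
    """Hops that answered a probe with an administratively-prohibited unreachable (a firewall REJECT)."""
    return [(hop, host) for hop, host, _ip, codes in hops
            if any(c in ADMIN_PROHIBITED for c, _ in codes)]


def chain_verdict(ruleset, chain="RH-Firewall-1-INPUT", proto="udp", dport=33434, iface="eth0"):
    """Walk one iptables-save chain top-down for a NEW inbound packet and return
    (target, reject_with, icmp_code). Toy matcher: -i, -p, --dport (port or a:b
    range), --state, -j and --reject-with only; every option takes one argument."""
    for line in ruleset.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "-A" or toks[1] != chain:
            continue
        opts = dict(zip(toks[2::2], toks[3::2]))
        if "-i" in opts and opts["-i"] != iface:
            continue
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")
            if not int(lo) <= dport <= int(hi or lo):
                continue
        target = opts["-j"]
        if target == "REJECT":
            reject_with = opts.get("--reject-with", "icmp-port-unreachable")  # iptables default
            return (target, reject_with, REJECT_WITH_CODE[reject_with])
        return (target, None, None)
    return ("RETURN", None, None)      # fell off the end of the user-defined chain


def insert_rule(ruleset, chain, rule_args):
    """Emulate `iptables -I <chain> ...`: place the rule at position 1 of the chain."""
    lines = ruleset.splitlines()
    first = next(i for i, l in enumerate(lines) if l.startswith(f"-A {chain} "))
    lines.insert(first, f"-A {chain} {rule_args}")
    return "\n".join(lines)


# Constructed samples: the post's default ruleset with most TCP rules dropped, and its
# traceroute output with the mail-wrapped !<10> line re-joined.
DEFAULT_RULESET = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
TRACE_BEFORE = """\
traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
 1 bartleby (192.168.0.3) 0.640 ms !<10> 4.046 ms !<10> 3.437 ms !<10>
"""

if __name__ == "__main__":
    for hop, host in filtered_hops(parse_traceroute(TRACE_BEFORE)):
        print(f"hop {hop} ({host}): probe was REJECTed by a firewall, not lost in routing")
    print("default chain:", chain_verdict(DEFAULT_RULESET))
    fixed = insert_rule(DEFAULT_RULESET, "RH-Firewall-1-INPUT",
                        "-m state --state NEW -m udp -p udp -j ACCEPT")
    print("after the post's -I rule:", chain_verdict(fixed))
    narrow = insert_rule(DEFAULT_RULESET, "RH-Firewall-1-INPUT",
                         "-m state --state NEW -m udp -p udp --dport 33434:33523 -j ACCEPT")
    print("probe ports only:", chain_verdict(narrow), "dport 53:", chain_verdict(narrow, dport=53))
```

Run it as-is to see the default chain answer `("REJECT", "icmp-host-prohibited", 10)`, which is the `!<10>` the traceroute decoder reports, and `("ACCEPT", None, None)` once the UDP rule sits at position 1. The `chain_verdict` keyword arguments let you probe the same ruleset for other protocols, ports and interfaces, which is a quick way to sanity-check what a proposed rule opens before loading it.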