Re: Would using iptables limit my number of possible hops?
- From: Jack Snodgrass <jacks_temp_id_bf2142@xxxxxxxxxxx>
- Date: Thu, 30 Aug 2007 09:18:58 GMT
On Thu, 30 Aug 2007 08:42:10 +0000, dominic.jacobssen wrote:
Hi all.
I've got an odd networking problem that has completely stumped me. I'm
very familiar with Linux on a day-to-day basis, but I'm no networking
guru, and I figured that a usenet post would be the best bet.
The technical support people at my ISP are no help at all, and insist
that it must be something to do with my setup. The thing is, I am not
sure that they're wrong. I wouldn't mind it if they actually backed up
their assertion with a wireshark trace, but I get the impression it's
just laziness on their part.
This is the problem:
A colleague of mine and I share an ADSL connection going through a Linux
firewall running iptables. I administer the firewall. The firewall
machine has two ethernet ports, with pretty simple rules:
- allow incoming SSH on a high port;
- allow access to and from the LAN;
- allow "associated" incoming connections;
For the most part, Internet connectivity is fine. Web, SMTP, POP3,
BitTorrent, SSH, you name it. My ISP block the first incoming 1024 ports
as a matter of policy, but apart from that the service is solid and
fast.
However, this colleague has an email account hosted by fasthosts.net.uk
(actually, they seem to go via many names: fasthosts, livemail,
including various permutations of .co.uk, .net, etc). For the last three
days he cannot connect to any of the following addresses:
smtp-in-112.livemail.co.uk (213.171.216.112)
mail213-171-216-21.livemail.co.uk (213.171.216.21)
mail213-171-216-230.livemail.co.uk (213.171.216.230)
Performing a tracepath on these addresses gives a suspicious pattern
(I've removed the first few lines):
$ tracepath 213.171.216.230
[...]
 4:  tshape-phome.lim.thunderworx.net (62.12.70.157)            65.300ms
 5:  r-psdl.lim.thunderworx.net (194.42.135.46)       asymm  3  63.977ms
 6:  r-bbone3.lim.thunderworx.net (217.27.49.90)                65.731ms
 7:  tshape2.thunderworx.net (194.42.133.139)                   107.126ms
 8:  r-bbone3.lim.thunderworx.net (194.42.143.27)     asymm  6  94.535ms
 9:  r-bbone2.lim.thunderworx.net (217.27.35.113)     asymm  7  149.221ms
10:  r-bbone2.ldn.thunderworx.net (217.27.47.26)      asymm  9  232.981ms
11:  no reply
12:  ldn-b1-link.telia.net (80.91.250.209)            asymm 11  149.305ms
13:  ldn-bb2-pos0-2-0.telia.net (213.248.64.93)                 144.573ms
14:  ldn-b4-link.telia.net (80.91.251.13)                       147.085ms
15:  no reply
16:  no reply
[...]
$ tracepath 213.171.216.21
[...]
 4:  tshape-phome.lim.thunderworx.net (62.12.70.157)            64.224ms
 5:  r-psdl.lim.thunderworx.net (194.42.135.46)       asymm  3  206.108ms
 6:  r-bbone3.lim.thunderworx.net (217.27.49.90)                197.966ms
 7:  tshape2.thunderworx.net (194.42.133.139)                   197.653ms
 8:  r-bbone3.lim.thunderworx.net (194.42.143.27)     asymm  6  298.153ms
 9:  r-bbone2.lim.thunderworx.net (217.27.35.113)     asymm  7  630.963ms
10:  r-bbone2.ldn.thunderworx.net (217.27.47.26)      asymm  9  147.752ms
11:  ldn-tch-i1-link.telia.net (213.248.104.81)       asymm 10  463.028ms
12:  ldn-b1-link.telia.net (80.91.250.209)            asymm 11  147.198ms
13:  ldn-bb1-link.telia.net (80.91.250.91)                      171.609ms
14:  ldn-b4-link.telia.net (80.91.249.78)                       163.505ms
15:  no reply
16:  no reply
[...]
In other words, it never proceeds further than ldn-b4-link.telia.net on
the 14th hop.
The guys at the ISP say, "well, it works for me, must be something with
your setup". Now, I know that this works fine on another ISP, but that
goes via a different route.
As far as I know, nothing has changed on my setup. Moreover, I'm stumped
as to how having something misconfigured on my setup could possibly
affect connectivity between backbone switches thousands of miles away.
The only thing I can think of is maybe my MTU setting, which is set to
1500.
How can I do more diagnostics? To whom can I complain? My ISP? Telia?
The final destination?
Thanks,
Dom
all this shows is that traceroute is disabled at a host along the
path... just because traceroute is disabled... doesn't mean that you
can't get a tcp connection to it...
what issue ( besides traceroute ) are you having?
To debug some of these issues you can just try and do
telnet host 25 ( 25 - smtp server port )
telnet host 110 ( 110 - pop3 port )
telnet host 143 ( 143 - imap port )
and see if you can get a connection.
Some hosts do a reverse name lookup ( should slow things down
a lot ) and decide if they want to allow the connection or not...
.... here is an example...
telnet 213.171.216.112 25
Trying 213.171.216.112...
Connected to smtp-in-112.livemail.co.uk (213.171.216.112).
Escape character is '^]'.
220 smtp-in-79.livemail.co.uk ESMTP Postfix
^]
telnet> quit
Connection closed.
does that work for you?
what doesn't work?
jack
--
D.A.M. - Mothers Against Dyslexia
see http://www.jacksnodgrass.com for my contact info.
jack - Grapevine/Richardson
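The check Jack describes, done in code rather than by hand: open a plain TCP connection to the mail ports and read the greeting, so a path that drops tracepath/ICMP probes can still be shown as reachable (or genuinely unreachable) at the TCP layer. This is an added example, not code from either poster; the "fake server" and the closed-port helper are constructed so it runs offline against loopback.

```python
import socket
import threading

# Ports from the thread: "telnet host 25 / 110 / 143".
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap"}

def tcp_banner_check(host, port, timeout=5.0):
    """Equivalent of 'telnet host port': connect over TCP and read the greeting.

    Returns {'connected': bool, 'banner': first line or '', 'error': text}.
    A refused or timed-out connect is reported, not raised, so the caller can
    tell "no route / filtered" apart from "reachable but silent".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""  # connected, but the service sent no greeting
        banner = data.decode("ascii", "replace").splitlines()[0] if data else ""
        return {"connected": True, "banner": banner, "error": ""}
    except OSError as e:
        return {"connected": False, "banner": "", "error": str(e)}

def check_mail_host(host, ports=MAIL_PORTS, timeout=5.0):
    """Run tcp_banner_check against every mail port; keyed by service name."""
    return {name: tcp_banner_check(host, port, timeout) for port, name in ports.items()}

def fake_smtp_server(banner):
    """Constructed stand-in for a mail server: answers one client with `banner`.
    Returns the loopback port it listens on (assumption: loopback is available)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner + b"\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port():
    """Bind-then-release a loopback port so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    port = fake_smtp_server(b"220 smtp-in-79.livemail.co.uk ESMTP Postfix")
    print(tcp_banner_check("127.0.0.1", port))
    print(tcp_banner_check("127.0.0.1", closed_local_port(), timeout=2))
```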