Re: Would using iptables limit my number of possible hops?
On Aug 30, 6:42 pm, dominic.jacobs...@xxxxxxxxx wrote:
Hi all.

I've got an odd networking problem that has completely stumped me. I'm
very familiar with Linux on a day-to-day basis, but I'm no networking
guru, and I figured that a usenet post would be the best bet.

The technical support people at my ISP are no help at all, and insist
that it must be something to do with my setup. The thing is, I am not
sure that they're wrong. I wouldn't mind it if they actually backed up
their assertion with a wireshark trace, but I get the impression it's
just laziness on their part.

This is the problem:

A colleague of mine and I share an ADSL connection going through a
Linux firewall running iptables. I administer the firewall. The
firewall machine has two ethernet ports, with pretty simple rules:

- allow incoming SSH on a high port;
- allow access to and from the LAN;
- allow "associated" incoming connections;

For the most part, Internet connectivity is fine. Web, SMTP, POP3,
BitTorrent, SSH, you name it. My ISP blocks the first 1024 incoming
ports as a matter of policy, but apart from that the service is solid
and fast.

However, this colleague has an email account hosted by
fasthosts.net.uk (actually, they seem to go via many names: fasthosts,
livemail, including various permutations of .co.uk, .net, etc). For
the last three days he cannot connect to any of the following
addresses:

smtp-in-112.livemail.co.uk (213.171.216.112)
mail213-171-216-21.livemail.co.uk (213.171.216.21)
mail213-171-216-230.livemail.co.uk (213.171.216.230)

Performing a tracepath on these addresses gives a suspicious pattern
(I've removed the first few lines):

$ tracepath 213.171.216.230
[...]
4: tshape-phome.lim.thunderworx.net (62.12.70.157) 65.300ms
5: r-psdl.lim.thunderworx.net (194.42.135.46) asymm 3 63.977ms
6: r-bbone3.lim.thunderworx.net (217.27.49.90) 65.731ms
7: tshape2.thunderworx.net (194.42.133.139) 107.126ms
8: r-bbone3.lim.thunderworx.net (194.42.143.27) asymm 6 94.535ms
9: r-bbone2.lim.thunderworx.net (217.27.35.113) asymm 7 149.221ms
10: r-bbone2.ldn.thunderworx.net (217.27.47.26) asymm 9 232.981ms
11: no reply
12: ldn-b1-link.telia.net (80.91.250.209) asymm 11 149.305ms
13: ldn-bb2-pos0-2-0.telia.net (213.248.64.93) 144.573ms
14: ldn-b4-link.telia.net (80.91.251.13) 147.085ms
15: no reply
16: no reply
[...]

$ tracepath 213.171.216.21
[...]
4: tshape-phome.lim.thunderworx.net (62.12.70.157) 64.224ms
5: r-psdl.lim.thunderworx.net (194.42.135.46) asymm 3 206.108ms
6: r-bbone3.lim.thunderworx.net (217.27.49.90) 197.966ms
7: tshape2.thunderworx.net (194.42.133.139) 197.653ms
8: r-bbone3.lim.thunderworx.net (194.42.143.27) asymm 6 298.153ms
9: r-bbone2.lim.thunderworx.net (217.27.35.113) asymm 7 630.963ms
10: r-bbone2.ldn.thunderworx.net (217.27.47.26) asymm 9 147.752ms
11: ldn-tch-i1-link.telia.net (213.248.104.81) asymm 10 463.028ms
12: ldn-b1-link.telia.net (80.91.250.209) asymm 11 147.198ms
13: ldn-bb1-link.telia.net (80.91.250.91) 171.609ms
14: ldn-b4-link.telia.net (80.91.249.78) 163.505ms
15: no reply
16: no reply
[...]

In other words, it never proceeds further than ldn-b4-link.telia.net
on the 14th hop.

The guys at the ISP say, "well, it works for me, must be something
with your setup". Now, I know that this works fine on another ISP, but
that goes via a different route.

As far as I know, nothing has changed on my setup. Moreover, I'm
stumped as to how having something misconfigured on my setup could
possibly affect connectivity between backbone switches thousands of
miles away. The only thing I can think of is maybe my MTU setting,
which is set to 1500.

How can I do more diagnostics? To whom can I complain? My ISP? Telia?
The final destination?

Thanks,

Dom
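
As an added example (not part of this thread), here is a small Python parser for tracepath output in the layout shown in the post, using the 213.171.216.230 run above as its sample input; it reports the last hop that answered and how many silent hops follow it, and keeps a lone mid-path "no reply" apart from the trailing silence, since only the latter says anything about where the path stops.

```python
import re

# Sample input, copied from the post above: the tracepath run against
# 213.171.216.230 (hops 4 to 16, with the wrapped "asymm" lines rejoined).
SAMPLE = """\
4: tshape-phome.lim.thunderworx.net (62.12.70.157) 65.300ms
5: r-psdl.lim.thunderworx.net (194.42.135.46) asymm 3 63.977ms
6: r-bbone3.lim.thunderworx.net (217.27.49.90) 65.731ms
7: tshape2.thunderworx.net (194.42.133.139) 107.126ms
8: r-bbone3.lim.thunderworx.net (194.42.143.27) asymm 6 94.535ms
9: r-bbone2.lim.thunderworx.net (217.27.35.113) asymm 7 149.221ms
10: r-bbone2.ldn.thunderworx.net (217.27.47.26) asymm 9 232.981ms
11: no reply
12: ldn-b1-link.telia.net (80.91.250.209) asymm 11 149.305ms
13: ldn-bb2-pos0-2-0.telia.net (213.248.64.93) 144.573ms
14: ldn-b4-link.telia.net (80.91.251.13) 147.085ms
15: no reply
16: no reply
"""

# "asymm N" is optional: tracepath prints it when the reply's TTL suggests a return path of a different length.
HOP_RE = re.compile(r"^\s*(?P<n>\d+):\s+(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)"
                    r"(?:\s+asymm\s+(?P<asymm>\d+))?\s+(?P<rtt>[\d.]+)ms")
SILENT_RE = re.compile(r"^\s*(?P<n>\d+):\s+no reply")

def parse_tracepath(text):
    """One dict per hop line; a silent hop has host, ip, asymm and rtt = None."""
    hops = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hops.append({"n": int(m["n"]), "host": m["host"], "ip": m["ip"],
                         "asymm": int(m["asymm"]) if m["asymm"] else None,
                         "rtt": float(m["rtt"])})
        elif m := SILENT_RE.match(line):
            hops.append({"n": int(m["n"]), "host": None, "ip": None,
                         "asymm": None, "rtt": None})
    return hops

def diagnose(hops):
    """Last responding hop plus the silent hops around it. A lone silent hop with
    replies after it (hop 11 here) is just a router ignoring probes, not a block."""
    answered = [h for h in hops if h["host"] is not None]
    if not answered:
        return None
    last = answered[-1]
    return {"last_reply_hop": last["n"], "last_reply_host": last["host"],
            "trailing_silent": sum(1 for h in hops if h["n"] > last["n"]),
            "mid_path_silent": [h["n"] for h in hops
                                if h["host"] is None and h["n"] < last["n"]]}
```

Feed it the second trace from the post and it reports the same last responder (hop 14, ldn-b4-link.telia.net), which is what makes the pattern worth raising with whoever operates that hop rather than with the local firewall.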

I don't think the problem is with the ISP - it's somewhere in your
configuration.
Some ISPs lately, most of them, block all traceroute/ping queries at
their firewall, and it will never reach the target host. That's not the
issue.
Dig somewhere else or try your log files; try to find out what's
blocking/won't let you connect to that mail server.
Your firewall may be an issue.


zaher el sid***