Re: Would using iptables limit my number of possible hops?



On Fri, 31 Aug 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <1188548870.725562.280680@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
dominic.jacobssen@xxxxxxxxx wrote:

> Oooh, I hadn't heard of tcptracert before. Nice new tools!

Yes, however it shares one dependency with hping2, hping3, mtr, and
the various versions of traceroute in that the intermediate hops are
all identified by sending a packet with incrementally increasing TTLs
and hoping that the "remote" sites will return an ICMP Type 11 error
message when they drop the packets after decrementing the TTL.

One thing to look at is the actual packet that is leaving your firewall
and see if it contains any "strange" flags, or unexpected TTLs. When the
2.4.0 kernel was introduced back in early 2001, there was a rash of
connection problems reported because this kernel introduced the use of
ECN (Explicit Congestion Notification - see RFC3168). Some routers of
that era were configured to silently discard packets with "unknown"
flags set. There were bug fixes for these routers, but it is possible
that you may be encountering one or more that have not been updated.
You could try disabling the ECN in your firewall by

echo 0 > /proc/sys/net/ipv4/tcp_ecn

and see if that fixes the problem. It's not very likely, as the bugfix
was widely publicized back then, and one would hope that the people who
operate the routers have their collective heads out of their a$$. But
one never knows. You mention Ubuntu, and I'm sure you can find a packet
sniffer (tcpdump, ethereal [now known as wireshark], or what-ever) to see
what those outgoing packets look like.

> $ tcptraceroute -n 213.171.216.230 80

In your original post, you mention mail on ports 25 and 110, rather than
web stuff on 80. None the less, from here (North America), I can see that
the port is open and there appears nothing untoward (no ident check to
port 113 for example).

> 11 * 213.248.104.81 119.929 ms 137.001 ms
> 12 80.91.250.209 118.331 ms 120.699 ms 116.717 ms
> 13 213.248.64.93 125.581 ms 119.391 ms 135.511 ms
> 14 80.91.254.22 121.862 ms 122.924 ms 130.701 ms
> 15 * * *

10 213.248.65.97 (213.248.65.97) 314.589 ms 298.770 ms 299.088 ms
11 80.91.250.233 (80.91.250.233) 304.663 ms 298.652 ms 309.089 ms
12 213.248.75.154 (213.248.75.154) 304.526 ms 298.788 ms 299.091 ms
13 88.208.255.1 (88.208.255.1) 304.654 ms 308.715 ms 289.123 ms
14 213.171.217.2 (213.171.217.2) 294.545 ms 298.769 ms 289.097 ms
15 213.171.216.230 (213.171.216.230) [open] 284.802 ms * 289.584 ms

although I'm hitting slightly different routers obviously.

> The odd thing is that everything else seems to be working just fine.
> It's just so odd and inexplicable.

I'd try the ECN - wouldn't be the first (or last) time that has caught
someone by surprise.

Old guy
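The mechanism described in the reply above (incrementing TTLs, an ICMP Type 11 from each hop whose TTL counter hits zero, and an old router that silently discards packets carrying ECN bits) as a small simulation. This is added example code, not from the thread or from either poster: the path, the router addresses (RFC 5737 documentation ranges) and the drops_unknown_flags behaviour are constructed assumptions, and nothing here touches the network.

```python
"""Simulated TTL-based hop discovery (traceroute / tcptraceroute style)
with one router that silently discards ECN-marked packets.

Hypothetical example written for this thread; the path below is constructed
and no packets are sent.
"""
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = 11  # ICMP Type 11 that a well-behaved hop sends back


@dataclass
class Packet:
    ttl: int
    ecn: bool = False  # ECN bits set (tcp_ecn = 1 on the sending host)


@dataclass
class Router:
    addr: str
    drops_unknown_flags: bool = False  # assumption: models the buggy router

    def handle(self, pkt: Packet) -> str:
        """Return 'drop' (silent discard), 'icmp' (Type 11 sent) or 'forward'."""
        if self.drops_unknown_flags and pkt.ecn:
            return "drop"       # no ICMP at all, so the hop never shows up
        pkt.ttl -= 1
        if pkt.ttl == 0:
            return "icmp"       # TTL expired here: this hop reveals its address
        return "forward"


@dataclass
class Host:
    addr: str

    def handle(self, pkt: Packet) -> str:
        return "open"           # tcptraceroute: SYN/ACK from the target port


def probe(path, ttl, ecn):
    """Send one probe with the given TTL along the path; return what comes back."""
    pkt = Packet(ttl=ttl, ecn=ecn)
    for node in path:
        action = node.handle(pkt)
        if action == "drop":
            return "*"
        if action == "icmp":
            return node.addr
        if action == "open":
            return f"{node.addr} [open]"
    return "*"


def traceroute(path, ecn=False, max_hops=30):
    """Increase the TTL one step at a time until the target answers or max_hops is hit."""
    results = []
    for ttl in range(1, max_hops + 1):
        reply = probe(path, ttl, ecn)
        results.append((ttl, reply))
        if reply.endswith("[open]"):
            break
    return results


def first_silent_hop(results):
    """TTL of the first hop that returned nothing; None if every hop answered."""
    for ttl, reply in results:
        if reply == "*":
            return ttl
    return None


def render(results):
    """Format results the way traceroute prints them (one hop per line)."""
    return "\n".join(f"{ttl:2d} {reply}" for ttl, reply in results)


# Constructed path: four routers, the third one drops ECN-marked packets.
PATH = [
    Router("192.0.2.1"),
    Router("192.0.2.2"),
    Router("192.0.2.3", drops_unknown_flags=True),
    Router("192.0.2.4"),
    Host("198.51.100.10"),
]

if __name__ == "__main__":
    print("tcp_ecn = 0:")
    print(render(traceroute(PATH, ecn=False)))
    print("\ntcp_ecn = 1:")
    print(render(traceroute(PATH, ecn=True, max_hops=6)))
```

With ECN off the trace reaches the host and prints `[open]`; with ECN on, every probe whose TTL carries it past the second router is discarded, so hop 3 and everything after it comes back as `*`. That pattern (stars from one hop onward, never any reply later) is what a silent drop looks like; a single hop of stars followed by answering hops is just a router that rate-limits or does not send Type 11, which is harmless and common.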