Re: traceroute error !<10>

On Sun, 28.11.2004 at 5:30, Alexander Dalloz wrote:

> See the following older thread about exactly the same:
> 
> http://marc.theaimsgroup.com/?l=fedora-list&m=107334879017683&w=2
> 
> Especially notice the reply by Bevan Bennett who made the best attempts
> to find the reason for that traceroute behaviour.

It is clearly the default Fedora firewall (iptables) setup which causes
this traceroute output. Below I show what happens when tracerouting
from one of my Fedora Core hosts (no iptables rules active) with IP
192.168.0.2 to the FC3 host, which has IP 192.168.0.3, first with the
default iptables setup and then with a changed one. Both are connected
through a switch.

A) FC3 host has default iptables setup active:

$ traceroute 192.168.0.3
traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
 1  bartleby (192.168.0.3)  0.640 ms !<10>  4.046 ms !<10>  3.437 ms !<10>

$ cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

From the above you see that new incoming UDP packets are rejected by the
final rule with icmp-host-prohibited, which is exactly what !<10> from
traceroute is telling us.

B) changed iptables on the target host by allowing new UDP packets:

iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j ACCEPT

$ traceroute 192.168.0.3
traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
 1  bartleby (192.168.0.3)  4.562 ms  0.627 ms  0.334 ms

Do you see the difference? So the reason for your observation is clear.
Btw, the ICMP unreachable code does not stand for "router solicitation".
You looked up the wrong one.

http://www.iana.org/assignments/icmp-parameters

What traceroute prints out is type 3 with code 10 which stands for
"Communication with Destination Host is Administratively Prohibited".

What you can do now is either live with that situation or allow
specific UDP INPUT packets which have the state NEW. It depends on your
local environment whether an iptables adjustment is reasonable.

Alexander


-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
Serendipity 05:51:52 up 8 days, 39 users, load average: 1.02, 0.94, 0.93

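To make the decoding in the post above mechanical, here is an added example (not part of the original thread): a small Python parser that reads traceroute hop lines, pulls out each probe's !<code> or letter annotation, and maps the ICMP type 3 code to its IANA name and to the iptables --reject-with keyword that makes a host emit it. The sample line is copied from case A above; the code table only covers the values iptables can generate plus the letter abbreviations traceroute itself uses.

```python
import re

# ICMP type 3 (Destination Unreachable) codes: IANA name and the iptables
# "--reject-with" keyword that produces each one (only codes iptables can send).
UNREACH_CODES = {
    0: ("Net Unreachable", "icmp-net-unreachable"),
    1: ("Host Unreachable", "icmp-host-unreachable"),
    2: ("Protocol Unreachable", "icmp-proto-unreachable"),
    3: ("Port Unreachable", "icmp-port-unreachable"),
    9: ("Communication with Destination Network is Administratively Prohibited",
        "icmp-net-prohibited"),
    10: ("Communication with Destination Host is Administratively Prohibited",
         "icmp-host-prohibited"),
    13: ("Communication Administratively Prohibited", "icmp-admin-prohibited"),
}
# Letters traceroute prints instead of !<code> for a few well-known codes.
LETTER_CODES = {"N": 0, "H": 1, "P": 2, "F": 4, "S": 5, "X": 13, "V": 14, "C": 15}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+) \(([\d.]+)\)\s+(.*)$")
PROBE_RE = re.compile(r"(\d+\.\d+) ms(?: !(?:<(\d+)>|([A-Z])))?")

def parse_hop(line):
    """Return (ttl, host, ip, [(rtt_ms, icmp_code_or_None), ...]) for one hop line."""
    m = HOP_RE.match(line)
    if not m:
        raise ValueError("not a traceroute hop line: %r" % line)
    probes = []
    for rtt, num, letter in PROBE_RE.findall(m.group(4)):
        code = int(num) if num else (LETTER_CODES.get(letter) if letter else None)
        probes.append((float(rtt), code))
    return int(m.group(1)), m.group(2), m.group(3), probes

def explain(code):
    """IANA name and matching iptables reject-with keyword for an unreachable code."""
    return UNREACH_CODES.get(code, ("other/unassigned code", None))

def diagnose(line):
    """Summarise a hop line: which codes came back and which reject rule causes them."""
    _, host, ip, probes = parse_hop(line)
    codes = sorted({c for _, c in probes if c is not None})
    if not codes:
        return "%s (%s): replies carry no unreachable annotation" % (host, ip)
    parts = []
    for c in codes:
        name, kw = explain(c)
        parts.append("!<%d> = %s (iptables --reject-with %s)" % (c, name, kw or "n/a"))
    return "%s (%s): " % (host, ip) + "; ".join(parts)

# Constructed sample, copied from case A in the post above.
print(diagnose(" 1  bartleby (192.168.0.3)  0.640 ms !<10>  4.046 ms !<10>  3.437 ms !<10>"))
```

A final hop that answers normally returns code 3 (port unreachable), which traceroute treats as completion and prints without any annotation, so only filtered or unreachable hops get an !<code> mark.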

