Re: traceroute error !<10>

Thanks for the information. I had eventually figured out that turning off 
iptables would let it work, but it was not clear why Windows ftp would work 
to either machine in both directions, but not from either FC3 
machine. Also, I never had this problem with RH9 through FC2. 

Sorry about the thread thing, I wasn't aware of that information being 
in the header. I read the list on my home machine, so I didn't have 
the list address directly available, so a reply was a quick way of 
doing it. Didn't know it would cause a problem. 

Still haven't figured out the other problem with not being able to see the 
machines. I've booted with g4u, and get an IP combination that 
doesn't work, and then just change the IP address, and it works. 
Same IP block, but nothing.

Thanks again.


On 28 Nov 2004 at 5:52, Alexander Dalloz wrote:

From:           	Alexander Dalloz <ad+lists@xxxxxxxxx>
To:             	For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Date sent:      	Sun, 28 Nov 2004 05:52:51 +0100
Subject:        	Re: traceroute error !<10>
Send reply to:  	For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
	<mailto:fedora-list-request@xxxxxxxxxx?subject=unsubscribe>
	<mailto:fedora-list-request@xxxxxxxxxx?subject=subscribe>

> Am So, den 28.11.2004 schrieb Alexander Dalloz um 5:30:
> 
> > See the following older thread about exactly the same:
> > 
> > http://marc.theaimsgroup.com/?l=fedora-list&m=107334879017683&w=2
> > 
> > Especially notice the reply by Bevan Bennett who made the best attempts
> > to find the reason for that traceroute behaviour.
> 
> It is clearly the default Fedora firewall (iptables) setup which causes
> this traceroute output. Below I show the states when tracerouting
> from my one Fedora Core host (no iptables rules active) with IP
> 192.168.0.2 to the FC3 host with IP 192.168.0.3, first with the default
> iptables setup and then with a changed one. Both are connected through a switch.
> 
> A) FC3 host has default iptables setup active:
> 
> $ traceroute 192.168.0.3
> traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
>  1  bartleby (192.168.0.3)  0.640 ms !<10>  4.046 ms !<10>  3.437 ms !<10>
> 
> $ cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> From the above you see that new incoming UDP packets are rejected by the
> final rule with icmp-host-prohibited, which is exactly what the !<10> from
> traceroute is telling us.
> 
> B) changed iptables on the target host by allowing new UDP packets:
> 
> iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j ACCEPT
> 
> $ traceroute 192.168.0.3
> traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
>  1  bartleby (192.168.0.3)  4.562 ms  0.627 ms  0.334 ms
> 
> You see the difference? So the reason for your observation is clear.
> Btw. the ICMP unreachable code does not stand for "router solicitation".
> You looked up the wrong one.
> 
> http://www.iana.org/assignments/icmp-parameters
> 
> What traceroute prints out is type 3 with code 10 which stands for
> "Communication with Destination Host is Administratively Prohibited".
> 
> What you can do now is either live with that situation or allow
> specific UDP INPUT packets which have the state NEW. It depends on your
> local environment whether an iptables adjustment is reasonable.
> 
> Alexander
> 
> 
> -- 
> Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
> Serendipity 05:51:52 up 8 days, 39 users, load average: 1.02, 0.94, 0.93
> 


+----------------------------------------------------------+
  Michael D. Setzer II -  Computer Science Instructor      
  Guam Community College  Computer Center                  
  mailto:mikes@xxxxxxxxxxxxxxxx                            
  http://www.guam.net/home/mikes
  Guam - Where America's Day Begins                        
+----------------------------------------------------------+

http://setiathome.berkeley.edu
Number of Seti Units Returned:  14,912
Processing time:  29 years, 192 days, 21 hours, 53 minutes
(Total Hours: 258,670)
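As an added example (not part of the original thread or of any Fedora tooling), a small Python decoder that parses a traceroute hop line, maps the !<N> and letter annotations to the IANA ICMP type 3 codes cited above, and names the iptables --reject-with option that emits each code, so an operator can tell a firewall REJECT apart from a real routing problem. The sample hop line is the one quoted above, rejoined on one line; the regexes assume classic traceroute output layout.

```python
import re
# ICMP type 3 (Destination Unreachable) codes from the IANA registry
# cited in the mail (RFC 792 / RFC 1122 / RFC 1812).
ICMP_UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence cutoff in effect",
}
# Letter annotations classic traceroute prints; other codes appear as !<N>,
# which is why code 10 shows up as !<10>.
LETTER_CODES = {"N": 0, "H": 1, "P": 2, "F": 4, "S": 5, "X": 13, "V": 14, "C": 15}
# iptables REJECT --reject-with names and the ICMP type 3 code each emits.
REJECT_WITH = {0: "icmp-net-unreachable", 1: "icmp-host-unreachable",
               2: "icmp-proto-unreachable", 3: "icmp-port-unreachable",
               9: "icmp-net-prohibited", 10: "icmp-host-prohibited",
               13: "icmp-admin-prohibited"}
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$")
PROBE_RE = re.compile(r"(\*|\d+(?:\.\d+)?\s+ms)(?:\s+!(<\d+>|[A-Z]))?")

def parse_hop(line):
    """Parse one traceroute hop line; each probe yields an ICMP code or None."""
    m = HOP_RE.match(line)
    if not m:
        return None
    codes = []
    for _rtt, ann in PROBE_RE.findall(m.group(4)):
        if not ann:
            codes.append(None)                   # plain reply, no annotation
        elif ann.startswith("<"):
            codes.append(int(ann.strip("<>")))   # numeric form, e.g. !<10>
        else:
            codes.append(LETTER_CODES.get(ann))  # letter form, e.g. !H
    return {"hop": int(m.group(1)), "host": m.group(2),
            "ip": m.group(3), "codes": codes}

def explain(code):
    """Name an ICMP type 3 code and the iptables --reject-with option that sends it."""
    name = ICMP_UNREACH_CODES.get(code, "unassigned/unknown")
    rw = REJECT_WITH.get(code)
    return f"type 3 code {code}: {name}" + (f" (iptables --reject-with {rw})" if rw else "")

# Constructed sample: the hop line quoted in the mail, with the wrapped !<10> rejoined.
SAMPLE = " 1  bartleby (192.168.0.3)  0.640 ms !<10>  4.046 ms !<10>  3.437 ms !<10>"
print(*(explain(c) for c in sorted(set(parse_hop(SAMPLE)["codes"]) - {None})), sep="\n")
```

Feed it the full traceroute output line by line; a hop whose probes all decode to code 10 is being rejected by a host-level policy, exactly the situation the mail diagnoses, whereas code 3 (port unreachable) is the normal end-of-trace reply.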
