traceroute error !<10>

Michael D. Setzer II mikes at kuentos.guam.net
Sun Nov 28 09:20:57 UTC 2004


Thanks for the information. I had eventually figured that turning off 
iptables would let it work, but not clear why windows ftp would work 
to either machine in both directions, but not from either FC3 
machine. Also, never had this problem with RH9 through FC2. 

Sorry about the thread thing, I wasn't aware of that information being 
in the header, I read the list on my home machine, so I didn't have 
the list address directly available, so a reply was a quick way of 
doing it. Didn't know it would cause a problem. 

Still haven't figured the other problem with not being able to see the 
machines. I've booted with g4u, and get an ip combination that 
doesn't work, and then just change the IP address, and it works. 
Same IP Block, but nothing.

Thanks again.


On 28 Nov 2004 at 5:52, Alexander Dalloz wrote:

From:           	Alexander Dalloz <ad+lists at uni-x.org>
To:             	For users of Fedora Core releases <fedora-list at redhat.com>
Date sent:      	Sun, 28 Nov 2004 05:52:51 +0100
Subject:        	Re: traceroute error !<10>
Send reply to:  	For users of Fedora Core releases <fedora-list at redhat.com>

> On Sun, 28.11.2004 at 5:30, Alexander Dalloz wrote:
> 
> > See the following older thread about exactly the same:
> > 
> > http://marc.theaimsgroup.com/?l=fedora-list&m=107334879017683&w=2
> > 
> > Especially notice the reply by Bevan Bennett who made the best attempts
> > to find the reason for that traceroute behaviour.
> 
> It is clearly the default Fedora firewall (iptables) setup which causes
> this traceroute output. Below I show the states when tracerouting
> from one of my Fedora Core hosts (no iptables rules active), IP
> 192.168.0.2, to the FC3 host with the default iptables setup and then a
> changed one; that host has IP 192.168.0.3. Both are connected through a switch.
> 
> A) FC3 host has default iptables setup active:
> 
> $ traceroute 192.168.0.3
> traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
>  1  bartleby (192.168.0.3)  0.640 ms !<10>  4.046 ms !<10>  3.437 ms !<10>
> 
> $ cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> From the above you see that new incoming UDP packets are rejected by the
> final rule with icmp-host-prohibited, which is exactly what !<10> from
> traceroute is telling us.
> 
> B) changed iptables on target host by allowing new UDP packets
> 
> iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j ACCEPT
> 
> $ traceroute 192.168.0.3
> traceroute to 192.168.0.3 (192.168.0.3), 30 hops max, 38 byte packets
>  1  bartleby (192.168.0.3)  4.562 ms  0.627 ms  0.334 ms
> 
> You see the difference? So the reason for your observation is cleared.
> Btw. the ICMP unreachable code does not stand for "router solicitation".
> You looked up the wrong one.
> 
> http://www.iana.org/assignments/icmp-parameters
> 
> What traceroute prints out is type 3 with code 10 which stands for
> "Communication with Destination Host is Administratively Prohibited".
> 
> What you can do now is either live with that situation or allow
> specific UDP INPUT packets which have the state NEW. It depends on your
> local environment whether an iptables adjustment is reasonable.
> 
> Alexander
> 
> 
> -- 
> Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
> Serendipity 05:51:52 up 8 days, 39 users, load average: 1.02, 0.94, 0.93
> 


+----------------------------------------------------------+
  Michael D. Setzer II -  Computer Science Instructor      
  Guam Community College  Computer Center                  
  mailto:mikes at kuentos.guam.net                            
  http://www.guam.net/home/mikes
  Guam - Where America's Day Begins                        
+----------------------------------------------------------+

http://setiathome.berkeley.edu
Number of Seti Units Returned:  14,912
Processing time:  29 years, 192 days, 21 hours, 53 minutes
(Total Hours: 258,670)
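As an added example (not code from the thread or from Fedora), here is a small first-match evaluator for the quoted iptables rules that shows why the default FC3 chain turns every traceroute UDP probe into "!<10>" and why the quoted fix changes that; it also tries a narrower rule limited to traceroute's default UDP probe port range, which is my assumption rather than something the thread suggests. Only the matchers the quoted rules use (-i, -p, --dport, --state, --reject-with) are understood; other options are ignored.

```python
# Constructed sample: the quoted default FC3 chain (mail-wrapped rules re-joined).
DEFAULT_RULES = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()
# The quoted fix: "iptables -I" puts the new-UDP ACCEPT at the top of the chain.
FIXED_RULES = ["-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j ACCEPT"] + DEFAULT_RULES
# Narrower alternative (an assumption, not from the thread): admit only traceroute's
# default UDP probe ports 33434-33523 rather than every new UDP flow.
NARROW_RULES = ["-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp"
                " --dport 33434:33523 -j ACCEPT"] + DEFAULT_RULES
# iptables --reject-with names -> (ICMP type 3 code behind traceroute's !<N>, IANA meaning)
REJECT_CODE = {"icmp-port-unreachable": (3, "port unreachable"),
               "icmp-net-prohibited": (9, "network administratively prohibited"),
               "icmp-host-prohibited": (10, "host administratively prohibited"),
               "icmp-admin-prohibited": (13, "communication administratively prohibited")}
def parse_rule(line):
    toks = line.split()
    rule = {"target": toks[toks.index("-j") + 1]}
    for flag, key in (("-i", "iface"), ("-p", "proto"), ("--dport", "dport"),
                      ("--state", "state"), ("--reject-with", "reject_with")):
        if flag in toks:
            rule[key] = toks[toks.index(flag) + 1]
    return rule

def matches(rule, pkt):
    for key in ("iface", "proto"):  # an absent matcher means "any"
        if rule.get(key, pkt[key]) != pkt[key]:
            return False
    if "dport" in rule:  # single port or low:high range
        lo, _, hi = rule["dport"].partition(":")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    return "state" not in rule or pkt["state"] in rule["state"].split(",")

def verdict(rules, pkt):  # first match decides; returns (target, --reject-with name or None)
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"], rule.get("reject_with")
    return "ACCEPT", None  # chain policy is ACCEPT in the quoted config

def traceroute_annotation(rules, pkt):
    """The !<N> suffix traceroute prints for a probe with this fate ('' if none)."""
    target, reject_with = verdict(rules, pkt)
    if target == "REJECT":
        code, meaning = REJECT_CODE[reject_with]
        return "!<%d>" % code, meaning
    return "", "accepted; host replies ICMP port unreachable, shown without annotation"
```

A traceroute probe is modelled as a dict such as {"iface": "eth0", "proto": "udp", "dport": 33434, "state": "NEW"}; against DEFAULT_RULES it falls through to the final REJECT and yields "!<10>", against FIXED_RULES or NARROW_RULES it is accepted.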