[TriLUG] traceroute works, ping and tcp services don't get through

[Joseph Mack NA3T]

On Fri, 18 May 2012, Michael Hrivnak wrote:

> It may be helpful to better understand what traceroute is 
> doing when client runs traceroute to server.

yes ;-)

> Packets from client to server are UDP and sent to ports 
> that are unlikely to have an actual service listening on 
> the destination.

hmm. I thought they were type ICMP, which is a type of UDP I 
guess.

> Routers along the way, in your case only router2, respond 
> with ICMP type 11 Time Exceeded packets.

it's supposed to do this, or this it the way I'm likely to 
have it setup with my firewall rules?

> The destination will respond with ICMP type 3 Destination 
> Unreachable, with code 3 Port Unreachable.

same question?

> The simple firewall tutorial you linked to does some 
> interesting things.  You may want to search your own 
> firewall rules for "--reject-with icmp-host-unreach" and 
> see if you find anything there that would explain some of 
> the behavior you've seen.

I haven't changed any of the icmp stuff, since I didn't 
understand it. I did try to pull the icmp stuff out into its 
own table by

iptables -N ICMP

and then just before the icmp rules doing

iptables -A INPUT -j ICMP

(or something like that) and then -j LOG in the ICMP table 
to see what was happening. However no packets appeared in 
the ICMP table. I'm still scratching my head about this.

> It's possible that if a router was responding with ICMP 
> type 3, it could have fooled traceroute into thinking it 
> had reached the destination.

thanks. I need to look into this a bit. This is more 
complicated than I thought.

I'm going away for 2 weeks tomorrow, so I won't get to do 
anything on this for a little while.

Thanks

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!