New Zealand ADSL Mailing List


Re: traceroute

From: Brian Gibbons <brian_at_outersite.co.nz>
Date: Mon, 20 Nov 2000 15:27:32 +1300
Message-ID: <002101c05299$6fe75780$0105a8c0@nserver>

There is no "standard" on how trace route programs effect the required
functionality.

Basically they send a packet out with incrementing TTL values and look at
the IP address of ICMP message coming back.

The outgoing packet is never an ICMP packet as "Rule 1" is never send an
ICMP error message about an ICMP message.

Most tracert programs use outgoing UDP packets to an invalid destination
port, that way they know when they have reached the destination host
(returns an invalid destination port ICMP vs TTL Expired).

Check that UDP can go out via Linux, if NAT is on then the NAT box must be
smart enough to look in the body of the returning ICMP message to find which
inside host sent out the UDP packet.
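As an added illustration of the mechanism Brian describes (not part of his reply or of the original thread), the following simulation builds real-format IPv4/UDP probes with incrementing TTL, has each simulated router answer with an ICMP Time Exceeded that quotes the offending datagram's IP header plus 8 bytes (the UDP header), has the destination answer with ICMP Port Unreachable, and puts a masquerading box in the middle. The `Nat` class has an `inspect_icmp` switch: with it on, the NAT reads the quoted UDP source port inside the returning ICMP error to find the inside host; with it off, every hop past the firewall shows as `*`, which is the symptom in the quoted post. The topology, the host addresses (10.254.254.10 inside, 192.168.1.1 as the firewall's outside address, routers and target in documentation ranges) and the `Nat`/`traceroute` helpers are all constructed for this example.

```python
import socket
import struct

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH, PORT_UNREACH = 3, 3   # type 3 / code 3: destination port unreachable
ICMP_TIME_EXCEEDED = 11                  # type 11: TTL expired in transit
IP_HDR = "!BBHHHBBH4s4s"                 # minimal 20-byte IPv4 header

# Constructed path: firewall outside -> two routers -> target (documentation ranges).
ROUTERS = ["192.168.1.254", "203.0.113.1"]
TARGET = "198.51.100.17"


def ip_packet(src, dst, ttl, proto, payload):
    """Build an IPv4 packet (header checksum left zero; the simulation never checks it)."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ip(pkt):
    f = struct.unpack(IP_HDR, pkt[:20])
    return {"ttl": f[5], "proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "payload": pkt[20:]}


def udp_probe(src, dst, ttl, sport, dport):
    """A traceroute probe: empty UDP datagram aimed at an unused high port."""
    return ip_packet(src, dst, ttl, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def icmp_error(sender, original, icmp_type, code):
    """ICMP error (RFC 792 layout): 8-byte ICMP header, then the offending datagram's
    IP header plus the first 8 bytes of its payload (here the whole UDP header)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return ip_packet(sender, parse_ip(original)["src"], 64, PROTO_ICMP, body)


class Nat:
    """Masquerading firewall. inspect_icmp=True is the 'smart' NAT that parses the
    quoted datagram inside ICMP errors; False is one that only looks at the outer header."""

    def __init__(self, inside_ip, outside_ip, inspect_icmp):
        self.inside_ip, self.outside_ip = inside_ip, outside_ip
        self.inspect_icmp = inspect_icmp
        self.table = {}          # public source port -> (inside host, inside port)
        self.next_port = 61000

    def outbound(self, pkt):
        """Translate an inside UDP datagram, decrementing TTL as any router would."""
        h = parse_ip(pkt)
        sport = struct.unpack("!H", h["payload"][:2])[0]
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (h["src"], sport)
        udp = struct.pack("!H", pub) + h["payload"][2:]
        return ip_packet(self.outside_ip, h["dst"], h["ttl"] - 1, PROTO_UDP, udp)

    def inbound_icmp(self, pkt):
        """Which inside host owns this ICMP error? The outer header only says 'to the
        NAT's public address'; the answer lives in the quoted datagram's UDP port."""
        if not self.inspect_icmp:
            return None                               # no mapping: error is dropped
        outer = parse_ip(pkt)
        inner = parse_ip(outer["payload"][8:])        # skip the 8-byte ICMP header
        pub = struct.unpack("!H", inner["payload"][:2])[0]   # quoted UDP source port
        entry = self.table.get(pub)
        return entry[0] if entry else None


def deliver(pkt, routers, target):
    """Carry a translated probe along the path and return the ICMP reply it provokes."""
    ttl = parse_ip(pkt)["ttl"]
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return icmp_error(router, pkt, ICMP_TIME_EXCEEDED, 0)
    # Reached the destination: nothing listens on that UDP port, so Port Unreachable.
    return icmp_error(target, pkt, ICMP_DEST_UNREACH, PORT_UNREACH)


def traceroute(host, target, nat, routers, max_hops=30):
    """Simulated `traceroute -n` from an inside host: one probe per TTL, hop addresses
    in order, None where the reply never got back through the NAT (printed as '*')."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = udp_probe(host, target, ttl, 40000 + ttl, 33434 + ttl)
        if ttl == 1:
            # The firewall itself is hop 1 and answers from its inside address, so
            # that reply needs no translation; this is why hop 1 works in the post.
            hops.append(nat.inside_ip)
            continue
        reply = deliver(nat.outbound(probe), routers, target)
        if nat.inbound_icmp(reply) != host:
            hops.append(None)
            continue
        outer = parse_ip(reply)
        hops.append(outer["src"])
        if outer["payload"][0] == ICMP_DEST_UNREACH:   # destination reached
            break
    return hops


if __name__ == "__main__":
    for smart in (True, False):
        nat = Nat("10.254.254.254", "192.168.1.1", inspect_icmp=smart)
        print(f"NAT inspects quoted datagram in ICMP errors: {smart}")
        for i, hop in enumerate(traceroute("10.254.254.10", TARGET, nat, ROUTERS, 5), 1):
            print(f"{i:3d} {hop or '* * *'}")
```

The smart NAT yields the firewall, both routers and the target; the other yields the firewall followed by `* * *` for every remaining TTL. The same check applies to a real masquerading box: if only UDP/TCP flows are tracked and ICMP errors are matched on the outer header alone, every hop beyond the firewall will time out even though no rule explicitly blocks ICMP.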

----- Original Message -----
From: "Pete" <speed@advcomm.co.nz>
To: <adsl@unixathome.org>
Sent: Monday, November 20, 2000 2:52 PM
Subject: traceroute

Hiyas

I've posted this to the NZLUG list, but they recommend posting here. I feel it
is a linux problem as I can traceroute through the DSL fine, but thought I'd
post here in case anyone knows of problems using traceroute through two NAT
firewalls.

I'm having trouble getting traceroutes working through my linux firewall.

My setup is basically this:

DSL-Linux-LAN

The DSL is connected to eth0 in the linux box. eth1 is connected to
the internal LAN which has a mixture of clients.

The linux firewall can traceroute through the DSL fine. But other
linux boxes on the LAN (behind the firewall) can't.

I have no IPCHAINS rules in place to block icmp traffic. Does
traceroute use more than just icmp traffic? The results are as
follows:

Traceroute from firewall to mint.ts.co.nz:

firewall:~$ traceroute -n mint.ts.co.nz
traceroute to mint.ts.co.nz (202.49.92.17), 30 hops max, 40 byte packets
  1 192.168.1.254 2.518 ms 1.874 ms 1.882 ms
  2 203.79.82.254 78.641 ms 291.445 ms 634.422 ms
  3 192.168.253.225 46.479 ms 51.772 ms 45.834 ms
  4 203.96.155.158 47.837 ms 48.328 ms 48.202 ms
  5 203.96.152.3 48.526 ms 47.636 ms 48.199 ms
  6 202.37.246.73 62.216 ms 63.505 ms 59.659 ms
  7 202.37.247.162 83.219 ms * 81.677 ms

Traceroute from internal linux box to mint.ts.co.nz:

wilma:~$ traceroute -n mint.ts.co.nz
traceroute to mint.ts.co.nz (202.49.92.17), 30 hops max, 40 byte packets
  1 10.254.254.254 1.345 ms 1.002 ms 0.957 ms
  2 * * *
  3 * *

And it keeps going like that (timeout timeout timeout).

I will post the full firewall listing below, but I can't see anything
in there that should block ICMP traffic. Oh - BTW - I can ping any
external host from any internal host and also the firewall no probs
at all ?!?!

Firewall rules:

(internal lans are 10.254.254.0/24 and the LAN to the DSL is 192.168.1.0/24)

/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -A input -p udp -s 10.0.0.0/8 137 -d 0/0 -j DENY
/sbin/ipchains -A input -p tcp -s 10.0.0.0/8 137 -d 0/0 -j DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -p udp -s 10.0.0.0/8 137 -d 0/0 -j DENY
/sbin/ipchains -A forward -p tcp -s 10.0.0.0/8 137 -d 0/0 -j DENY
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A forward -p tcp -s 10.254.254.230/32 -d 0/0 80 -j MASQ
/sbin/ipchains -A forward -p tcp -s 10.254.254.231/32 -d 0/0 80 -j MASQ
/sbin/ipchains -A forward -p tcp -s 10.254.254.253/32 -d 0/0 80 -j MASQ
/sbin/ipchains -A forward -p tcp -s 10.254.254.0/24 -d 0/0 80 -j DENY
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 53 -d 0/0 -j MASQ
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 -d 0/0 53 -j MASQ
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 -d 0/0 123 -j MASQ
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 4000 -d 0/0 -j MASQ
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 -d 0/0 4000 -j MASQ
/sbin/ipchains -A forward -p udp -s 10.254.254.0/24 -d 0/0 -j DENY
/sbin/ipchains -A forward -s 10.254.254.0/24 -j MASQ

I have even tried adding at the top (just under the flush commands):

ipchains -A forward -p icmp -s 10.254.254.0/24 -j MASQ

But it still doesn't work :(

Any ideas anyone (and apologies to the rest of the list for the long post.)?

Rgds,
Pete

Pete Mundy - Technician
Advanced Communications
+64-3-546-9169 / +64-25-480-840
E-Mail: Pete@AdvComm.Co.NZ

This message is part of the NZ Broadband mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message


Received on Mon Nov 20 15:13:35 2000


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:06 2006 EST