* [gentoo-user] traceroute not working
From: Tanstaafl @ 2013-02-22 15:51 UTC
To: Gentoo-User
Hi all,
Weird, I don't use it much, but needed to run a traceroute today, and it
is failing with:
# traceroute 192.168.1.4
traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
send: Operation not permitted
I know the problem is in my firewall, because when I stop it,
traceroutes work as expected.
I have allowed all ICMP in my firewall:
Chain INPUT (policy DROP)
target prot opt source destination
<snip>
ACCEPT icmp -- anywhere anywhere icmp any
<snip>
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
Chain OUTPUT (policy DROP)
target prot opt source destination
<snip>
ACCEPT icmp -- anywhere anywhere icmp any
Any ideas what I'm missing?
I can send all of my firewall rules privately if someone thinks I may
have something that is dropping these packets before my ALLOW rule kicks
in, but I'm fairly sure I have them right...
Thanks
* Re: [gentoo-user] traceroute not working
From: Mick @ 2013-02-22 16:28 UTC
To: gentoo-user
On Friday 22 Feb 2013 15:51:54 Tanstaafl wrote:
> Hi all,
>
> Weird, I don't use it much, but needed to run a traceroute today, and it
> is failing with:
>
> # traceroute 192.168.1.4
> traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
> send: Operation not permitted
>
> I know the problem is in my firewall, because when I stop it,
> traceroutes work as expected.
>
> I have allowed all ICMP in my firewall:
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
> <snip>
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Any ideas what I'm missing?
>
> I can send all of my firewall rules privately if someone thinks I may
> have something that is dropping these packets before my ALLOW rule kicks
> in, but I'm fairly sure I have them right...
>
> Thanks
I don't know how 'clever' your firewall script is (if indeed you are using a
script) and whether it interferes with your sysctl settings.
Search for things like:
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
Alternatively, do you have another rule that denies connections from private
address space on the particular interface?
--
Regards,
Mick
* Re: [gentoo-user] traceroute not working
From: Michael Mol @ 2013-02-22 16:40 UTC
To: gentoo-user
On 02/22/2013 10:51 AM, Tanstaafl wrote:
> Hi all,
>
> Weird, I don't use it much, but needed to run a traceroute today, and it
> is failing with:
>
> # traceroute 192.168.1.4
> traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
> send: Operation not permitted
>
> I know the problem is in my firewall, because when I stop it,
> traceroutes work as expected.
>
> I have allowed all ICMP in my firewall:
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
> <snip>
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Any ideas what I'm missing?
>
> I can send all of my firewall rules privately if someone thinks I may
> have something that is dropping these packets before my ALLOW rule kicks
> in, but I'm fairly sure I have them right...
>
> Thanks
>
Try moving your ACCEPT rules for icmp closer to (or all the way to) the top.
* Re: [gentoo-user] traceroute not working
From: Mike Gilbert @ 2013-02-22 17:18 UTC
To: gentoo-user
On Fri, Feb 22, 2013 at 10:51 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi all,
>
> Weird, I don't use it much, but needed to run a traceroute today, and it is
> failing with:
>
> # traceroute 192.168.1.4
> traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
> send: Operation not permitted
>
> I know the problem is in my firewall, because when I stop it, traceroutes
> work as expected.
>
> I have allowed all ICMP in my firewall:
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
> <snip>
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> <snip>
> ACCEPT icmp -- anywhere anywhere icmp any
>
> Any ideas what I'm missing?
>
> I can send all of my firewall rules privately if someone thinks I may have
> something that is dropping these packets before my ALLOW rule kicks in, but
> I'm fairly sure I have them right...
>
> Thanks
>
Unix traceroute normally operates by sending UDP packets to
high-numbered ports with successively larger TTL values. You'll need
to make sure you are allowing outbound UDP traffic as well.
* Re: [gentoo-user] traceroute not working
From: Tanstaafl @ 2013-02-22 20:30 UTC
To: gentoo-user
On 2013-02-22 12:18 PM, Mike Gilbert <floppym@gentoo.org> wrote:
> Unix traceroute normally operates by sending UDP packets to
> high-numbered ports with successively larger TTL values. You'll need
> to make sure you are allowing outbound UDP traffic as well.
Thanks guys - I had forgotten about this (haven't used it in a while)...
I forgot that I had to specify -I to designate using ICMP protocol...
duh...
Sorry for the noise...
Now to pose the real question I have (the reason I needed to use
traceroute in the first place) in a new thread...
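The two points raised in this thread (classic traceroute needs outbound UDP to its high-numbered probe ports, while `traceroute -I` needs outbound ICMP instead; both need inbound ICMP for the replies) can be checked statically against an `iptables -L` listing. The following is an added example, not code from the thread; it assumes the plain `iptables -L` column layout shown above (target, prot, opt, source, destination, then match text such as `udp dpts:33434:33523`) and uses constructed listings that mirror the poster's ICMP-only rules.

```python
import re

# Classic traceroute sends UDP probes to 33434 and up, one port per probe (30 hops x 3).
TRACEROUTE_UDP_PORTS = range(33434, 33434 + 30 * 3)

def parse_listing(text):
    """Parse `iptables -L` output into {chain: (policy, [(target, proto, match), ...])}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        parts = line.split(None, 5)  # target prot opt source destination [match...]
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # column header, blank line or a <snip> marker
        chains[current][1].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def verdict(chains, chain, proto, dport=None):
    """First-match walk of one chain for a NEW packet; the chain policy applies if nothing hits."""
    policy, rules = chains[chain]
    for target, rproto, match in rules:
        if rproto not in ("all", proto):
            continue
        if re.search(r"\b(ct)?state ", match) and "NEW" not in match:
            continue  # RELATED,ESTABLISHED rules never accept a fresh probe
        ports = re.search(r"dpts?:(\d+)(?::(\d+))?", match)
        if dport is not None and ports:
            lo, hi = int(ports.group(1)), int(ports.group(2) or ports.group(1))
            if not lo <= dport <= hi:
                continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def traceroute_ok(chains, icmp_mode=False):
    """UDP mode needs OUTPUT udp to every probe port; `-I` needs OUTPUT icmp; both need INPUT icmp."""
    out_ok = (verdict(chains, "OUTPUT", "icmp") == "ACCEPT" if icmp_mode else
              all(verdict(chains, "OUTPUT", "udp", p) == "ACCEPT" for p in TRACEROUTE_UDP_PORTS))
    return out_ok and verdict(chains, "INPUT", "icmp") == "ACCEPT"

# Constructed listings: the poster's shape (ICMP only), then the same with the probe range opened.
ORIGINAL = """Chain INPUT (policy DROP)
ACCEPT icmp -- anywhere anywhere icmp any
Chain OUTPUT (policy DROP)
ACCEPT icmp -- anywhere anywhere icmp any
"""
FIXED = ORIGINAL + "ACCEPT udp -- anywhere anywhere udp dpts:33434:33523\n"
```

The check is a first-match approximation of netfilter (it ignores interface, address and user-defined chain jumps), so it flags the obvious gap rather than replacing a real packet trace.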