HPE Community
Operating System - Linux
1822004 Members
4010 Online
109639 Solutions
New Discussion юеВ

Re: icmp-type to enable traceroute

 
K.C. Chan
Trusted Contributor

тАО12-23-2001 01:29 PM

тАО12-23-2001 01:29 PM

icmp-type to enable traceroute

Does any one know whaty icmp-type to enable inorder to do traceroute for iptables? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
10 REPLIES 10
Kodjo Agbenu
Honored Contributor

тАО12-25-2001 12:34 PM

тАО12-25-2001 12:34 PM

Re: icmp-type to enable traceroute

Hello Michael,

As far as I know, the "traceroute" mechanism uses packets that could not be routed due to a too low number of hop counts.

The first host says to the first router : "could you reach that destination in 1 hop counts ?"

If it replies no, another query is attempted with 2 hop counts... until the destination host is reached.

I guess (but I'm not sure) that the ICMP packets to allow for the traceroute command to work should "icmp-net-unreachable" and "icmp-host-unreachable".

Good luck.

Kodjo
Learn and explain...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО12-26-2001 11:05 AM

тАО12-26-2001 11:05 AM

Re: icmp-type to enable traceroute

kodjo, I added network-unreachable and host-unreachle to the rule. But no luck, here's a samplet output of traceroute: "traceroute to www.yahoo.akadns.net (216.115.102.77), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
1 traceroute: wrote www.yahoo.akadns.net 38 chars, ret=-1
*traceroute: sendto: Operation not permitted
traceroute: wrote www.yahoo.akadns.net 38 chars, ret=-1
*traceroute: sendto: Operation not permitted"

Does any one have any idea? thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Volker Borowski
Honored Contributor

тАО12-27-2001 02:44 AM

тАО12-27-2001 02:44 AM

Re: icmp-type to enable traceroute

Hello Michael,

I am also not so sure, but I checked my cisco for what it knows, and my best guess would be that you need

echo Echo (ping)
echo-reply Echo reply
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables

Unfortunately, I do not know the icmp-portnumbers for those signals, my cisco just offers the names.

Do not know if that helps
Volker
0 Kudos
Reply
messias
Occasional Advisor

тАО01-14-2002 06:05 AM

тАО01-14-2002 06:05 AM

Re: icmp-type to enable traceroute

Hi Michael,

You need to allow traceroute
following icmp types and codes:

TYPE = 0 - Echo Reply

TYPE = 8 - Echo Request

TYPE = 11 - Time Exceeded
Code 0 = TTL > 0

and if you need name reolution
you need DNS = udp 53


Best regards
Nico
Technical Support & Professional Services
0 Kudos
Reply
Paulo A G Fessel
Trusted Contributor

тАО01-15-2002 04:33 AM

тАО01-15-2002 04:33 AM

Re: icmp-type to enable traceroute

Michael,

AFAIK, the message you're seeing is not related to ICMP-type messages but to the fact that you're running traceroute as a non-root user.

Use the tips of our colleagues in the forum, make sure you're logged in as "root" and try again.

HTH
Paulo Fessel
L'employ├Г┬й propose, le boss dispose.
0 Kudos
Reply
john savas
New Member

тАО01-16-2002 03:29 AM

тАО01-16-2002 03:29 AM

Re: icmp-type to enable traceroute

UDP INCOMING TRACEROUTE

traceroute usually uses source port 32769:65535 dst port 33434:33523
default UDP base: 33434 to base+nhops-1

ICMP INCOMING TRACEROUTE
For outgoing traceroute.
Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

For incoming traceroute.
Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
To block this, deny OUTGOING 3 and 11
0 Kudos
Reply
Christopher C. Weis
Advisor

тАО03-11-2002 08:52 PM

тАО03-11-2002 08:52 PM

Re: icmp-type to enable traceroute

I agree with Paulo on this one. The error message you're seeing is due to you not being root or traceroute not being suid root. I would recommend su'ing to root and trying this process again.

However, I did notice once before, with a customized 2.4.`early` kernel that I received a very similar error message when using ping. I haven't been following the LKML enough lately, but it's possible there was a bug in the kernel somewhere that kept the sendto() function from working properly. It may have been a problem with glibc also. I ended up rebooting just to see if I could shake the problem. It went away for a while, but returned. After upgrading and rebuilding the kernel, all was well. I'll be curious to see if your problem comes to this also.

Good luck!
0 Kudos
Reply
Ron Kinner
Honored Contributor

тАО03-12-2002 07:09 AM

тАО03-12-2002 07:09 AM

Re: icmp-type to enable traceroute

Don't think it's a root issue. Looks more like the firewall is blocking it.

Are you using IPCHAINS? What do
ipchains -L output
and
ipchains -L input

say?

Ron
0 Kudos
Reply
Ron Kinner
Honored Contributor

тАО03-12-2002 07:13 AM

тАО03-12-2002 07:13 AM

Re: icmp-type to enable traceroute

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html

Shows how to get traceroute to work.

Ron
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО03-12-2002 02:11 PM

тАО03-12-2002 02:11 PM

Re: icmp-type to enable traceroute

The dumb question is have you allowed 'udp' packets as well as these ICMP packets?

The outgoing probe is actually a UDP packet with low TTL values, and 'traceroute' sits waiting fo the ICMP replies of 'time exceed' and 'port unreachable' from the middling hosts.

NOTE: this is all int he man page for traceroute..
One long-haired git at your service...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.