Date: Sat, 22 Mar 2003 23:32:13 GMT
From: abc@ai1.anchorage.mtaonline.net
To: Bill Moran <wmoran@potentialtech.com>
Cc: freebsd-questions <questions@freebsd.org>
Subject: Re: where packets are dropped in route
Message-ID: <200303222332.h2MNWDdJ012385@en26.ai1.anchorage.mtaonline.net>
> > is there any way to determine which machine along
> > a route is dropping packets destined for a specific
> > IP/port combination?
> >
> > i can't SSH to my gateway from machines elsewhere
> > on the internet, but i can ssh to it on a local net.
> >
> > i can ssh to other machines elsewhere on the internet
> > from the local gateway / local net.
> >
> > i have no firewall rules blocking any traffic.
> > i have the same configuration that i used with
> > a previous ISP - where all worked fine
> > (except for ppp login mods).
> >
> > my current ISP claims not to be blocking any traffic.
> > i think he is wrong, and would like to identify
> > exactly what machine is dropping the packets
> > destined for port 22 on my gateway.
>
> traceroute will allow you to specify a port/proto instead of
> using ICMP.

yes - have used the following, but was unsure if the following
underlined statements meant using traceroute would be a bogus method:

traceroute(1):

     -P     Send packets of specified IP protocol.  The currently
            supported protocols are: UDP, TCP and GRE.  Other protocols
            may also be specified (either by name or by number), though
            traceroute does not implement any special knowledge of their
            packet formats.  This option is useful for determining which
            router along a path may be blocking packets based on IP
            protocol number.  But see BUGS below.
                              ^^^^^^^^^^^^^^^^^^^

BUGS
     When using protocols other than UDP, functionality is reduced.  In
     particular, the last packet will often appear
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     to be lost, because even though it reaches the destination
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     host, there's no way to know that because no ICMP message
     is sent back.  In the TCP case, traceroute should listen for a RST
     from the destination host (or an intermediate router that's
     filtering packets), but this is not implemented yet.

     -p     Protocol specific.  For UDP and TCP, sets the base port
            number used in probes (default is 33434).  Traceroute hopes that
            nothing is listening on UDP ports base to base + nhops - 1
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            at the destination host (so an ICMP PORT_UNREACHABLE message
            will be returned to terminate the route tracing).  If
            something is listening on a port in the default range, this
            option can be used to pick an unused port range.

results:
-------
$ traceroute -p 22 -P tcp MYGATEWAY        (from a remote machine)

this probe is ok, up to and including the machine my gateway connects
to - just when it should show my gateway, traceroute(1) displays
asterisks * * *.

$ traceroute -p 22 -P udp MYGATEWAY        (from a remote machine)

this probe works fine without problem.

> Other tools might be helpful as well.  Use nmap (in ports) to
> see if packets are being denied or simply dropped.  You could
> use traceroute in combination with nmap and simply test each
> host along the path.

testing each host along the path seemed unreliable to me because a
firewall/ipchains could deny specific IP/port packets to itself, while
allowing them to pass through if destined for another machine.

> Check sockstat on the ssh server and make sure it's actually
> binding to the proper IP as well.

$ sockstat | grep 22
root     sshd       867    3  tcp4   *:22                  *:*
root     sshd        63    4  tcp4   MY-GW-IP:22           192.168.0.26:2040
root     named       34   22  udp4   127.0.0.1:53          *:*

> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

what follows is a result of "telnet" port scans:
-----------------------------------------------

1. I have no firewalls and no ipchains and no packet filtering
   software of any kind.

2. PORT SCAN (SSH PORT 22 CONNECTS)
   ---------
   FROM: ELSEWHERE ON THE INTERNET
   TO:   ELSEWHERE ON THE INTERNET

000001: rtmp: telnet: connect to address 65.96.40.34: refused
000002: nbp: telnet: connect to address 65.96.40.34: refused
000003: compressnet: telnet: connect to address 65.96.40.34: refused
000004: echo: telnet: connect to address 65.96.40.34: refused
000005: #: telnet: connect to address 65.96.40.34: refused
000006: zip: telnet: connect to address 65.96.40.34: refused
000007: echo: telnet: connect to address 65.96.40.34: refused
000008: : telnet: connect to address 65.96.40.34: refused
000009: discard: telnet: connect to address 65.96.40.34: refused
000010: : telnet: connect to address 65.96.40.34: refused
000011: systat: telnet: connect to address 65.96.40.34: refused
000012: : telnet: connect to address 65.96.40.34: refused
000013: daytime: Connection closed by foreign host.
000014: : telnet: connect to address 65.96.40.34: refused
000015: : telnet: connect to address 65.96.40.34: refused
000016: : telnet: connect to address 65.96.40.34: refused
000017: qotd: Connection closed by foreign host.
000018: msp: telnet: connect to address 65.96.40.34: refused
000019: chargen: telnet: connect to address 65.96.40.34: refused
000020: ftp-data: telnet: connect to address 65.96.40.34: refused
000021: ftp: Connection closed by foreign host.
000022:* ssh: Connection closed by foreign host.
000023: telnet: telnet: connect to address 65.96.40.34: refused
000024: #: telnet: connect to address 65.96.40.34: refused
000025: smtp: Connection closed by foreign host.
000026: : telnet: connect to address 65.96.40.34: refused
000027: nsw-fe: telnet: connect to address 65.96.40.34: refused
000028: : telnet: connect to address 65.96.40.34: refused
000029: msg-icp: telnet: connect to address 65.96.40.34: refused
000030: : telnet: connect to address 65.96.40.34: refused
000031: msg-auth: telnet: connect to address 65.96.40.34: refused
000032: : telnet: connect to address 65.96.40.34: refused
000033: dsp: telnet: connect to address 65.96.40.34: refused
000034: : telnet: connect to address 65.96.40.34: refused
000035: #: telnet: connect to address 65.96.40.34: refused
000036: : telnet: connect to address 65.96.40.34: refused
000037: time: Connection closed by foreign host.
000038: rap: telnet: connect to address 65.96.40.34: refused
000039: rlp: telnet: connect to address 65.96.40.34: refused
000040: : telnet: connect to address 65.96.40.34: refused
000041: graphics: telnet: connect to address 65.96.40.34: refused
000042: nameserver: telnet: connect to address 65.96.40.34: refused
000043: nicname: telnet: connect to address 65.96.40.34: refused
000044: mpm-flags: telnet: connect to address 65.96.40.34: refused
000045: mpm: telnet: connect to address 65.96.40.34: refused
000046: mpm-snd: telnet: connect to address 65.96.40.34: refused
000047: ni-ftp: telnet: connect to address 65.96.40.34: refused
000048: auditd: telnet: connect to address 65.96.40.34: refused
000049: tacacs: telnet: connect to address 65.96.40.34: refused
000050: re-mail-ck: telnet: connect to address 65.96.40.34: refused
000051: la-maint: telnet: connect to address 65.96.40.34: refused
000052: xns-time: telnet: connect to address 65.96.40.34: refused
000053: domain: Connection closed by foreign host.
000054: xns-ch: telnet: connect to address 65.96.40.34: refused
000055: isi-gl: telnet: connect to address 65.96.40.34: refused
000056: xns-auth: telnet: connect to address 65.96.40.34: refused
000057: mtp: telnet: connect to address 65.96.40.34: refused
000058: xns-mail: telnet: connect to address 65.96.40.34: refused
000059: #: telnet: connect to address 65.96.40.34: refused
000060: : telnet: connect to address 65.96.40.34: refused
000061: ni-mail: telnet: connect to address 65.96.40.34: refused
000062: acas: telnet: connect to address 65.96.40.34: refused
000063: whois++: telnet: connect to address 65.96.40.34: refused
000064: covia: telnet: connect to address 65.96.40.34: refused

3. PORT SCAN (SSH PORT 22 CONNECTS)
   ---------
   FROM: LOCAL NETWORK (me)
   TO:   ISP CUSTOMER (me)

000001: rtmp: telnet: connect to address 12.17.140.247: refused
000002: nbp: telnet: connect to address 12.17.140.247: refused
000003: compressnet: telnet: connect to address 12.17.140.247: refused
000004: echo: telnet: connect to address 12.17.140.247: refused
000005: #: telnet: connect to address 12.17.140.247: refused
000006: zip: telnet: connect to address 12.17.140.247: refused
000007: echo: telnet: connect to address 12.17.140.247: refused
000008: : telnet: connect to address 12.17.140.247: refused
000009: discard: telnet: connect to address 12.17.140.247: refused
000010: : telnet: connect to address 12.17.140.247: refused
000011: systat: telnet: connect to address 12.17.140.247: refused
000012: : telnet: connect to address 12.17.140.247: refused
000013: daytime: telnet: connect to address 12.17.140.247: refused
000014: : telnet: connect to address 12.17.140.247: refused
000015: : telnet: connect to address 12.17.140.247: refused
000016: : telnet: connect to address 12.17.140.247: refused
000017: qotd: telnet: connect to address 12.17.140.247: refused
000018: msp: telnet: connect to address 12.17.140.247: refused
000019: chargen: telnet: connect to address 12.17.140.247: refused
000020: ftp-data: telnet: connect to address 12.17.140.247: refused
000021: ftp: Connection closed by foreign host.
000022:* ssh: Connection closed by foreign host.
000023: telnet: Connection closed by foreign host.
000024: #: telnet: connect to address 12.17.140.247: refused
000025: smtp: Connection closed by foreign host.
000026: : telnet: connect to address 12.17.140.247: refused
000027: nsw-fe: telnet: connect to address 12.17.140.247: refused
000028: : telnet: connect to address 12.17.140.247: refused
000029: msg-icp: telnet: connect to address 12.17.140.247: refused
000030: : telnet: connect to address 12.17.140.247: refused
000031: msg-auth: telnet: connect to address 12.17.140.247: refused
000032: : telnet: connect to address 12.17.140.247: refused
000033: dsp: telnet: connect to address 12.17.140.247: refused
000034: : telnet: connect to address 12.17.140.247: refused
000035: #: telnet: connect to address 12.17.140.247: refused
000036: : telnet: connect to address 12.17.140.247: refused
000037: time: telnet: connect to address 12.17.140.247: refused
000038: rap: telnet: connect to address 12.17.140.247: refused
000039: rlp: telnet: connect to address 12.17.140.247: refused
000040: : telnet: connect to address 12.17.140.247: refused
000041: graphics: telnet: connect to address 12.17.140.247: refused
000042: nameserver: telnet: connect to address 12.17.140.247: refused
000043: nicname: telnet: connect to address 12.17.140.247: refused
000044: mpm-flags: telnet: connect to address 12.17.140.247: refused
000045: mpm: telnet: connect to address 12.17.140.247: refused
000046: mpm-snd: telnet: connect to address 12.17.140.247: refused
000047: ni-ftp: telnet: connect to address 12.17.140.247: refused
000048: auditd: telnet: connect to address 12.17.140.247: refused
000049: tacacs: telnet: connect to address 12.17.140.247: refused
000050: re-mail-ck: telnet: connect to address 12.17.140.247: refused
000051: la-maint: telnet: connect to address 12.17.140.247: refused
000052: xns-time: telnet: connect to address 12.17.140.247: refused
000053: domain: Connection closed by foreign host.
000054: xns-ch: telnet: connect to address 12.17.140.247: refused
000055: isi-gl: telnet: connect to address 12.17.140.247: refused
000056: xns-auth: telnet: connect to address 12.17.140.247: refused
000057: mtp: telnet: connect to address 12.17.140.247: refused
000058: xns-mail: telnet: connect to address 12.17.140.247: refused
000059: #: telnet: connect to address 12.17.140.247: refused
000060: : telnet: connect to address 12.17.140.247: refused
000061: ni-mail: telnet: connect to address 12.17.140.247: refused
000062: acas: telnet: connect to address 12.17.140.247: refused
000063: whois++: telnet: connect to address 12.17.140.247: refused
000064: covia: telnet: connect to address 12.17.140.247: refused

4. PORT SCAN (SSH PORT 22 REFUSED)
   ---------
   FROM: ELSEWHERE ON THE INTERNET
   TO:   ISP CUSTOMER (me)

000001: rtmp: telnet: connect to address 12.17.140.247: refused
000002: nbp: telnet: connect to address 12.17.140.247: refused
000003: compressnet: telnet: connect to address 12.17.140.247: refused
000004: echo: telnet: connect to address 12.17.140.247: refused
000005: #: telnet: connect to address 12.17.140.247: refused
000006: zip: telnet: connect to address 12.17.140.247: refused
000007: echo: telnet: connect to address 12.17.140.247: refused
000008: : telnet: connect to address 12.17.140.247: refused
000009: discard: telnet: connect to address 12.17.140.247: refused
000010: : telnet: connect to address 12.17.140.247: refused
000011: systat: telnet: connect to address 12.17.140.247: refused
000012: : telnet: connect to address 12.17.140.247: refused
000013: daytime: telnet: connect to address 12.17.140.247: refused
000014: : telnet: connect to address 12.17.140.247: refused
000015: : telnet: connect to address 12.17.140.247: refused
000016: : telnet: connect to address 12.17.140.247: refused
000017: qotd: telnet: connect to address 12.17.140.247: refused
000018: msp: telnet: connect to address 12.17.140.247: refused
000019: chargen: telnet: connect to address 12.17.140.247: refused
000020: ftp-data: telnet: connect to address 12.17.140.247: refused
000021: ftp: Connection closed by foreign host.
000022:* ssh: telnet: connect to address 12.17.140.247: refused
000023: telnet: Connection closed by foreign host.
000024: #: telnet: connect to address 12.17.140.247: refused
000025: smtp: Connection closed by foreign host.
000026: : telnet: connect to address 12.17.140.247: refused
000027: nsw-fe: telnet: connect to address 12.17.140.247: refused
000028: : telnet: connect to address 12.17.140.247: refused
000029: msg-icp: telnet: connect to address 12.17.140.247: refused
000030: : telnet: connect to address 12.17.140.247: refused
000031: msg-auth: telnet: connect to address 12.17.140.247: refused
000032: : telnet: connect to address 12.17.140.247: refused
000033: dsp: telnet: connect to address 12.17.140.247: refused
000034: : telnet: connect to address 12.17.140.247: refused
000035: #: telnet: connect to address 12.17.140.247: refused
000036: : telnet: connect to address 12.17.140.247: refused
000037: time: telnet: connect to address 12.17.140.247: refused
000038: rap: telnet: connect to address 12.17.140.247: refused
000039: rlp: telnet: connect to address 12.17.140.247: refused
000040: : telnet: connect to address 12.17.140.247: refused
000041: graphics: telnet: connect to address 12.17.140.247: refused
000042: nameserver: telnet: connect to address 12.17.140.247: refused
000043: nicname: telnet: connect to address 12.17.140.247: refused
000044: mpm-flags: telnet: connect to address 12.17.140.247: refused
000045: mpm: telnet: connect to address 12.17.140.247: refused
000046: mpm-snd: telnet: connect to address 12.17.140.247: refused
000047: ni-ftp: telnet: connect to address 12.17.140.247: refused
000048: auditd: telnet: connect to address 12.17.140.247: refused
000049: tacacs: telnet: connect to address 12.17.140.247: refused
000050: re-mail-ck: telnet: connect to address 12.17.140.247: refused
000051: la-maint: telnet: connect to address 12.17.140.247: refused
000052: xns-time: telnet: connect to address 12.17.140.247: refused
000053: domain: Connection closed by foreign host.
000054: xns-ch: telnet: connect to address 12.17.140.247: refused
000055: isi-gl: telnet: connect to address 12.17.140.247: refused
000056: xns-auth: telnet: connect to address 12.17.140.247: refused
000057: mtp: telnet: connect to address 12.17.140.247: refused
000058: xns-mail: telnet: connect to address 12.17.140.247: refused
000059: #: telnet: connect to address 12.17.140.247: refused
000060: : telnet: connect to address 12.17.140.247: refused
000061: ni-mail: telnet: connect to address 12.17.140.247: refused
000062: acas: telnet: connect to address 12.17.140.247: refused
000063: whois++: telnet: connect to address 12.17.140.247: refused
000064: covia: telnet: connect to address 12.17.140.247: refused

5. TCP PACKET DUMP ON ISP CUSTOMER PPP LINK, DURING SCAN ABOVE, ITEM 4.
   --------------------------------------------------------------------
   SSH PORT 22 PACKETS DROPPED EN ROUTE TO ISP CUSTOMER
   ----------------------------------------------------
   FROM: ELSEWHERE ON THE INTERNET
   TO:   ISP CUSTOMER (me)

03:59:06.516534 209.165.144.121.1505 > 12.17.140.247.1
03:59:06.886637 209.165.144.121.1506 > 12.17.140.247.2
03:59:07.246400 209.165.144.121.1507 > 12.17.140.247.3
03:59:07.610010 209.165.144.121.1508 > 12.17.140.247.4
03:59:07.966370 209.165.144.121.1509 > 12.17.140.247.5
03:59:08.357831 209.165.144.121.1510 > 12.17.140.247.6
03:59:08.706611 209.165.144.121.1511 > 12.17.140.247.7
03:59:09.066626 209.165.144.121.1512 > 12.17.140.247.8
03:59:09.426486 209.165.144.121.1513 > 12.17.140.247.9
03:59:09.791362 209.165.144.121.1514 > 12.17.140.247.10
03:59:10.156460 209.165.144.121.1515 > 12.17.140.247.11
03:59:10.526867 209.165.144.121.1516 > 12.17.140.247.12
03:59:10.897810 209.165.144.121.1517 > 12.17.140.247.13
03:59:11.267910 209.165.144.121.1518 > 12.17.140.247.14
03:59:11.626894 209.165.144.121.1519 > 12.17.140.247.15
03:59:11.986606 209.165.144.121.1520 > 12.17.140.247.16
03:59:12.341435 209.165.144.121.1521 > 12.17.140.247.17
03:59:12.701428 209.165.144.121.1522 > 12.17.140.247.18
03:59:13.061399 209.165.144.121.1523 > 12.17.140.247.19
03:59:13.426573 209.165.144.121.1524 > 12.17.140.247.20
03:59:13.786681 209.165.144.121.1525 > 12.17.140.247.21
*** MISSING ***  SSH PACKET DROPPED UPSTREAM FROM ISP CUSTOMER   <--
03:59:26.969949 209.165.144.121.1527 > 12.17.140.247.23
03:59:27.780189 209.165.144.121.1528 > 12.17.140.247.24
03:59:28.126794 209.165.144.121.1529 > 12.17.140.247.25
03:59:28.520060 209.165.144.121.1530 > 12.17.140.247.26
03:59:28.891354 209.165.144.121.1531 > 12.17.140.247.27
03:59:29.247060 209.165.144.121.1532 > 12.17.140.247.28
03:59:29.626636 209.165.144.121.1533 > 12.17.140.247.29
03:59:29.986735 209.165.144.121.1534 > 12.17.140.247.30
03:59:30.346873 209.165.144.121.1535 > 12.17.140.247.31
03:59:30.706734 209.165.144.121.1536 > 12.17.140.247.32
03:59:31.066721 209.165.144.121.1537 > 12.17.140.247.33
03:59:31.426631 209.165.144.121.1538 > 12.17.140.247.34
03:59:31.787932 209.165.144.121.1539 > 12.17.140.247.35
03:59:32.146709 209.165.144.121.1540 > 12.17.140.247.36
03:59:32.596823 209.165.144.121.1541 > 12.17.140.247.37
03:59:32.956694 209.165.144.121.1542 > 12.17.140.247.38
03:59:33.316713 209.165.144.121.1543 > 12.17.140.247.39
03:59:33.666925 209.165.144.121.1544 > 12.17.140.247.40
03:59:34.028173 209.165.144.121.1545 > 12.17.140.247.41
03:59:34.386707 209.165.144.121.1546 > 12.17.140.247.42
03:59:34.766965 209.165.144.121.1547 > 12.17.140.247.43
03:59:35.147038 209.165.144.121.1548 > 12.17.140.247.44
03:59:35.511716 209.165.144.121.1549 > 12.17.140.247.45
03:59:35.890128 209.165.144.121.1550 > 12.17.140.247.46
03:59:36.246799 209.165.144.121.1551 > 12.17.140.247.47
03:59:36.607022 209.165.144.121.1552 > 12.17.140.247.48
03:59:36.967013 209.165.144.121.1553 > 12.17.140.247.49
03:59:37.327023 209.165.144.121.1554 > 12.17.140.247.50
03:59:37.706903 209.165.144.121.1555 > 12.17.140.247.51
03:59:38.086913 209.165.144.121.1556 > 12.17.140.247.52
03:59:38.446800 209.165.144.121.1557 > 12.17.140.247.53
03:59:38.856761 209.165.144.121.1558 > 12.17.140.247.54
03:59:39.236904 209.165.144.121.1559 > 12.17.140.247.55
03:59:39.616774 209.165.144.121.1560 > 12.17.140.247.56
03:59:39.981737 209.165.144.121.1561 > 12.17.140.247.57
03:59:40.370067 209.165.144.121.1562 > 12.17.140.247.58
03:59:40.740090 209.165.144.121.1563 > 12.17.140.247.59
03:59:41.096854 209.165.144.121.1564 > 12.17.140.247.60
03:59:42.200213 209.165.144.121.1565 > 12.17.140.247.61
03:59:42.546838 209.165.144.121.1567 > 12.17.140.247.62
03:59:42.921738 209.165.144.121.1568 > 12.17.140.247.63
03:59:43.297091 209.165.144.121.1569 > 12.17.140.247.64

---

Machines elsewhere on the internet can SSH each other fine (2).
I can SSH locally just fine (3).
I can also SSH to any machine on the Internet.
But a machine elsewhere on the Internet that tries to SSH me is not able
to establish a connection (4).  And the TCP data shows that in fact, the
SSH packets are dropped before they ever make it to me (5).

ISP RESPONSE:
------------
> We do not block any ports whatsoever for our customers' connections. The
> connection from you to anyone on the internet is wide open, and
> from anyone on the internet to you is also wide open.

Thank you for your reply.
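The diagnosis in this message rests on two separate checks that are worth having in reusable form: what a single TCP connect() attempt can and cannot tell the probing side about the path (the refused-versus-hang distinction the telnet scans rely on, and the RST that traceroute -P tcp does not listen for), and how to read a capture taken on the target to prove that a particular probe never arrived. The Python below is an added example written for this page; it is not code from the original post or from FreeBSD. All function and constant names are the example's own, the six SAMPLE_CAPTURE lines are excerpted from item 5 above, the loopback self-check assumes 127.0.0.1 is usable, and the source-port gap check assumes the probing host allocates ephemeral ports sequentially, as the 1505, 1506, ... sequence in item 5 suggests.

```python
"""Added example for this thread (not code from the original post or from
FreeBSD): (1) classify what a TCP connect() attempt reveals about the path,
and (2) read a tcpdump capture taken on the target to find probes that never
arrived.  Names and the sample data below are the example's own."""
import errno
import re
import socket
from typing import Dict, Iterable, List, Sequence


def classify_tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return what the probing side can conclude from one connect() attempt.

    open        SYN reached a listener and a SYN/ACK came back.
    closed      Something answered the SYN with a RST (ECONNREFUSED).  This
                proves a RST arrived, not that the target host sent it; an
                upstream device can answer on the target's behalf.
    unreachable The local stack or a router reported no route.
    filtered    Neither SYN/ACK nor RST within the timeout: a silent drop
                somewhere on the path, which is the case traceroute -P tcp
                cannot pin down because it does not listen for the RST.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))
    except (socket.timeout, TimeoutError):
        return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    if rc in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    # connect_ex reports a timed-out connect as an errno value (EWOULDBLOCK
    # or ETIMEDOUT depending on platform) rather than raising.
    return "filtered"


def local_demo() -> Dict[str, str]:
    """Self-check on loopback (assumes 127.0.0.1 is usable): probe a live
    listener, then probe the same port after the listener is gone."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = classify_tcp_probe("127.0.0.1", port, 1.0)
    after_close = classify_tcp_probe("127.0.0.1", port, 1.0)
    return {"listening": while_listening, "closed": after_close}


# Line shape of the capture in item 5:  HH:MM:SS.usec src.sport > dst.dport
CAPTURE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

# Sample input: six lines excerpted from the item 5 capture, around the gap.
SAMPLE_CAPTURE = """\
03:59:13.061399 209.165.144.121.1523 > 12.17.140.247.19
03:59:13.426573 209.165.144.121.1524 > 12.17.140.247.20
03:59:13.786681 209.165.144.121.1525 > 12.17.140.247.21
03:59:26.969949 209.165.144.121.1527 > 12.17.140.247.23
03:59:27.780189 209.165.144.121.1528 > 12.17.140.247.24
03:59:28.126794 209.165.144.121.1529 > 12.17.140.247.25
""".splitlines()


def _parsed(lines: Iterable[str]):
    """Yield a regex match for every line that looks like a capture record."""
    for line in lines:
        m = CAPTURE_RE.match(line.strip())
        if m:
            yield m


def seen_dst_ports(lines: Iterable[str], dst: str) -> List[int]:
    """Destination ports for which a SYN actually reached dst, in order."""
    return [int(m["dport"]) for m in _parsed(lines) if m["dst"] == dst]


def missing_dst_ports(lines: Sequence[str], dst: str,
                      expected: Iterable[int]) -> List[int]:
    """Ports the scanner was told to probe for which no SYN was captured."""
    return sorted(set(expected) - set(seen_dst_ports(lines, dst)))


def source_port_gaps(lines: Sequence[str], src: str) -> List[int]:
    """Ephemeral source ports src skipped between its first and last probe.

    Assumes sequential ephemeral port allocation on the probing host.  A gap
    means the scanner consumed a port for a connect() whose SYN never reached
    this capture point: corroboration, not proof, since any other outbound
    connection from that host leaves the same kind of gap.
    """
    sports = sorted({int(m["sport"]) for m in _parsed(lines) if m["src"] == src})
    if not sports:
        return []
    return sorted(set(range(sports[0], sports[-1] + 1)) - set(sports))


if __name__ == "__main__":
    print(local_demo())
    print("missing dst ports:",
          missing_dst_ports(SAMPLE_CAPTURE, "12.17.140.247", range(19, 26)))
    print("skipped src ports:",
          source_port_gaps(SAMPLE_CAPTURE, "209.165.144.121"))
```

Two caveats the page's own data illustrate. First, "closed" only proves that a RST reached the probing host: item 4 reports port 22 as refused while item 5 shows no SYN for port 22 arriving at the customer link, so whatever answered that SYN sat upstream of the capture point, and only the capture on the target settles where a probe died. Second, a source-port gap is a hint, not evidence: the full item 5 capture also skips source port 1566 between destination ports 61 and 62 although both of those probes arrived, so the missing destination port is what to report to the ISP, with the skipped source port as corroboration.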