LinuxQuestions.org - Linux - Security
Thread: Hmmm (http://www.linuxquestions.org/questions/linux-security-4/hmmm-5238/)

mikeyt_3333 08-08-2001 05:05 PM

Hmmm
 
Any ideas what this line I pulled from tcpdump output means?

15:14:04.377453 eth0 < 111.111.111.111 > ME.ME.ME.ME: icmp: host 222.222.222.222 unreachable - admin prohibited filter

The IP addresses have been changed for obvious reasons, but I used 111.111.111.111 and 222.222.222.222 to indicate that these were actually two different IPs and not the same. Let me know what you think, thanks.

Mike.

raz 08-09-2001 05:23 AM

Is it a VPN link ?
Is the 222.222.222.222 ip the same as the destination address that the 111.111.111.111 ip client tried to contact, or is it a router/firewall in the path ?

Basically, tcpdump is showing you error code 13 ("not ICMP type 13"); it's error code 13, ICMP type 11.
"Communication Administratively Prohibited" - generated if a router cannot forward a packet due to administrative filtering.

I assume a firewall is not responding or a protocol used in the connection is not getting through, due to non support or blocking by a filter of some sort, on that 222.222.222.222 system.

for example: ipsec uses UDP as part of its ISAKMPD key exchange and the firewall might be rejecting it with a timeout.

Anyway without more information on what's asking the request to where it's just speculation.

/Raz

mikeyt_3333 08-09-2001 11:33 AM

222.222.222.222 is completely different than 111.111.111.111. They aren't even part of the same block, and they don't look up as the same corporation or anything. That is why it is strange to me, because the request comes into my box from 222.222.222.222, and then it looks like it is trying to leave my box to 111.111.111.111; each IP is unique in this case.

Mike.

raz 08-10-2001 05:02 AM

It looks like a filter problem as in a firewall or other packet filtering software problem.
From the tcpdump output it's the one sending ICMP error codes back to your 111.111.111.111 box; your box replies to these errors.
But with only one line of output from tcpdump it's not easy to tell.

If you come into a forum in the first place asking for advice, you have to be prepared to give us the information we need to help you diagnose it.
It's like a mechanic trying to fix someone's car over the phone (which is already difficult), where the owner tells you it's making a funny pinging noise but doesn't tell you what's making the noise, what area of the car the noise comes from, or what model car it is.

You're not going to get an answer that's going to help you very much, are you?
/Raz

mikeyt_3333 08-10-2001 11:43 AM

It isn't a VPN; this is a dedicated hosted box, and I manage it remotely. It runs as a web server, Apache, and that is it. The only other access to this box is me through SSH or FTP, and some email accounts. I am just curious what causes this kind of information in my logs. I am more looking for an explanation, or breakdown of this message: the direction of the message, who it came from, etc., and why it looks like it comes from one IP, through me, to a different IP. I would like to learn more about understanding how the logs and tcpdump output work.

My hosts network has a firewall, so it is possible it isn't letting this info out, but the ip's in this message don't resolve to my hosts corp. nor do they match their general IP blocks.

Sorry if I made this more difficult than it had to be.

Thanks a lot!
Mike.
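To answer the "breakdown of this message" question in code, here is an added example (not part of the original thread) that does two things: it parses the old-style tcpdump ICMP line quoted above into its parts, and it builds and then decodes a constructed raw ICMP Destination Unreachable datagram so the layout behind that one line is visible. In the tcpdump line, the address before `>` is the host that emitted the ICMP error, and the address after `host` is copied from the destination field of the original packet quoted inside the ICMP payload (RFC 792). The `<` after the interface name is the direction marker old tcpdump printed for packets received on that interface. 192.0.2.1 is an assumed stand-in for ME.ME.ME.ME, the sample packet bytes are constructed here, and the code table is from RFC 792 with the later additions listed in RFC 1812.

```python
"""Parse an old-style tcpdump ICMP unreachable line and decode a raw
ICMP type 3 datagram. Added example; sample data is constructed."""
import re
import struct
import ipaddress

# Destination Unreachable (ICMP type 3) codes, RFC 792 plus RFC 1812 additions.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited", 11: "network unreachable for TOS",
    12: "host unreachable for TOS", 13: "communication administratively prohibited",
}

# Line as quoted in the thread; the addresses were already changed by the poster.
SAMPLE_LINE = ("15:14:04.377453 eth0 < 111.111.111.111 > ME.ME.ME.ME: icmp: "
               "host 222.222.222.222 unreachable - admin prohibited filter")

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+(?P<src>\S+)\s+>\s+"
    r"(?P<dst>\S+):\s+icmp:\s+(?:(?P<scope>host|net)\s+(?P<orig_dst>\S+)\s+)?"
    r"unreachable(?:\s+-\s+(?P<reason>.+))?$")


def parse_tcpdump_icmp(line):
    """Split the tcpdump text into ICMP sender, receiver and quoted destination."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump ICMP unreachable line: %r" % line)
    d = m.groupdict()
    return {
        # Old tcpdump on Linux printed "<" for received, ">" for sent frames.
        "direction": "inbound" if d["dir"] == "<" else "outbound",
        "icmp_sender": d["src"],
        "icmp_receiver": d["dst"],
        "original_destination": d["orig_dst"],
        "reason": d["reason"],
    }


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_admin_prohibited(router, orig_src, orig_dst, sport=40000, dport=80):
    """Construct the datagram a filtering router sends back: outer IP from the
    router to the original sender, ICMP type 3 code 13, then the original IP
    header plus the first 8 bytes of its TCP header (constructed sample)."""
    inner = ipv4_header(orig_src, orig_dst, 6, 20) + struct.pack("!HHI", sport, dport, 1)
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, orig_src, 1, len(icmp)) + icmp


def decode_icmp_unreachable(pkt):
    """Decode outer IP + ICMP type 3 and pull the quoted original destination."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP datagram (protocol %d)" % pkt[9])
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError("not Destination Unreachable (type %d)" % itype)
    inner = icmp[8:]                      # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "icmp_sender": str(ipaddress.IPv4Address(pkt[12:16])),
        "icmp_receiver": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": itype, "code": code,
        "code_name": ICMP_UNREACH_CODES.get(code, "unknown"),
        "original_source": str(ipaddress.IPv4Address(inner[12:16])),
        "original_destination": str(ipaddress.IPv4Address(inner[16:20])),
        "original_protocol": inner[9], "original_dport": dport,
    }


if __name__ == "__main__":
    print(parse_tcpdump_icmp(SAMPLE_LINE))
    pkt = build_admin_prohibited("111.111.111.111", "192.0.2.1", "222.222.222.222")
    print(decode_icmp_unreachable(pkt))
```

Run against the sample line, the parser reports an inbound packet whose ICMP sender is 111.111.111.111 and whose quoted original destination is 222.222.222.222; the decoder on the constructed datagram shows the same three roles laid out in bytes, which is why a single ICMP error line names two unrelated addresses. The packet is also useful for testing what your own filter returns: `tcpdump -n icmp` on the box while you probe a blocked port from outside distinguishes a reject (an ICMP type 3 reply appears) from a drop (nothing appears).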

raz 08-13-2001 05:33 AM

Ok I've figured it out now.

It's the response from the system that you're sniffing with tcpdump to the 222.222.222.222 system.

Basically, the 222.222.222.222 system requested something like an Echo Reply or Time Exceeded ICMP type to the 111.111.111.111 address.
Your system is configured to reject them and responded, telling it that the request it asked for is not allowed ("that's the message you're seeing").

So on your firewall make sure that all ICMP blockers Deny the packets not reject them.
Sorry don't know where you can find info on TCPdump.

/Raz

