no route to host but ping ok - Networking

  1. no route to host but ping ok

    Hi.

    I have to ssh to a client machine.
    I suppose there is a configuration problem on their firewall but I
    don't understand the following:

    their machine is on ip x.y.z.85.
    If I try ssh or telnet on port 22, I have : No route to host.
    I always thought this is a routing problem.
    What I don't understand is that, on the same ip, ping works.

    So, for my comprehension, is it possible to have a routing that
    depends on the protocol?
    On my Linux, I wouldn't know how to do that ...


  2. Re: no route to host but ping ok

    In article <1192112778.431671.174050@19g2000hsx.googlegroups.com>,
    mike.baroukh@gmail.com says...
    > Hi.
    >
    > I have to ssh to a client machine.
    > I suppose there is a configuration problem on their firewall but I
    > don't understand the following:
    >
    > their machine is on ip x.y.z.85.
    > If I try ssh or telnet on port 22, I have : No route to host.
    > I always thought this is a routing problem.
    > What I don't understand is that, on the same ip, ping works.
    >
    > So, for my comprehension, is it possible to have a routing that
    > depends on the protocol?
    > On my Linux, I wouldn't know how to do that ...


    On some Linux distributions, the default behavior of iptables is to
    answer "no route to host" instead of dropping the packets.

    Check the iptables rules on the server.

  3. Re: no route to host but ping ok

    Hello,

    Miss Terre wrote:
    > mike.baroukh@gmail.com says...
    >
    >>I have to ssh to a client machine.
    >>I suppose there is a configuration problem on their firewall but I
    >>don't understand the following:
    >>
    >>their machine is on ip x.y.z.85.
    >>If I try ssh or telnet on port 22, I have : No route to host.
    >>I always thought this is a routing problem.


    "No route to host" is the consequence of receiving an ICMP "host
    unreachable" error message. This usually means that the router which
    sent the ICMP message knows how to route the packet but the ARP
    resolution for the next hop address failed. A router which has no route
    for the destination would send an ICMP "network unreachable" error
    message instead.

    >>What I don't understand is that, on the same ip, ping works.


    Maybe there is some destination NAT (DNAT) at work on x.y.z.85 which
    redirects the port 22/TCP to a masqueraded host, and that host is
    unreachable.

    You could do some testing with ICMP and UDP traceroute, and
    tcptraceroute on various ports including 22.

    >>So, for my comprehension, is it possible to have a routing that
    >>depends on the protocol?
    >>On my Linux, I wouldn't know how to do that ...


    Linux can do that with either advanced routing or destination NAT.

    > On some Linux distributions, the default behavior of iptables is to
    > answer "no route to host" instead of dropping the packets.


    Well, this looks like a mistake. ICMP "port unreachable" would be a more
    appropriate reply. And in fact it is the iptables REJECT target default
    reply type.

  4. Re: no route to host but ping ok

    mbaroukh writes:

    >Hi.


    >I have to ssh to a client machine.
    >I suppose there is a configuration problem on their firewall but I
    >don't understand the following:


    >their machine is on ip x.y.z.85.
    >If I try ssh or telnet on port 22, I have : No route to host.
    >I always thought this is a routing problem.
    >What I don't understand is that, on the same ip, ping works.


    Either your or their firewall blocks ssh and telnet, but not ping.


    >So, for my comprehension, is it possible to have a routing that
    >depends on the protocol?
    >On my Linux, I wouldn't know how to do that ...



  5. Re: no route to host but ping ok

    On Thu, 11 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <1192112778.431671.174050@19g2000hsx.googlegroups.com>, mbaroukh wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >I have to ssh to a client machine.
    >I suppose there is a configuration problem on their firewall but I
    >don't understand the following:
    >
    >their machine is on ip x.y.z.85.
    >If I try ssh or telnet on port 22, I have : No route to host.
    >I always thought this is a routing problem.


    Use your favorite packet sniffer (tcpdump, ethereal, wireshark, or
    whatever) and see the packet exchange. Something like

    your.host.IP:2939 -> x.y.z.85:22 SYN
    some.router -> your.host.IP:2939 ICMP Type 3 Code Something

    Your system sends a SYN packet to start the conversation. Some router
    sends back a refusal. Which router is telling you to sod off?

    >What I don't understand is that, on the same ip, ping works.


    Yes, some people don't know how to configure a firewall.

    >So, for my comprehension, is it possible to have a routing that
    >depends on the protocol?


    Sure. Read any of the HOWTOs that deal with firewall rules such as

    85507 Aug 20 2001 Firewall-HOWTO
    708351 Nov 14 2005 IP-Masquerade-HOWTO
    17605 Jul 21 2004 Masquerading-Simple-HOWTO
    203891 Sep 29 2004 NET3-4-HOWTO
    278012 Jul 23 2002 Security-Quickstart-HOWTO

    or the extensive HOWTOs available from the author of the Linux network
    filtering code at http://www.netfilter.org/documentation/HOWTO/. You
    will find there are lots of ways to filter things.

    Old guy
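
Added example, not part of any post in the thread: a decoder for the ICMP Type 3 reply that post 5 suggests capturing, reporting which device sent it, which connection it quotes, and the errno a Linux client derives from the code. The addresses and sample packet are constructed, and the code-to-errno table is an assumption about the client (it follows the Linux kernel's mapping, where codes 1, 10 and 13 all surface as "No route to host").

```python
import errno
import socket
import struct

# errno a Linux client reports per ICMP type 3 code (assumed: kernel's mapping).
CODE_TO_ERRNO = {
    0: errno.ENETUNREACH,    # network unreachable
    1: errno.EHOSTUNREACH,   # host unreachable
    3: errno.ECONNREFUSED,   # port unreachable (iptables REJECT default)
    10: errno.EHOSTUNREACH,  # host administratively prohibited
    13: errno.EHOSTUNREACH,  # communication administratively prohibited
}

def _ip(src, dst, proto, payload):
    # Minimal IPv4 header with a zero checksum: constructed sample, not a capture.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def sample(code):
    # Constructed reply: router 203.0.113.1 rejects a SYN to 198.51.100.85:22.
    tcp8 = struct.pack("!HHI", 2939, 22, 0)  # source port, dest port, sequence
    quoted = _ip("192.0.2.10", "198.51.100.85", socket.IPPROTO_TCP, tcp8)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return _ip("203.0.113.1", "192.0.2.10", socket.IPPROTO_ICMP, icmp)

def decode_unreachable(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying an ICMP destination-unreachable error."""
    if len(packet) < 20 or packet[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not ICMP type 3 (destination unreachable)")
    quoted = icmp[8:]  # original IP header plus first 8 bytes of its payload
    if len(quoted) < 20:
        raise ValueError("quoted IP header truncated")
    inner_len = (quoted[0] & 0x0F) * 4
    if len(quoted) < inner_len + 4:
        raise ValueError("quoted transport header truncated")
    _sport, dport = struct.unpack("!HH", quoted[inner_len:inner_len + 4])
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),  # who sent the refusal
        "code": icmp[1],
        "errno": errno.errorcode.get(CODE_TO_ERRNO.get(icmp[1]), "unknown"),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
        "orig_dport": dport,  # meaningful when orig_proto is TCP (6) or UDP (17)
    }
```

If `reporter` equals the target address, the refusal comes from the target's own filter; if it is an intermediate hop, that device is the one to examine.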
