Networking Forums

ICMP and ip prohibit rule

 
 
markryde@gmail.com
      05-21-2009, 11:46 AM
Hi,
According to "man ip", we can add a prohibit rule like this:

ip rule add from 192.168.0.10 to 192.168.0.180 prohibit

According to the man page, this should cause an ICMP message
to be sent when trying to connect from 192.168.0.180 to 192.168.0.10.
Yet when I tried it, and ran "ping 192.168.0.180", the ping was answered
and I did not get any ICMP. Any idea why?
rgs,
Mark
 
Lukasz Olesiejuk
      05-21-2009, 05:17 PM
On Thu, 21 May 2009 04:46:53 -0700 (PDT), (E-Mail Removed) wrote:

> Hi,
> According to "man ip", we can add a prohibit rule like this:
>
> ip rule add from 192.168.0.10 to 192.168.0.180 prohibit
>
> According to the man page, this should cause an ICMP message
> to be sent when trying to connect from 192.168.0.180 to 192.168.0.10.
> Yet when I tried it, and ran "ping 192.168.0.180", the ping was answered
> and I did not get any ICMP. Any idea why?
> rgs,
> Mark


Was this ping sent through this router?
 
Pascal Hambourg
      05-21-2009, 09:45 PM
Hello,

Lukasz Olesiejuk wrote:
> (E-Mail Removed) wrote:
>
>> ip rule add from 192.168.0.10 to 192.168.0.180 prohibit
>>
>> According to the man page, this should cause an ICMP message
>> to be sent when trying to connect from 192.168.0.180 to 192.168.0.10.


No, from 192.168.0.10 to 192.168.0.180.

>> Yet when I tried it, and ran "ping 192.168.0.180", the ping was answered
>> and I did not get any ICMP. Any idea why?

>
> Was this ping sent through this router?


The OP didn't mention any router.
The right question is: on which node is that rule? It won't have any
effect if it is on 192.168.0.180 because packets received for a local
destination are processed by the 'local' routing table which is assigned
to rule 0 before any other rules.
 
markryde@gmail.com
      05-22-2009, 06:36 AM
Hello,
Following your answer I tried this:

ip rule add from 192.168.0.180 to 192.168.0.10 prohibit

and when pinging from 192.168.0.180 to 192.168.0.10 I do get a
"connect: Network is unreachable" message. But I sniffed for all ICMP
traffic on 192.168.0.180 and there was no ICMP packet.

I would appreciate it if anybody could give a simple example where you use
a prohibit rule and send some ping/start ssh etc., and you can catch an
ICMP packet as a result.
(According to "man ip", it should be a special kind of ICMP message:
"communication administratively prohibited")


Rgs,
Mark

On May 22, 12:45 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Hello,
>
> Lukasz Olesiejuk wrote:
>
> > markr...@gmail.com wrote:
> >
> >> ip rule add from 192.168.0.10 to 192.168.0.180 prohibit
> >>
> >> According to the man page, this should cause an ICMP message
> >> to be sent when trying to connect from 192.168.0.180 to 192.168.0.10.
>
> No, from 192.168.0.10 to 192.168.0.180.
>
> >> Yet when I tried it, and ran "ping 192.168.0.180", the ping was answered
> >> and I did not get any ICMP. Any idea why?
>
> > Was this ping sent through this router?
>
> The OP didn't mention any router.
> The right question is: on which node is that rule? It won't have any
> effect if it is on 192.168.0.180 because packets received for a local
> destination are processed by the 'local' routing table which is assigned
> to rule 0 before any other rules.

 
Pascal Hambourg
      05-23-2009, 01:20 PM
(E-Mail Removed) wrote:
>
> ip rule add from 192.168.0.180 to 192.168.0.10 prohibit
>
> and when pinging from 192.168.0.180 to 192.168.0.10 I do get a
> "connect: Network is unreachable" message. But I sniffed for all ICMP
> traffic on 192.168.0.180 and there was no ICMP packet.


What ICMP packet?

> I would appreciate it if anybody could give a simple example where you use
> a prohibit rule and send some ping/start ssh etc., and you can catch an
> ICMP packet as a result.
> (According to "man ip", it should be a special kind of ICMP message:
> "communication administratively prohibited")


If the rule is on the sender, then it returns an error when a local
process tries to send a packet that matches it. It sends an ICMP error
message to the sender only when it is on an intermediate router.
 
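Pascal's distinction is what a sniffer on the sender would actually see: a local prohibit rule surfaces only as a socket error, while a prohibit rule on an intermediate router sends back ICMP Destination Unreachable (type 3) with code 13, "communication administratively prohibited", quoting the rejected datagram's IP header. The Python below is an added example, not code from any poster: it builds such a message for the thread's addresses from constructed bytes and parses a captured one, verifying the checksum and recovering which source/destination pair the router refused.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "network administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dest_unreach(code: int, original: bytes) -> bytes:
    """What a router emits: type 3, code, checksum, 4 unused bytes, then the
    offending datagram's IP header plus its first 8 bytes (RFC 792)."""
    quoted = original[: (original[0] & 0x0F) * 4 + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_dest_unreach(pkt: bytes) -> dict:
    """Classify a captured ICMP message and recover the quoted datagram's endpoints."""
    if len(pkt) < 28:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = pkt[0], pkt[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    inner = pkt[8:]  # the datagram that triggered the error
    return {"code": code,
            "description": UNREACH_CODES.get(code, "unknown code %d" % code),
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20]),
            "orig_proto": inner[9]}

# Constructed sample: IPv4 header of an echo request 192.168.0.180 -> 192.168.0.10
# (proto 1 = ICMP), followed by the echo's first 8 bytes (type 8, code 0, csum, id, seq).
SAMPLE_DATAGRAM = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0x4000, 64, 1, 0,
                              socket.inet_aton("192.168.0.180"),
                              socket.inet_aton("192.168.0.10"))
SAMPLE_DATAGRAM += struct.pack("!BBHHH", 8, 0, 0, 1, 1)
SAMPLE_ADMIN_PROHIBITED = build_dest_unreach(13, SAMPLE_DATAGRAM)

if __name__ == "__main__":
    print(parse_dest_unreach(SAMPLE_ADMIN_PROHIBITED))
```

Run against the ICMP payload of a capture taken on 192.168.0.180, a code 13 result confirms the rule sits on a router in the path; no such packet with a local "connect" error means the rule is on the sender itself.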