no route to host but ping ok

10-11-2007, 02:26 PM

Hi.

I have to ssh to a client machine.
I suppose there is a configuration problem on there firewall but I
don't understand the following :

their machine is on ip x.y.z.85.
If I try ssh or telnet on port 22, I have : No route to host.
I always thought this is a routing problem.
What I don't understand is that, on the same ip, ping works.

So, for my comprehension, is it possible to have a routing that
depends of the protocol ?
On my linux, I wouldn't know how to do that ...

10-11-2007, 02:34 PM

In article <(E-Mail Removed). com>,
(E-Mail Removed) says...
> Hi.
>
> I have to ssh to a client machine.
> I suppose there is a configuration problem on there firewall but I
> don't understand the following :
>
> their machine is on ip x.y.z.85.
> If I try ssh or telnet on port 22, I have : No route to host.
> I always thought this is a routing problem.
> What I don't understand is that, on the same ip, ping works.
>
> So, for my comprehension, is it possible to have a routing that
> depends of the protocol ?
> On my linux, I wouldn't know how to do that ...

On some linux distribution, the default behavior of iptables is to
answer "no route to host" instead of droping the packets.

Check the iptables rules on the server.

10-11-2007, 03:24 PM

Hello,

Miss Terre a écrit :
> (E-Mail Removed) says...
>
>>I have to ssh to a client machine.
>>I suppose there is a configuration problem on there firewall but I
>>don't understand the following :
>>
>>their machine is on ip x.y.z.85.
>>If I try ssh or telnet on port 22, I have : No route to host.
>>I always thought this is a routing problem.

"No route to host" is the consequence of receiving an ICMP "host
unreachable" error message. This usually means that the router which
sent the ICMP message knows how to route the packet but the ARP
resolution for the next hop address failed. A router which has no route
for the destination would send an ICMP "network unreachable" error
message instead.

>>What I don't understand is that, on the same ip, ping works.

Maybe there is some destination NAT (DNAT) at work on x.y.z.85 which
redirects the port 22/TCP to a masqueraded host, and that host is
unreachable.

You could do some testing with ICMP and UDP traceroute, and
tcptraceroute on various ports includind 22.

>>So, for my comprehension, is it possible to have a routing that
>>depends of the protocol ?
>>On my linux, I wouldn't know how to do that ...

Linux can do that with either advanced routing or destination NAT.

> On some linux distribution, the default behavior of iptables is to
> answer "no route to host" instead of droping the packets.

Well, this looks like a mistake. ICMP "port unreachable" would be a more
appropriate reply. And in fact it is the iptables REJECT target default
reply type.

10-11-2007, 05:09 PM

mbaroukh <(E-Mail Removed)> writes:

>Hi.

>I have to ssh to a client machine.
>I suppose there is a configuration problem on there firewall but I
>don't understand the following :

>their machine is on ip x.y.z.85.
>If I try ssh or telnet on port 22, I have : No route to host.
>I always thought this is a routing problem.
>What I don't understand is that, on the same ip, ping works.

Either your or their firewall blocks ssh and telnet, but not ping.

>So, for my comprehension, is it possible to have a routing that
>depends of the protocol ?
>On my linux, I wouldn't know how to do that ...

10-12-2007, 08:08 PM

On Thu, 11 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed). com>, mbaroukh wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>I have to ssh to a client machine.
>I suppose there is a configuration problem on there firewall but I
>don't understand the following :
>
>their machine is on ip x.y.z.85.
>If I try ssh or telnet on port 22, I have : No route to host.
>I always thought this is a routing problem.

Use your favorite packet sniffer (tcpdump, ethereal, wireshark, or
what-ever) and see the packet exchange. Something like

your.host.IP:2939 -> x.y.z.85:22 SYN <mumble, mumble, fraz>
some.router -> your.host.IP:2939 ICMP Type 3 Code Something

Your system sends a SYN packet to start the conversation. Some router
sends back a refusal. Which router is telling you to sod off?

>What I don't understand is that, on the same ip, ping works.

Yes, some people don't know how to configure a firewall.

>So, for my comprehension, is it possible to have a routing that
>depends of the protocol ?

Sure. Read any of the HOWTOs that deal with firewall rules such as

85507 Aug 20 2001 Firewall-HOWTO
708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
203891 Sep 29 2004 NET3-4-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

or the extensive HOWTOs available from the author of the Linux network
filtering code at http://www.netfilter.org/documentation/HOWTO/. You
will find there are lots of ways to filter things.

Old guy

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
php fsockopen problem (no route to host)	kees hessels	Network Routers	0	07-06-2006 11:16 AM
No route to host	McHenry	Linux Networking	4	05-30-2006 04:24 AM
No route to host!?	slzang	Linux Networking	3	10-13-2004 09:40 AM
No route to host	Turi	Linux Networking	1	10-11-2004 04:01 PM
Can ping but cannot telnet ("no route to host")	Robbie	Linux Networking	6	09-14-2003 10:49 AM