On 7/20/2011 5:51 AM, Timothy Murphy wrote:
>
> Further to my question,
> how can I determine if it is the Billion 5200S modem/router
> that is preventing pings, or if it is the CentOS-6 MicroServer
> attached to the modem/router?
>
> I don't see any reference to ICMP on the modem web-page.
>
> On the other hand the CentOS firewall seems to allow ICMP
> unless explicitly rejected (which I haven't done).
>
> Surely it would be slightly odd for a modem/router
> to reject pings by default?

Do you only have one public IP?  This sort of router is generally
configured to do one->many source NAT for a private network behind it.
For TCP and UDP packets there are more specified fields (port/socket
info) that can be used to map inbound packets to the right private
target either with configured entries or the dynamically maintained NAT
table.  But there's no way to distinguish whether an inbound ping should
be answered by the modem itself or passed through if you have specified
a default 'dmz' target.  GRE packets (as used in PPTP or router tunnels)
have a similar problem of not having documented info that can be used to
track the source NAT when there are multiple active sessions, although
some routers manage to do it using Microsoft conventions in the packets.

> Is there any simple way, short of using something like ethereal,
> of determining if ICMP packets are reaching the computer,
> and being rejected there?

A sniffer like tcpdump or wireshark is the simple way.  However, note
that these see packets before they hit the host's iptables firewall so
even if you see packets arriving, they may not be reaching any
applications.

-- 
Les Mikesell
lesmikesell at gmail.com
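
The sniffer check described in the reply above, as an added example that is not part of the original message: it reads lines captured on the server with `tcpdump -n icmp` and reports whether echo requests arrive at all and whether the host answers them. The function name, verdict strings, addresses and sample capture lines are constructed for illustration.

```python
import re

# Line format printed by `tcpdump -n icmp` for echo traffic.
ECHO = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def diagnose(lines, host_ip):
    """Say where pings to host_ip are lost, given a capture taken on that host."""
    requests, replies = set(), set()
    rejected = False
    for line in lines:
        m = ECHO.search(line)
        if m:
            key = (m["id"], m["seq"])
            if m["kind"] == "request" and m["dst"] == host_ip:
                requests.add((m["src"],) + key)
            elif m["kind"] == "reply" and m["src"] == host_ip:
                replies.add((m["dst"],) + key)
        elif f"IP {host_ip} >" in line and "admin prohibited" in line:
            rejected = True  # host sent an ICMP unreachable, e.g. iptables REJECT
    if not requests:
        return "not-reaching-host"  # dropped or answered upstream (modem/router)
    if not (requests - replies):
        return "host-replies"       # host answers; look at the return path
    # The sniffer sees packets before iptables, so arrival alone proves nothing.
    return "host-rejects" if rejected else "host-drops"

HOST = "192.168.1.10"  # constructed private address of the server
# Constructed sample captures (documentation addresses, not real traffic).
REQ1 = "10:15:01.000100 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4242, seq 1, length 64"
REQ2 = "10:15:02.000200 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4242, seq 2, length 64"
REP1 = "10:15:01.000150 IP 192.168.1.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 1, length 64"
REP2 = "10:15:02.000250 IP 192.168.1.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 2, length 64"
REJ = "10:15:01.000160 IP 192.168.1.10 > 203.0.113.5: ICMP host 192.168.1.10 unreachable - admin prohibited, length 92"
OUTBOUND = "10:15:03.000300 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 77, seq 1, length 64"

if __name__ == "__main__":
    for name, capture in [("silent", [REQ1, REQ2]), ("answered", [REQ1, REP1, REQ2, REP2]),
                          ("rejected", [REQ1, REJ]), ("nothing inbound", [OUTBOUND])]:
        print(f"{name}: {diagnose(capture, HOST)}")
```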