# [SOLVED] Problem with ICMP Redirects



## barrett.w82

I am hoping someone could help me with the following or at least shed some light on the topic for me.

Any hints, tips or pointers would be appreciated.

I connect to the internet via ADSL (Broadband).

The router we are using is a Cisco 800 series router (877).

Now the problem I am having is as follows.

The router does not have DHCP enabled on it, so in order to connect to the internet, you have to configure your computer with an IP address in the 192.168.1.x range, you have to configure your gateway as 192.168.1.254, which is also the router's internal IP address, and lastly you have to configure your DNS addresses as 196.28.80.139 and 196.28.80.140, which are our ISP's DNS addresses.

Now the problem I am having is as follows:

When you configure this on any Windows-based PC, it works and you are able to get on the internet.

However, when you do the same on any Linux-based system, you can't get out onto the internet, and when you try to run a ping to any external addresses I get the following reply:


```
linux-d28t:~ # ping 155.232.240.19
PING 155.232.240.19 (155.232.240.19) 56(84) bytes of data.
From 192.168.1.254: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.1)
From 192.168.1.254: icmp_seq=3 Redirect Host(New nexthop: 192.168.1.1)
From 192.168.1.254 icmp_seq=2 Destination Host Unreachable
From 192.168.1.254 icmp_seq=3 Destination Host Unreachable
From 192.168.1.254: icmp_seq=4 Redirect Host(New nexthop: 192.168.1.1)
```



Now, 192.168.1.1 doesn't exist on the network.
I do not have access to the Cisco router, as it was pre-setup by our ISP.
I have tried to contact the ISP in order to resolve the issue, but up to this point, I am still struggling and the issue is still persisting.

If I take the Linux box anywhere else, give it an IP, configure the gateway and DNS, it is able to access the internet without any problems; it only does this through the Cisco router.

Through any other ADSL router, it works just fine.

So I know that there is nothing wrong with the Linux box.

I've tried OpenSuse, SME server, Endian, and they all seem to have the same issue.

In my opinion the Cisco router is at fault or incorrectly configured, but like I have said, I have no access to the router, and the ISP to this point has been unable to rectify the issue.

On the Linux side I have tried disabling ICMP redirects with commands like the following:

```
Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects=0

Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects=0

Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects   # for IPv4
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects     # for IPv4
Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects   # for IPv6
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects     # for IPv6

Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects  # for IPv4
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects    # for IPv4
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects  # for IPv6
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects    # for IPv6
```


I have tried to edit the /etc/sysctl.conf file and add the following lines:

```
# for IPv4
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# for IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.send_redirects = 0

# for IPv4
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
# for IPv6
net.ipv6.conf.eth0.accept_redirects = 0
net.ipv6.conf.eth0.send_redirects = 0
```

I have even tried the following:

```
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
```

in order to disable ICMP requests, but nothing seems to work.

Now my question is:

Is there anything else I can do, on the Linux side, to try and get it working? Seeing as I can do nothing on the router side. 

Any help would be greatly appreciated.


----------
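
The post above clears `accept_redirects` under both `conf.all` and `conf.eth0`. This added example (not part of the original thread) shows why both matter: the kernel combines the two values per interface, and on a non-forwarding host it ORs them, so clearing only `all` leaves redirects accepted. The function names and the `CONF_ROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example. CONF_ROOT defaults to the live kernel tree; pass another
# directory (e.g. a constructed test tree) to the functions instead.
CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# read_flag ROOT IFACE KEY: print the flag value, or 0 if it cannot be read
read_flag() {
    f="$1/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective_accept_redirects ROOT IFACE: print 1 if ICMP redirects arriving
# on IFACE are accepted, else 0. Rule from the kernel's ip-sysctl docs:
#   forwarding enabled on IFACE  -> conf/all AND conf/IFACE must both be 1
#   forwarding disabled on IFACE -> conf/all OR conf/IFACE being 1 is enough
effective_accept_redirects() {
    all=$(read_flag "$1" all accept_redirects)
    ifc=$(read_flag "$1" "$2" accept_redirects)
    fwd=$(read_flag "$1" "$2" forwarding)
    if [ "$fwd" -ne 0 ]; then
        if [ "$all" -ne 0 ] && [ "$ifc" -ne 0 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" -ne 0 ] || [ "$ifc" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# audit_redirects ROOT: one "IFACE accept_redirects=N" line per interface,
# skipping the "all" and "default" template directories
audit_redirects() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        echo "$i accept_redirects=$(effective_accept_redirects "$1" "$i")"
    done
}

audit_redirects "$CONF_ROOT"
```
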



## hal8000

*Re: Problem with ICMP Redirects*

From your Linux machine running SUSE 11.4, post the output of:

```
ifconfig eth0

route -n

cat /etc/resolv.conf
```

I don't think you have put your nameservers in resolv.conf but I'll wait for your outputs.

In addition, you don't have to use your ISP's DNS servers. You can use OpenDNS or Google's DNS server. I find Google's DNS server 8.8.4.4 much faster than my own ISP's at lookup, so I am using Google now.


----------



## barrett.w82

*Re: Problem with ICMP Redirects*

Hi, here are the outputs you asked for:



```
linux-d28t:~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:19:66:31:D5:69
          inet addr:192.168.1.222  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::219:66ff:fe31:d569/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5625 (5.4 Kb)  TX bytes:5353 (5.2 Kb)
          Interrupt:22 Base address:0x6c00

linux-d28t:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
linux-d28t:~ # cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
nameserver 196.28.80.139
nameserver 196.28.80.140
linux-d28t:~ #
```




Thanks for the advice. I have used OpenDNS's name servers in the past, but haven't really ever checked to see if they resolve faster than the name servers from our ISP. Haven't really tried Google's before, will try it out. Thanks.


----------



## hal8000

*Re: Problem with ICMP Redirects*

It looks as though the fault may be within the Cisco router; the route, gw and resolv.conf look ok.

You can try disabling iptables but I don't think it will have any effect.

It's usually

```
/etc/init.d/iptables save
/etc/init.d/iptables stop
```

to stop iptables and save your config. Try browsing, then start iptables again:

```
/etc/init.d/iptables start
```


(All commands as root)


----------



## barrett.w82

*Re: Problem with ICMP Redirects*

Thanks, I will try that and let you know.

Thanks for the help.


----------



## barrett.w82

*Re: Problem with ICMP Redirects*

I tried what you suggested.

At first I wasn't able to start or stop IPtables or anything like that.

I just got a reply like the following when trying to stop IPtables:



```
iptables stop
Bad argument `stop'
Try `iptables -h' or 'iptables --help' for more information.
```




and when looking up the options it gave me the following:




```
iptables --help
iptables v1.4.10

Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
```







So I decided to do some research and found that OpenSuse by default uses SuSEfirewall2.

I tried stopping SuSEfirewall2 in the following manner:




```
linux-d28t:/ # rcSuSEfirewall2 stop
Unloading firewall rules done
linux-d28t:/ # SuSEfirewall2 stop
SuSEfirewall2: Firewall rules unloaded.
```



Just for some extra info, here are the options for SuSEfirewall2:




```
linux-d28t:/ # SuSEfirewall2 --help
SuSEfirewall2 3.6, Copyright (C) 2005 SUSE LINUX Products GmbH

stateful packet filter rules generator for iptables.

/sbin/SuSEfirewall2 start|test|debug [file FILENAME]
/sbin/SuSEfirewall2 basic|stop|close|status|help
/sbin/SuSEfirewall2 open ZONE TYPE services...
/sbin/SuSEfirewall2 on|off

Options:
start generate and load the firewall filter rules from
/etc/sysconfig/SuSEfirewall2
stop unload all filter rules
close no incoming network traffic except bootp+ping (for boot security)
basic set basic filter rules that drop all incoming access
test generate and load the filter rules but do not drop any packet but log
to syslog anything which *would* be denied
status print the output of "iptables -nvL"
debug print the iptables command to stdout instead of executing them
log show SuSEfirewall2 related syslog messages in a better readable format
help this output
open open the specified services in the specified zone. You need to
restart SuSEfirewall2 for changes to take effect.
on add SuSEfirewall2 initscripts to boot process and start
off remove SuSEefirwall2 initscripts from boot process and stop

file FILENAME same as "start" but load alternate config file FILENAME

Calling /sbin/SuSEfirewall2 without any option is the same as the "start" option.
The "file FILENAME" option may be used with the start, test and debug options.
linux-d28t:/ # rcSuSEfirewall2 --help
Usage: /sbin/rcSuSEfirewall2 {start|stop|status|restart|reload|force-reload}
```






So according to the replies I got, it seemed to stop the service; however, it didn't seem to change anything. The problem still persisted.


Any ideas or suggestions?


----------



## hal8000

*Re: Problem with ICMP Redirects*

One more suggestion: the output from ifconfig shows your Linux machine as 192.168.1.222.

The last octet seems unusually high.

Check ipconfig from both Windows machines that work.
If their IP address is similar, e.g. 192.168.1.221, then I am unsure what the problem is.

If the Windows machines are 192.168.1.2 or 192.168.1.3 then there may be some configuration in your Cisco router.
You also stated in your first post that the Cisco does not use DHCP for the LAN, so it may be worth checking your router config.

You could prove this by finding out your Windows IP address, disconnecting that machine from the network, then statically assigning the Linux box the same IP address and then seeing if it has internet connectivity.


----------



## barrett.w82

*Re: Problem with ICMP Redirects*

I tried what you suggested, but it didn't seem to help.

I've got a couple of Windows machines on the network; the one's IP is 192.168.1.253 and one of the others has got an IP of 192.168.1.13.

And they both seem to be ok.

So I took the one with the IP of 192.168.1.13 offline and configured the SUSE box with 192.168.1.13.

But it didn't seem to change anything.

I've also tried contacting the ISP again, and they checked a couple of things on their side, but I am not sure what they checked, seeing as I do not have access to the Cisco router, as it was pre-setup by our ISP.

But it didn't seem to help, as I am still having the same problem.

I think I will ask them if they would be able to enable DHCP on the Cisco router and maybe set it as 192.168.1.1 instead of 192.168.1.254 and see if that maybe wouldn't resolve the issue.

Will let you know what happens.

Thanks again for all the help.

Have a great weekend.


----------



## barrett.w82

*Re: Problem with ICMP Redirects*

Good news.

I mailed my ISP to change the router internal address from 192.168.1.254 to 192.168.1.1 and to also make 192.168.1.1 the default gateway.

Furthermore, I requested them to enable DHCP on the router, and almost immediately it all started working.

Now, whether using manual IPs or DHCP, it routes me just fine, and I am now able to get onto the internet.

I consider this case closed.

Thanks yet again for all your help.


----------



## hal8000

*Re: Problem with ICMP Redirects*

Thanks for letting us know; just edit the title on your first post and add [solved].
It must have been something in the router, as we suspected earlier.


----------



## barrett.w82

Thanks again, marked it as solved just now.

Very glad to not have to battle with this one anymore.


----------

