How does ping know that my packets are filtered?
I'm a customer of an Irish ISP, eircom, which has started censoring The Pirate Bay.
When I try to ping 194.71.107.15, which is the IP address of thepiratebay.com, I get this output:

    PING 194.71.107.15 (194.71.107.15) 56(84) bytes of data.
    From 159.134.124.176 icmp_seq=1 Packet filtered
    From 159.134.124.176 icmp_seq=2 Packet filtered
    From 159.134.124.176 icmp_seq=3 Packet filtered

How does ping know that it's filtered? How can I learn more about how it's filtered? My ping/nmap foo is weak.
Ping determines its printed message depending on the ICMP control message it receives in response to an echo-request.
At a guess, I would imagine that whatever filtering device Eircom are using to block access to The Pirate Bay is generating either ICMP Type 3, Code 9 (network administratively prohibited) or Type 3, Code 10 (host administratively prohibited) messages in response to traffic directed to The Pirate Bay's IP address.
To confirm, I would suggest running a packet capture (using Wireshark or similar) and looking at the ICMP response packets you are receiving back from 159.134.124.176.
After looking at ping.c from iputils-ping Debian etch package, I see:

    /*
     *
     * pr_icmph --
     * Print a descriptive string about an ICMP header.
     */
    void pr_icmph(__u8 type, __u8 code, __u32 info, struct icmphdr *icp)
    {
    ...
        case ICMP_PKT_FILTERED:
            printf("Packet filtered\n");
            break;
    ...

It looks like iptables reject adds this in the response, see
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/net/ipv4/netfilter/ipt_REJECT.c
and search for "ICMP_PKT_FILTERED", though it may not be the only case that would make ping reply with such a message.
That means that device 159.134.124.176 is blocking ICMP (Ping) packets and replying back to you with that information. The possible ICMP replies are listed in this Wiki article.
ping receives an ICMP_DEST_UNREACH and, depending on the type of ICMP package returned, ping knows that it's filtered.
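
The answers above suggest capturing the ICMP replies and point at ICMP_PKT_FILTERED in ping.c. As an added example (not code from iputils or from any of the posters), this C sketch decodes such a reply from raw bytes: it verifies the ICMP checksum, reads the type and code, and pulls the blocked packet's destination and protocol out of the quoted IPv4 header. The constants carry the values defined in linux/icmp.h; the struct, function names and sample bytes (including the 192.0.2.10 source address) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ICMP_DEST_UNREACH 3   /* ICMP type (RFC 792) */
#define ICMP_NET_ANO      9   /* network administratively prohibited */
#define ICMP_HOST_ANO     10  /* host administratively prohibited */
#define ICMP_PKT_FILTERED 13  /* communication administratively prohibited */

struct icmp_err { uint8_t type, code, proto, orig_dst[4]; };

/* RFC 1071 Internet checksum; yields 0 over a message with a valid checksum. */
static uint16_t inet_cksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse bytes starting at the ICMP header; 0 on success, -1 if malformed. */
int parse_icmp_err(const uint8_t *m, size_t n, struct icmp_err *out) {
    /* Need the 8-byte ICMP header plus a quoted 20-byte IPv4 header. */
    if (n < 28 || inet_cksum(m, n) != 0 || (m[8] >> 4) != 4) return -1;
    const uint8_t *ip = m + 8;            /* header of the packet that was blocked */
    out->type = m[0]; out->code = m[1]; out->proto = ip[9];
    memcpy(out->orig_dst, ip + 16, 4);
    return 0;
}

/* 1 if the code says the packet was administratively prohibited. */
int is_admin_filtered(const struct icmp_err *e) {
    return e->type == ICMP_DEST_UNREACH && (e->code == ICMP_NET_ANO ||
           e->code == ICMP_HOST_ANO || e->code == ICMP_PKT_FILTERED);
}

/* Constructed sample: type 3 code 13 quoting an echo request to 194.71.107.15. */
size_t sample_filtered(uint8_t *buf) {
    static const uint8_t s[36] = { 3, 13, 0, 0, 0, 0, 0, 0,
        0x45, 0, 0, 0x54, 0, 0, 0x40, 0, 0x40, 1, 0, 0,   /* IPv4, proto 1 */
        192, 0, 2, 10, 194, 71, 107, 15,                  /* src (made up), dst */
        8, 0, 0, 0, 0, 1, 0, 1 };                         /* echo request start */
    memcpy(buf, s, sizeof s);
    uint16_t c = inet_cksum(buf, sizeof s);               /* fill in the checksum */
    buf[2] = (uint8_t)(c >> 8); buf[3] = (uint8_t)c;
    return sizeof s;
}

int main(void) {
    uint8_t b[36]; struct icmp_err e;
    if (parse_icmp_err(b, sample_filtered(b), &e) == 0)
        printf("type %u code %u filtered=%d\n", e.type, e.code, is_admin_filtered(&e));
    return 0;
}
```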