# ping: sendmsg: Operation not permitted

## xtz

Okay, it's not the usual iptables/shorewall problem.

```
vlanget ~ # ping dir.bg -A
64 bytes from dir.bg (194.145.63.12): icmp_seq=40 ttl=60 time=4.67 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=41 ttl=60 time=4.90 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=44 ttl=60 time=6.87 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=46 ttl=60 time=5.24 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=48 ttl=60 time=6.46 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=50 ttl=60 time=7.31 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=51 ttl=60 time=5.28 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=52 ttl=60 time=6.52 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=54 ttl=60 time=5.32 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=55 ttl=60 time=6.53 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=57 ttl=60 time=4.84 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=60 ttl=60 time=7.45 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=62 ttl=60 time=5.45 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=63 ttl=60 time=6.29 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=64 ttl=60 time=6.70 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=65 ttl=60 time=9.06 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=67 ttl=60 time=5.34 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=68 ttl=60 time=5.19 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=69 ttl=60 time=5.56 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=70 ttl=60 time=4.21 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=71 ttl=60 time=7.72 ms
ping: sendmsg: Operation not permitted
64 bytes from dir.bg (194.145.63.12): icmp_seq=73 ttl=60 time=9.91 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=74 ttl=60 time=9.14 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=75 ttl=60 time=10.6 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=76 ttl=60 time=14.4 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=77 ttl=60 time=12.4 ms
64 bytes from dir.bg (194.145.63.12): icmp_seq=78 ttl=60 time=11.0 ms
ping: sendmsg: Operation not permitted
```

This is just an example. Ping to everywhere is like this, resulting in 8 to 25% packet loss.

```
vlanget ~ # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

What could be the problem?

----------

## kevstar31

Is this only when iptables is running or does this always occur?

Do you have another computer you can hook up to the same connection to see if you have the same problem?

----------

## Hu

What does a packet capture show?  Perhaps some other system is sometimes sending ICMP errors.

----------

## xtz

*kevstar31 wrote:*

> Is this only when iptables is running or does this always occur?
> 
> Do you have another computer you can hook up to the same connection to see if you have the same problem?

Yes, got 2 other Gentoo boxes, will test it today or tomorrow.

*Hu wrote:*

> Perhaps some other system is sometimes sending ICMP errors.

What do you mean?

----------

## Hu

When an ICMP echo request is received, the receiving system can send an ICMP echo response, drop the request and send nothing, or drop the request and send an ICMP error message to explicitly inform you that it does not wish to answer your request.  The latter is a bit silly for ping, but could happen if the administrator configured the box to allow a few types of traffic and send ICMP error messages for everything else.

A packet capture collected with net-analyzer/tcpdump may tell us more.  Despite its name, it can capture packets which are not TCP.

----------
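The three outcomes described in the post above (echo reply, silence, or an ICMP error), as an added example that is not part of the original thread: a Python classifier for ICMP messages such as those a packet capture would show, which matches an error back to the echo request it quotes. The session id, addresses and packets are constructed sample data, and the input is assumed to be the ICMP message with the outer IP header already stripped.

```python
import struct

# Destination Unreachable (type 3) codes a filtering host or router may send.
UNREACH = {1: "host unreachable", 3: "port unreachable",
           10: "host administratively prohibited",
           13: "communication administratively prohibited"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(mtype: int, code: int, rest: bytes) -> bytes:
    """Assemble an ICMP message (type, code, checksum, rest) for the samples."""
    csum = checksum(struct.pack("!BBH", mtype, code, 0) + rest)
    return struct.pack("!BBH", mtype, code, csum) + rest

def classify(icmp: bytes, ident: int) -> str:
    """Say what one received ICMP message means for ping session `ident`."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return "malformed"
    mtype, code = icmp[0], icmp[1]
    if mtype == 0:  # echo reply: id and seq sit directly in the header
        pid, seq = struct.unpack("!HH", icmp[4:8])
        return f"reply seq={seq}" if pid == ident else "not ours"
    if mtype == 3:  # error: quotes the original IP header + 8 bytes of our request
        inner = icmp[8:]
        ihl = (inner[0] & 0x0F) * 4 if inner else 0
        if ihl < 20 or len(inner) < ihl + 8 or inner[9] != 1:
            return "not ours"
        otype, _, _, pid, seq = struct.unpack("!BBHHH", inner[ihl:ihl + 8])
        if otype != 8 or pid != ident:
            return "not ours"
        return f"rejected seq={seq}: {UNREACH.get(code, f'code {code}')}"
    return "not ours"

# Constructed sample data: one request, the reply to it, and an error quoting it.
IDENT = 0x1234
request = build(8, 0, struct.pack("!HH", IDENT, 44) + b"constructed")
ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(request), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
reply = build(0, 0, struct.pack("!HH", IDENT, 44) + b"constructed")
error = build(3, 13, b"\x00" * 4 + ip_hdr + request[:8])

if __name__ == "__main__":
    for name, msg in (("reply", reply), ("error", error)):
        print(name, "->", classify(msg, IDENT))
```

A request that draws neither a reply nor an error never reaches `classify`, which is the "drop the request and send nothing" case.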

