Michael Mol, 09-22-2011, 12:57 PM
Can't connect to local webserver - ICMP admin prohibited

On Thu, Sep 22, 2011 at 8:25 AM, Adam Carter <adamcarter3@gmail.com> wrote:
> On Thu, Sep 22, 2011 at 10:12 PM, Jonas de Buhr <jonas.de.buhr@gmx.net> wrote:
>>>ssh works.
>>
>> routing should be ok then.
>>
>>>Connection from the same client to a third gentoo box
>>>running a webserver works.
>>
>> what about connecting to the webserver from that third gentoo box?
>
> Same ICMP response, so it's not a client-side issue.
>
>>>Anyone seen this behavior? There's no iptables,
>>
>> you did check that on both machines, didn't you?
>> what about tcp-wrappers?
>
> No iptables on any of the boxes. No tcpwrappers.

strace output? Which syscall is actually failing, and with what error code?

--
:wq
 
Richard Gration, 09-22-2011, 02:00 PM
Can't connect to local webserver - ICMP admin prohibited

On 22 September 2011 12:39, Adam Carter <adamcarter3@gmail.com> wrote:
> # tcpdump -n -i eth0 host 192.168.1.6 and port not 22
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 21:10:57.011994 IP 192.168.1.6.46161 > 192.168.1.250.80: S
> 4279617058:4279617058(0) win 14600 <mss 1460,sackOK,timestamp 7007662
> 0,nop,wscale 6>
> 21:10:57.037227 IP 192.168.1.250 > 192.168.1.6: ICMP host
> 192.168.1.250 unreachable - admin prohibited filter, length 36

> Anyone seen this behavior? There's no iptables, the hosts are gentoo
> and on the same subnet. I've only seen admin prohibited ICMP from
> filtering by cisco ACLs - what could be the problem?

It's not the ICMP that is being prohibited. This packet:

> 21:10:57.037227 IP 192.168.1.250 > 192.168.1.6: ICMP host
> 192.168.1.250 unreachable - admin prohibited filter, length 36

is an ICMP "host unreachable" response from .250. The extended reason
for the unreachability is that there is an administrative policy
preventing the traffic. It almost certainly *is* a firewall that's
preventing this, one with a REJECT target, as REJECT specifies to
return an ICMP unreachable packet. I suggest that you look more
closely at the firewalling on .250. If there is definitely no
firewalling going on (ie iptables -nvL shows only default policies and
the default is ACCEPT for INPUT and OUTPUT chains) then could there be
an intervening network device?

Rich
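The three outcomes this thread turns on (an ICMP "admin prohibited" unreachable from a REJECT rule or a filtering device, a TCP RST from a closed port or a tcp-reset REJECT, and a normal SYN/ACK) can be told apart mechanically from the tcpdump text. The script below is an added example, not part of the thread; it parses the older tcpdump line format shown above, using a constructed sample that mirrors the quoted capture plus made-up RST and SYN/ACK lines, and attributes each reply to the SYN it answers.

```python
import re

# Constructed sample in the older tcpdump text format quoted above: the first two
# lines mirror the page's capture, the rest are made up to show RST and SYN/ACK.
SAMPLE = """\
21:10:57.011994 IP 192.168.1.6.46161 > 192.168.1.250.80: S 4279617058:4279617058(0) win 14600 <mss 1460,sackOK,timestamp 7007662 0,nop,wscale 6>
21:10:57.037227 IP 192.168.1.250 > 192.168.1.6: ICMP host 192.168.1.250 unreachable - admin prohibited filter, length 36
21:11:03.100000 IP 192.168.1.6.46162 > 192.168.1.250.81: S 100:100(0) win 14600 <mss 1460>
21:11:03.100500 IP 192.168.1.250.81 > 192.168.1.6.46162: R 0:0(0) ack 101 win 0
21:11:10.200000 IP 192.168.1.6.46163 > 192.168.1.250.22: S 200:200(0) win 14600 <mss 1460>
21:11:10.200400 IP 192.168.1.250.22 > 192.168.1.6.46163: S 300:300(0) ack 201 win 5792 <mss 1460>
"""

IP = r"\d+\.\d+\.\d+\.\d+"
TCP_RE = re.compile(rf"IP ({IP})\.(\d+) > ({IP})\.(\d+): ([SRPF.]+)(.*)")
ICMP_RE = re.compile(rf"IP ({IP}) > ({IP}): ICMP (.*)")

def classify(capture):
    """Map each client SYN (client port, server port) to what came back for it."""
    verdicts = {}   # (client port, server port) -> verdict string
    pending = []    # unanswered SYNs, oldest first: (client, server, sport, dport)
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags, rest = m.groups()
            sport, dport = int(sport), int(dport)
            if "S" in flags and " ack " not in rest:           # a new SYN
                pending.append((src, dst, sport, dport))
                verdicts[(sport, dport)] = "no-response"       # DROP or a silent filter
                continue
            key = (dport, sport)                               # reply: ports swap
            if key in verdicts:
                if "R" in flags:
                    verdicts[key] = "tcp-rst"      # closed port, or REJECT --reject-with tcp-reset
                elif "S" in flags:
                    verdicts[key] = "syn-ack"      # port open, nothing in the way
                pending = [p for p in pending if (p[2], p[3]) != key]
            continue
        m = ICMP_RE.search(line)
        if m and "unreachable" in m.group(3):
            # This tcpdump format omits the quoted TCP header of the ICMP error,
            # so charge it to the oldest unanswered SYN sent by that client.
            for p in pending:
                if p[0] == m.group(2):
                    kind = "icmp-admin-prohibited" if "admin prohibited" in m.group(3) else "icmp-unreachable"
                    verdicts[(p[2], p[3])] = kind  # REJECT with an ICMP reject type, or a filtering device
                    pending.remove(p)
                    break
    return verdicts
```

Run it against `tcpdump -n -l ... | tee capture.txt` output saved from the affected hosts; a SYN that ends up "no-response" points at a DROP rule or a silent device rather than the REJECT discussed here.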
 
Jonas de Buhr, 09-22-2011, 02:30 PM
Can't connect to local webserver - ICMP admin prohibited

>> what about connecting to the webserver from that third gentoo box?
>
>Same ICMP response, so it's not a client-side issue.

yep.

>No iptables on any of the boxes. No tcpwrappers.

is there anything in between on the network?

does traceroute show anything unusual?

what happens if you try to connect to a closed port (81 for example)?
 
James, 09-22-2011, 04:31 PM
Can't connect to local webserver - ICMP admin prohibited

Adam Carter <adamcarter3@gmail.com> writes:

> ssh works. Connection from the same client to a third gentoo box
> running a webserver works.

KISS may be at work here.

go and delete the ".ssh/known_hosts"
files just to be certain it's not something
really simple....

hth,
James
 
Adam Carter, 09-22-2011, 11:08 PM
Can't connect to local webserver - ICMP admin prohibited

> It's not the ICMP that is being prohibited.

Understood, that's clear from the packet trace.

> is an ICMP "host unreachable" response from .250. The extended reason
> for the unreachability is that there is an administrative policy
> preventing the traffic. It almost certainly *is* a firewall that's
> preventing this, one with a REJECT target, as REJECT specifies to
> return an ICMP unreachable packet.

Most firewalls I've seen send a spoofed TCP reset, not an ICMP, when
rejecting TCP. However, iptables can do either. I have run iptables -F
and the tables are shown as clear with iptables -L.

proxy vhosts.d # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-SSH (0 references)
target prot opt source destination

Chain fail2ban-apache (0 references)
target prot opt source destination
proxy vhosts.d #

> I suggest that you look more
> closely at the firewalling on .250. If there is definitely no
> firewalling going on (ie iptables -nvL shows only default policies and
> the default is ACCEPT for INPUT and OUTPUT chains) then could there be
> an intervening network device?

The devices are connected, there's only a switch between them (a
Billion ADSL router).
 
Adam Carter, 09-22-2011, 11:10 PM
Can't connect to local webserver - ICMP admin prohibited

> is there anything in between on the network?

Just a Billion switch

> does traceroute show anything unusual?

Nothing to trace - same subnet

> what happens if you try to connect to a closed port (81 for example)?

I get the expected TCP reset.
 
Adam Carter, 09-22-2011, 11:12 PM
Can't connect to local webserver - ICMP admin prohibited

>> ssh works. Connection from the same client to a third gentoo box
>> running a webserver works.
>
> KISS may be at work here.
>
> go and delete the ".ssh/known_hosts"
> files just to be certain it not something
> really simple....

That file just contains the cached ssh host keys - nothing to do with
a webserver.
 
Adam Carter, 09-22-2011, 11:14 PM
Can't connect to local webserver - ICMP admin prohibited

> strace output? Which syscall is actually failing, and with what error code?

What would I trace? Why do you think the information provided suggests
a syscall failing?