Linux Archive > Gentoo > Gentoo User
09-23-2011, 12:05 AM
Michael Mol
Can't connect to local webserver - ICMP admin prohibited

On Thu, Sep 22, 2011 at 7:14 PM, Adam Carter <adamcarter3@gmail.com> wrote:
>> strace output? Which syscall is actually failing, and with what error code?
>
> What would I trace? Why do you think the information provided suggests
> a syscall failing?

Misread your original post.



--
:wq
 
09-23-2011, 06:07 AM
Mick
Can't connect to local webserver - ICMP admin prohibited

On Friday 23 Sep 2011 00:10:31 Adam Carter wrote:
> > is there anything in between on the network?
>
> Just a billion switch

... which is running a firewall?

(The tcpdump shows a firewall is in play on 192.168.1.250).
--
Regards,
Mick
 
09-23-2011, 06:14 AM
Adam Carter
Can't connect to local webserver - ICMP admin prohibited

>> Just a billion switch
>
> ... which is running a firewall?
>
> (The tcpdump shows a firewall is in play on 192.168.1.250).

The firewall's disabled, and should only be in play if the packet gets
routed from what I understand. These packets are being switched. I
guess I should connect the hosts directly with a crossover to rule it
out.

Anyway, I've run up apache on port 81 and it works fine.

I also tried disabling apache and connecting to port 80 and got the
ICMP message instead of the expected TCP reset.
 
09-23-2011, 11:24 AM
Jonas de Buhr
Can't connect to local webserver - ICMP admin prohibited

>The devices are connected, there's only a switch between them (a
>billion ADSL router).

Wait... billion as in "billion the company"? And
you are using your router as a switch?

Please connect the two computers without any switch (crossover cable if
they aren't 1000mbit) and try again. Maybe the router is doing
something funny with port 80? Most routers DO run firewalls.
 
09-23-2011, 01:50 PM
James
Can't connect to local webserver - ICMP admin prohibited

Adam Carter <adamcarter3 <at> gmail.com> writes:

> > go and delete the ".ssh/known_hosts"

> That file just contains the cached ssh host keys - nothing to do with

My bad, I thought I had read where you cannot ssh into the
server....

So sorry
 
09-23-2011, 02:13 PM
Pandu Poluan
Can't connect to local webserver - ICMP admin prohibited

On Sep 23, 2011 6:11 AM, "Adam Carter" <adamcarter3@gmail.com> wrote:
>
> > It's not the ICMP that is being prohibited.
>
> Understood, that's clear from the packet trace.
>
> > is an ICMP "host unreachable" response from .250. The extended reason
> > for the unreachability is that there is an administrative policy
> > preventing the traffic. It almost certainly *is* a firewall that's
> > preventing this, one with a REJECT target, as REJECT specifies to
> > return an ICMP unreachable packet.
>
> Most firewalls I've seen send a spoofed TCP reset, not an ICMP when
> rejecting TCP. However, iptables can do either. I have run iptables -F
> and the tables are shown as clear with iptables -L.
>
> proxy vhosts.d # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain fail2ban-SSH (0 references)
> target     prot opt source               destination
>
> Chain fail2ban-apache (0 references)
> target     prot opt source               destination
> proxy vhosts.d #
>

Can you post the outputs of 'iptables-save' and 'ip rule show'?

Rgds,
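The exchange above turns on what an ICMP "host unreachable - admin prohibited" actually carries. The following is an added example, not code from the thread or any of its participants: it builds and decodes such a message to show why tcpdump can report both the reason and the rejected connection (the error quotes the original IP header and first 8 bytes of the refused datagram), and it maps the ICMP code back to the iptables --reject-with keyword that emits it. 192.168.1.250 and port 80 come from the thread; the client address 192.168.1.10, IP ID, TTL and TCP sequence number are made-up sample values.

```python
"""Decode an ICMPv4 Destination Unreachable the way tcpdump reports it.

Added example, not code from the thread. The sample packet is constructed:
192.168.1.250 and port 80 come from the thread; the client 192.168.1.10,
IP ID, TTL and TCP sequence number are made-up values.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3

# ICMP type 3 codes (RFC 792 / RFC 1812) paired with the iptables
# --reject-with keyword that emits each. tcpdump prints code 10 as
# "host X unreachable - admin prohibited".
UNREACH_CODES = {
    0: ("net unreachable", "icmp-net-unreachable"),
    1: ("host unreachable", "icmp-host-unreachable"),
    2: ("protocol unreachable", "icmp-proto-unreachable"),
    3: ("port unreachable", "icmp-port-unreachable (REJECT default)"),
    9: ("net unreachable - admin prohibited", "icmp-net-prohibited"),
    10: ("host unreachable - admin prohibited", "icmp-host-prohibited"),
    13: ("host unreachable - admin prohibited filter", "icmp-admin-prohibited"),
}


def inet_checksum(data):
    """RFC 1071 ones'-complement sum; yields 0 over a message whose checksum
    field is already correct, which is how checksum_ok() verifies one."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(icmp):
    return inet_checksum(icmp) == 0


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(code, quoted_datagram):
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the quoted
    original IP header plus the first 8 bytes of its payload."""
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_datagram
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def decode_unreachable(icmp):
    """Parse an ICMP unreachable and recover what was being connected to."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError(f"not destination unreachable (type {icmp[0]})")
    if not checksum_ok(icmp):
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                              # the quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram lacks a full IPv4 header + 8 bytes")
    code = icmp[1]
    reason, reject_with = UNREACH_CODES.get(code, (f"code {code}", "unknown"))
    info = {
        "code": code, "reason": reason, "reject_with": reject_with,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
    }
    if inner[9] in (6, 17):                       # TCP/UDP: ports lead the payload
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def tcpdump_line(sender, info):
    """Roughly tcpdump's one-line rendering (it puts the quoted destination
    after 'host'/'net')."""
    reason = info["reason"].replace("unreachable", f"{info['orig_dst']} unreachable", 1)
    return f"IP {sender} > {info['orig_src']}: ICMP {reason}"


# Constructed sample: .250 refuses a SYN from an assumed client to port 80.
CLIENT, SERVER = "192.168.1.10", "192.168.1.250"
QUOTED = ipv4_header(CLIENT, SERVER, proto=6, total_len=60) + struct.pack("!HHI", 51512, 80, 0x1EAD2C0D)
SAMPLE = build_unreachable(10, QUOTED)

if __name__ == "__main__":
    info = decode_unreachable(SAMPLE)
    print(tcpdump_line(SERVER, info))
    print(f"port {info['orig_dport']} refused with code {info['code']}: "
          f"what iptables REJECT --reject-with {info['reject_with']} sends")
```

On a live host, `tcpdump -n 'icmp[icmptype] == 3'` isolates these messages; the quoted destination port in the error tells you which service the policy applied to, and the code (10 here, versus 3 for the REJECT default) narrows down which rule produced it.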
 
09-23-2011, 05:01 PM
Adam Carter
Can't connect to local webserver - ICMP admin prohibited

> Can you post the outputs of 'iptables-save' and 'ip rule show'?

# iptables-save
# Generated by iptables-save v1.4.12.1 on Sat Sep 24 02:57:42 2011
*nat
:PREROUTING ACCEPT [239188:15840835]
:INPUT ACCEPT [230129:15089630]
:OUTPUT ACCEPT [265028:20043915]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.254/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.254/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.254:3129
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat Sep 24 02:57:42 2011
# Generated by iptables-save v1.4.12.1 on Sat Sep 24 02:57:42 2011
*mangle
:PREROUTING ACCEPT [63823853:97394042876]
:INPUT ACCEPT [62454740:96723050843]
:FORWARD ACCEPT [1367064:670686100]
:OUTPUT ACCEPT [47954138:21176280811]
:POSTROUTING ACCEPT [49321180:21846964975]
COMMIT
# Completed on Sat Sep 24 02:57:42 2011
# Generated by iptables-save v1.4.12.1 on Sat Sep 24 02:57:42 2011
*filter
:INPUT ACCEPT [683278:162916016]
:FORWARD ACCEPT [18:1044]
:OUTPUT ACCEPT [750201:170843065]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
COMMIT
# Completed on Sat Sep 24 02:57:42 2011

The wlan interface that uses 10. addressing is not in use at the moment.

I'm using ifconfig so I don't have the ip binary on this system.
 
09-23-2011, 05:06 PM
Adam Carter
Can't connect to local webserver - ICMP admin prohibited

On Fri, Sep 23, 2011 at 9:24 PM, Jonas de Buhr <jonas.de.buhr@gmx.net> wrote:
>>The devices are connected, there's only a switch between them (a
>>billion ADSL router).
>
> wait... billion as in "billion the company"? and
> you are using your router as a switch?

Yeah - this is just at home. The router has a 4 port switch built in.

> please connect the two computers without any switch (crossover cable if
> they aren't 1000mbit) and try again. maybe the router is doing
> something funny with port 80? most routers DO run firewalls.

It's disabled, but I will try a crossover to eliminate any possibility
it's the billion.

Will gig negotiate auto cross over on a straight cable? I have a cross
over i can use, but since you mentioned gig....
 
09-23-2011, 05:20 PM
Bill Longman
Can't connect to local webserver - ICMP admin prohibited

On 09/23/2011 10:06 AM, Adam Carter wrote:
> Will gig negotiate auto cross over on a straight cable? I have a cross
> over i can use, but since you mentioned gig....

Yes. GigE is always auto-mdi by definition.
 
09-23-2011, 05:43 PM
Pandu Poluan
Can't connect to local webserver - ICMP admin prohibited

On Sep 24, 2011 12:05 AM, "Adam Carter" <adamcarter3@gmail.com> wrote:
>
> > Can you post the outputs of 'iptables-save' and 'ip rule show'?
>
> # iptables-save
> # Generated by iptables-save v1.4.12.1 on Sat Sep 24 02:57:42 2011
> *nat

[snip]

> -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.254:3129

This line looks suspicious.

What's living at 10.0.0.254:3129 ?

Try inserting an ACCEPT target above that line, e.g.:

iptables -t nat -I PREROUTING 3 -j ACCEPT

and test again. (Use iptables-save after the above command to ensure that the newly inserted rule indeed slips before the suspicious line).

> I'm using ifconfig so I don't have the ip binary on this system.
>

No problem. If my hunch is correct, it's that suspicious line that's been causing you grief.

Rgds,
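The gotcha behind Pandu's hunch: `iptables -L` and `iptables -F` operate on the filter table unless `-t` says otherwise, so the nat-table DNAT in the dump above was neither listed by `iptables -L` nor removed by `iptables -F`. The following is an added example, not code from the thread or any of its participants: it parses an iptables-save dump, lists every rule that plain `iptables -L` hides, and walks the nat PREROUTING and filter INPUT chains with first-match semantics for a TCP packet to port 80. The ruleset is the one Adam posted (mangle table left out); the client address 192.168.1.10 is an assumed sample value.

```python
"""Audit an iptables-save dump for rules that touch a given service.

Added example, not code from the thread. The ruleset is the one posted in
the thread (mangle table omitted); 192.168.1.10 is an assumed client.
"""
import ipaddress
import shlex

IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [239188:15840835]
:INPUT ACCEPT [230129:15089630]
:OUTPUT ACCEPT [265028:20043915]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.254/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.254/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.254:3129
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [683278:162916016]
:FORWARD ACCEPT [18:1044]
:OUTPUT ACCEPT [750201:170843065]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
COMMIT
"""

# Targets that end traversal of the current chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}


def parse_rule(argv):
    """Extract the matches this audit models from one '-A' line. Matches it
    does not model (-i/-o, -m state, '!' negation, ...) are ignored, so the
    audit errs towards reporting a rule as relevant rather than missing it."""
    rule = {"src": None, "proto": None, "dport": None, "target": None, "to": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif tok in ("-p", "--protocol"):
            rule["proto"] = val
        elif tok == "--dport":
            rule["dport"] = int(val)
        elif tok in ("-j", "--jump"):
            rule["target"] = val
        elif tok == "--to-destination":
            rule["to"] = val
        elif tok not in ("-m", "-i", "-o", "-d", "--sport"):
            i += 1          # a flag without a value ('!', '--syn', ...): skip just it
            continue
        i += 2              # every branch above consumed an option and its value
    return rule


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [rule, ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            tables[table][chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rule = parse_rule(argv[2:])
            rule["raw"] = line
            tables[table][argv[1]]["rules"].append(rule)
        elif line == "COMMIT":
            table = None
    return tables


def rule_matches(rule, src, proto, dport):
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    return rule["dport"] is None or rule["dport"] == dport


def first_hit(tables, table, chain, src, proto, dport):
    """Walk a chain in order, following jumps into user chains; return the
    first matching rule with a terminating target, or None when the packet
    falls through to the chain policy."""
    for rule in tables[table][chain]["rules"]:
        if not rule_matches(rule, src, proto, dport):
            continue
        if rule["target"] in TERMINATING:
            return rule
        if rule["target"] in tables[table]:          # jump to a user-defined chain
            hit = first_hit(tables, table, rule["target"], src, proto, dport)
            if hit is not None:
                return hit
    return None


def rules_outside_filter(tables):
    """Rules that plain `iptables -L` never shows and `iptables -F` never removes."""
    return [r["raw"] for t, chains in tables.items() if t != "filter"
            for c in chains.values() for r in c["rules"]]


def port80_verdict(src, tables=None):
    """What happens to a TCP SYN to port 80 from `src` on this host."""
    tables = tables or parse_iptables_save(IPTABLES_SAVE)
    nat = first_hit(tables, "nat", "PREROUTING", src, "tcp", 80)
    if nat is not None and nat["target"] == "DNAT":
        return f"rewritten to {nat['to']} before the filter table ever sees it"
    flt = first_hit(tables, "filter", "INPUT", src, "tcp", 80)
    verdict = flt["target"] if flt else tables["filter"]["INPUT"]["policy"] + " (policy)"
    return f"filter INPUT: {verdict}"


if __name__ == "__main__":
    t = parse_iptables_save(IPTABLES_SAVE)
    print("hidden from `iptables -L`:", *rules_outside_filter(t), sep="\n  ")
    for client in ("192.168.1.10", "10.0.0.254"):     # first address is an assumed sample
        print(client, "->", port80_verdict(client, t))
```

For the posted ruleset every client except 10.0.0.254 has its port-80 SYN rewritten to 10.0.0.254:3129 in PREROUTING, while the filter table, the only one `iptables -L` showed, stays empty. On the live host the equivalent checks are `iptables-save` (all tables) or `iptables -t nat -L -n -v --line-numbers`, and clearing the NAT rules takes `iptables -t nat -F`, not a bare `iptables -F`.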
 
