G'day everyone,

Here is a problem I've struggled with for some time now and have run out of ideas. Hopefully someone can point me in the right direction.

An Acer laptop with F8 needs updating and has internet access via a dialup connection to a box running FC6. Running Wireshark on the laptop when a connection with Firefox is attempted shows the gateway returning a packet with:
ICMP Destination unreachable (Host administratively prohibited).
This points to a REJECT target in the iptables, of which there is only one. Yet with iptables stopped, there is still no connection, with the gateway returning a packet with TCP flags: [RST, ACK].
Is the problem with the laptop or the gateway box? Here are the iptables rules.
[root@Ipex ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@Ipex ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/24
DROP       all  -- !192.168.0.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@Ipex ~]#
All suggestions eagerly and gratefully anticipated.
On Mon, 2008-05-05 at 11:07 +1000, Simon Slater wrote:
> Is the problem with the laptop or the gateway box? Here are the iptables rules.
Which machine does those supplied rules apply to, and what are the rules for the other machine?
On Mon, 2008-05-05 at 12:55 +0930, Tim wrote:
> > Is the problem with the laptop or the gateway box? Here are the iptables rules.
>
> Which machine does those supplied rules apply to, and what are the rules for the other machine?
The previously posted rules apply to the gateway. The following apply to the laptop:
[root@acer ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

[root@acer ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.122.0/24     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@acer ~]#
I didn't think to check the laptop rules because the rejected packet came from the gateway. It looks like masquerading is set up on the laptop also. This should be off for the client? I don't know where the 192.168.122.0/24 address came from, nor the 224.0.0.251 for that matter.
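Editor's note, an added example and not part of the thread: the gateway listing above shows that the first rule in FORWARD jumps to RH-Firewall-1-INPUT, whose last rule is REJECT --reject-with icmp-host-prohibited, the very ICMP the Wireshark capture reported. A forwarded packet is therefore judged by the host-firewall chain before the ACCEPT rules for 192.168.0.0/24 ever get a look, and a NEW TCP connection to port 80 matches none of the service ports in that chain. The small Python model below encodes the posted rules and traces such a packet; only match types visible in the listing are modelled. Two things are assumptions rather than facts from the page: the laptop and web-server addresses (192.168.0.10, 203.0.113.5) and the ingress interface names are constructed, and the first ACCEPT in RH-Firewall-1-INPUT is treated as the stock Fedora `-i lo` rule, because `iptables -L` without `-v` hides interface matches (run `iptables -L -v -n` or `iptables-save` to see them). The model says nothing about the RST/ACK seen with iptables stopped; that is outside the filter table.

```python
"""Trace packets through a model of the gateway's filter table as posted above.
Added example, not code from the thread.  Only the match types present in the
posted listing are modelled; see the in-line comments for assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # tcp, udp, icmp, esp, ah
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack state as iptables would see it
    in_iface: str = "ppp0"     # assumed: laptop traffic arrives over the dialup link

@dataclass
class Rule:
    target: str                # ACCEPT, DROP, REJECT or a user-defined chain
    proto: str = "all"
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None
    states: tuple = ()
    in_iface: Optional[str] = None
    src_negate: bool = False   # the '!' shown in front of a source in -L output
    reject_with: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        src_ok = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
        if src_ok == self.src_negate:          # '!' inverts the source match
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        return True

def traverse(chains: dict, chain: str, p: Packet, path: list) -> str:
    """Walk `chain` top to bottom; return the first terminal verdict, else the
    chain policy ("RETURN" for user-defined chains, which fall back to the caller)."""
    policy, rules = chains[chain]
    for n, r in enumerate(rules, 1):
        if not r.matches(p):
            continue
        path.append(f"{chain}[{n}] -> {r.target}")
        if r.target == "REJECT":
            return f"REJECT ({r.reject_with})"
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        verdict = traverse(chains, r.target, p, path)   # jump into a user chain
        if verdict != "RETURN":
            return verdict
    path.append(f"{chain} policy -> {policy}")
    return policy

RH = [  # RH-Firewall-1-INPUT, in the order listed on the gateway
    Rule("ACCEPT", in_iface="lo"),                       # assumed '-i lo' (hidden without -v)
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="esp"),
    Rule("ACCEPT", proto="ah"),
    Rule("ACCEPT", proto="udp", dst="224.0.0.251/32", dport=5353),  # mdns
    Rule("ACCEPT", proto="udp", dport=631),              # ipp
    Rule("ACCEPT", proto="tcp", dport=631),
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", proto="tcp", dport=2049, states=("NEW",)),  # nfs
    Rule("ACCEPT", proto="udp", dport=137, states=("NEW",)),   # netbios-ns
    Rule("ACCEPT", proto="udp", dport=138, states=("NEW",)),   # netbios-dgm
    Rule("ACCEPT", proto="tcp", dport=139, states=("NEW",)),   # netbios-ssn
    Rule("ACCEPT", proto="tcp", dport=445, states=("NEW",)),   # microsoft-ds
    Rule("REJECT", reject_with="icmp-host-prohibited"),
]
LAN = "192.168.0.0/24"
FORWARD_AS_POSTED = [
    Rule("RH-Firewall-1-INPUT"),
    Rule("ACCEPT", src=LAN),
    Rule("ACCEPT", dst=LAN),
    Rule("DROP", src=LAN, src_negate=True),
]
# Illustrative reorder: the two LAN ACCEPTs placed ahead of the jump.
FORWARD_REORDERED = [FORWARD_AS_POSTED[1], FORWARD_AS_POSTED[2],
                     FORWARD_AS_POSTED[0], FORWARD_AS_POSTED[3]]

def gateway(forward_rules: list) -> dict:
    return {"FORWARD": ("ACCEPT", forward_rules),
            "RH-Firewall-1-INPUT": ("RETURN", RH)}

def verdict_for(forward_rules: list, p: Packet):
    path: list = []
    return traverse(gateway(forward_rules), "FORWARD", p, path), path

# Constructed packets: the laptop's first SYN to a web server, and a reply.
SYN = Packet(src="192.168.0.10", dst="203.0.113.5", proto="tcp", dport=80)
REPLY = Packet(src="203.0.113.5", dst="192.168.0.10", proto="tcp", dport=43210,
               state="ESTABLISHED", in_iface="eth0")

if __name__ == "__main__":
    for label, rules in (("as posted", FORWARD_AS_POSTED), ("reordered", FORWARD_REORDERED)):
        v, path = verdict_for(rules, SYN)
        print(f"{label}: {v}\n  " + "\n  ".join(path))
```

Running it shows the posted order ending at RH-Firewall-1-INPUT[14] with REJECT (icmp-host-prohibited) for the new connection, while an established reply is accepted by rule 8 of the same chain, which is consistent with a host firewall template being reused as a forwarding policy.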