Re: [Openvpn-users] Destination unreachable (Host administratively prohibited)


  • Subject: Re: [Openvpn-users] Destination unreachable (Host administratively prohibited)
  • From: Davide Bolcioni <dblistsub-openvpn@xxxxxxxx>
  • Date: Wed, 14 Mar 2007 15:25:26 +0100

On Tuesday 13 March 2007 18:34:40 Jeff Boyce wrote:

>  Also after seeing the iptables output I looked at the file
> /etc/sysconfig/iptables and I have posted it also. 

Good call.

> I generally set or 
> change my firewall security settings using either the Gnome GUI or through
> Webmin.  The /etc/sysconfig/iptables file reflects what is shown in both of
> these GUIs.  (Why is the output of iptables -n -L different?).  Hosts allow
> and deny are both blank.

See below.

> [root@Bison root]# iptables -n -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
> RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
> dpt:22
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with
> icmp-host-prohibited

My suggestion was incomplete; I should have directed you to 
use "iptables -L -n -v" in order to show additional information like this:

Chain RH-Firewall-1-INPUT (2 references)
p b  target prot opt in out    source destination
 0 0 ACCEPT all  --  lo   * 0.0.0.0/0   0.0.0.0/0
 0 0 ACCEPT icmp --  *    * 0.0.0.0/0   0.0.0.0/0 icmp type 255
 0 0 ACCEPT esp  --  *    * 0.0.0.0/0   0.0.0.0/0
 0 0 ACCEPT ah   --  *    * 0.0.0.0/0   0.0.0.0/0
 0 0 ACCEPT all  --  *    * 0.0.0.0/0   0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 ACCEPT tcp  --  *    * 0.0.0.0/0   0.0.0.0/0 state NEW tcp dpt:22
 0 0 REJECT all  --  *    * 0.0.0.0/0   0.0.0.0/0 reject-with 
icmp-host-prohibited

but this is not really necessary: the information below tells us that the 
first three ACCEPTs above are for the lo, eth0 and tun0 interfaces.

> /etc/sysconfig/iptables
> # Firewall configuration written by redhat-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
>
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT

The above firewall configuration should allow all traffic through tun0, but 
you probably want to use "tun+" instead as that covers all tun interfaces.

Since you get "administratively prohibited" I think you're hitting the bottom 
of the RH-Firewall-1 chain.

As you guessed, tcp_wrappers has no bearing on the matter.

Overall, however, if the "netstat -rn" output matches the firewall, the 
problem must lie somewhere else, because the interface was tun0 and that 
should have been allowed by the above firewall rules. I suggest you 
use "tun+" when specifying trusted interfaces, verify 
with "iptables -L -n -v" that the expected rules are in effect, start the 
OpenVPN tunnel and try the connection again.

Hope this helps,
Davide Bolcioni
-- 
http://eleganceofreason.blogspot.com
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
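The reply's point about "-i tun0" versus "-i tun+" can be checked without touching a live firewall. The following script is an added example, not code from the thread, from OpenVPN or from Red Hat: it parses the RH-Firewall-1-INPUT chain exactly as posted in /etc/sysconfig/iptables syntax, walks it top to bottom for a constructed packet, and reports the first target hit. The packet descriptions (interface name, protocol, destination port, conntrack state) and the helper names are this example's own assumptions; the only matches it implements are -i, -p, --dport and --state, which is all the posted chain uses.

```python
"""Minimal simulator of one iptables filter chain (added example, not the
thread's or OpenVPN's code). It demonstrates why a tunnel that comes up as
tun1 is answered with "Host administratively prohibited" under the posted
rules: "-i tun0" matches only the interface literally named tun0, whereas
"-i tun+" matches every interface whose name starts with "tun"."""
import shlex

# The custom chain exactly as posted in the thread's /etc/sysconfig/iptables.
CHAIN_AS_POSTED = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The same chain with the fix suggested in the reply: "tun+" instead of "tun0".
CHAIN_WITH_TUN_PLUS = CHAIN_AS_POSTED.replace("-i tun0", "-i tun+")

# Protocol names the posted chain uses, mapped to their IP protocol numbers
# (the chain writes ESP and AH as 50 and 51, "iptables -L" prints them by name).
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def parse_chain(text):
    """Turn '-A CHAIN ...' lines into an ordered list of rule dicts.
    Only the matches the posted chain uses are understood; '-m' module
    loads and '--icmp-type any' carry no restriction and are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = {"chain": None, "in": None, "proto": None, "dport": None,
                "states": None, "target": None, "reject_with": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":
                rule["chain"] = toks[i + 1]
            elif t == "-i":
                rule["in"] = toks[i + 1]
            elif t == "-p":
                p = toks[i + 1]
                rule["proto"] = PROTO_NAMES.get(p, int(p) if p.isdigit() else p)
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            elif t == "-j":
                rule["target"] = toks[i + 1]
            elif t == "--reject-with":
                rule["reject_with"] = toks[i + 1]
            elif t in ("-m", "--icmp-type"):
                pass  # consumes one argument below, no effect on matching
            else:
                i += 1  # unknown flag without an argument: ignore it
                continue
            i += 2
        rules.append(rule)
    return rules


def iface_matches(pattern, iface):
    """iptables -i semantics: a trailing '+' makes the name a prefix wildcard."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def evaluate(rules, iface, proto, dport=None, state="NEW"):
    """Return (target, reject_with) of the first rule that matches a packet
    arriving on `iface`; ("POLICY", None) means it fell off the chain."""
    proto_num = PROTO_NAMES.get(proto, proto)
    for r in rules:
        if r["in"] is not None and not iface_matches(r["in"], iface):
            continue
        if r["proto"] is not None and r["proto"] != proto_num:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"], r["reject_with"]
    return "POLICY", None


if __name__ == "__main__":
    # Constructed packet: a new TCP connection to port 80 over the tunnel.
    for label, text in (("as posted", CHAIN_AS_POSTED),
                        ("with tun+", CHAIN_WITH_TUN_PLUS)):
        rules = parse_chain(text)
        for iface in ("tun0", "tun1"):
            print(f"{label:10} {iface}: tcp/80 NEW ->", evaluate(rules, iface, "tcp", 80))
```

Running it shows the failure mode the reply describes: with the chain as posted, a new connection over tun0 is accepted by the third rule, but the same connection over tun1 matches nothing until the final REJECT and is answered with icmp-host-prohibited; with "tun+" both interfaces are accepted. The simulator checks only the rule logic, so the "iptables -L -n -v" verification the reply recommends (which also shows the per-rule packet counters) is still the way to confirm what the kernel actually loaded.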