help:[freeradius+mysql]destination unreachable(host administratively prohibited)

gary gary.yang at browan.com
Thu Jul 28 05:48:09 CEST 2011


Hi Harry, Sam
The problem is solved. Thank you very much.
Here is the output of iptables-save. ("iptables -nvL | grep 1812" outputs
nothing.)
*******************************************************
[root@gary sysconfig]# /sbin/iptables-save
# Generated by iptables-save v1.4.5 on Thu Jul 28 11:36:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:2804]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 28 11:36:40 2011
*******************************************************
After I remarked out "-A INPUT -j REJECT --reject-with icmp-host-prohibited", it
works.
But the "iptables -nvL | grep 1812" command still outputs nothing.
Now the iptables-save output:
*******************************************************
[root@gary sysconfig]# /sbin/iptables-save
# Generated by iptables-save v1.4.5 on Thu Jul 28 11:41:12 2011
*filter
:INPUT ACCEPT [69:8978]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:3842]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 28 11:41:12 2011
********************************************************

Best Regards
Gary

BROWAN COMMUNICATIONS INC.
Tel:886-3-600-6899 ext.4842
Fax:886-3-597-2970
e-mail:gary.yang at browan.com

----- Original Message ----- 
From: "Sam Hooker" <sth at noiseplant.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 27, 2011 10:11 PM
Subject: Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)


>
> Sorry, I meant 'iptables -nvL | grep 1812' should yield something like THIS:
>
>    0     0 ACCEPT     udp  --  *      *       192.168.21.223       0.0.0.0/0           udp dpt:1812
>
>
> -sth
>
>> You're looking for 'iptables -nvL | grep 3306' to produce something
>> like this:
>>
>> 0 0 ACCEPT tcp -- * * 192.168.21.223 0.0.0.0/0 tcp dpt:3306
>>
>>
>> -sth
>>
>> sam hooker|sth at noiseplant.com|http://www.noiseplant.com
>>
>> "I have not failed, I've just found 10,000 ways that won't work."
>> Thomas Edison
>>
>> ----- Original Message -----
>> > ping isn't the same as an open udp port.
>> >
>> > run the command:
>> > /sbin/iptables-save
>> >
>> > and paste the output. If it's not the firewall then it's probably
>> > ACLs as those are really the only two things that are going to
>> > return an admin-prohib icmp packet.
>> >
>> > Cheers,
>> > Harry
>> >
>> > On 07/27/2011 09:06 AM, gary wrote:
>> > > Hi Harry
>> > > The radius server and nas ping each other with no problem.
>> > > I checked the firewall; no problem.
>> > > the OS is Fedora 12.
>> > >
>> > > Best Regards
>> > > Gary
>> > >
>> > > BROWAN COMMUNICATIONS INC.
>> > > Tel:886-3-600-6899 ext.4842
>> > > Fax:886-3-597-2970
>> > > e-mail:gary.yang at browan.com
>> > >
>> > > ----- Original Message ----- From: "Harry Hoffman"
>> > > <hhoffman at ip-solutions.net>
>> > > To: "gary" <gary.yang at browan.com>;
>> > > <freeradius-users at lists.freeradius.org>
>> > > Sent: Wednesday, July 27, 2011 7:19 PM
>> > > Subject: Re: help:[freeradius+mysql]destination unreachable(host
>> > > administratively prohibited)
>> > >
>> > >
>> > >> Did you open your firewall? Redhat-like distros send dest-prohib
>> > >> by default for ports blocked by iptables.
>> > >>
>> > >> Cheers,
>> > >> Harry
>> > >>
>> > >> gary <gary.yang at browan.com> wrote:
>> > >>
>> > >>> Hi All
>> > >>> I have trouble with freeradius+mysql.
>> > >>> I configured freeradius(2.1.10) + mysql(5.5.14) and the self-test
>> > >>> by radtest is okay.
>> > >>> But when I try an external nas client it always returns "null
>> > >>> response".
>> > >>> The setup is as below.
>> > >>> PC(client)<===>wireless AP(nas,192.168.21.223)<===>radius server(192.168.21.30)
>> > >>> my nas table:
>> > >>> mysql> select * from nas;
>> > >>> +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>> > >>> | id | nasname        | shortname      | type  | ports | secret     | server | community | description   |
>> > >>> +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>> > >>> |  1 | 192.168.21.223 | 192.168.21.223 | other | NULL  | testing123 | NULL   | NULL      | RADIUS Client |
>> > >>> |  3 | 127.0.0.1      | localhost      | other | NULL  | testing123 | NULL   | NULL      | RADIUS Client |
>> > >>> +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>> > >>>
>> > >>> radcheck table:
>> > >>> mysql> select * from radcheck;
>> > >>> +----+--------------+---------------+----+-------+
>> > >>> | id | username     | attribute     | op | value |
>> > >>> +----+--------------+---------------+----+-------+
>> > >>> |  1 | gary         | User-Password | := | gary  |
>> > >>> |  2 | test         | User-Password | := | test  |
>> > >>> |  3 | 001d09cb2715 | User-Password | := | test  |
>> > >>> +----+--------------+---------------+----+-------+
>> > >>>
>> > >>> 192.168.21.223 is the wireless AP(nas) and my radius server is
>> > >>> 192.168.21.30.
>> > >>> I am using wireshark to capture the packets and it shows
>> > >>> "destination unreachable(host administratively prohibited)".
>> > >>> See the screenshot below. Can anyone help me?
>> > >>>
>> > >>>
>> > >>> Best Regards
>> > >>> Gary
>> > >>>
>> > >>> -
>> > >>> List info/subscribe/unsubscribe? See
>> > >>> http://www.freeradius.org/list/users.html
>> > >
>> > >
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html 
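
Added example, not part of the original thread: a shell check that walks the INPUT chain of an iptables-save dump in first-match order and reports what happens to a new RADIUS packet from the NAS. The function name input_verdict and the scoped ACCEPT rule (written to match the listing Sam describes) are assumptions; only the match options seen in this thread are handled.

```shell
#!/bin/sh
# Verdict for a NEW inbound packet arriving on a non-loopback interface,
# using iptables-save text read from stdin. Hypothetical helper.
input_verdict() {  # usage: input_verdict PROTO DPORT SRC < rules
    awk -v proto="$1" -v dport="$2" -v src="$3" '
    $1 == ":INPUT" { policy = $2 }          # chain default, e.g. ACCEPT
    $1 == "-A" && $2 == "INPUT" {
        ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p" && $(i+1) != proto) ok = 0
            if ($i == "--dport" && $(i+1) != dport) ok = 0
            if ($i == "-s" && $(i+1) != src && $(i+1) != (src "/32")) ok = 0
            if ($i == "-i" && $(i+1) == "lo") ok = 0
            if ($i == "--state" && $(i+1) !~ /(^|,)NEW(,|$)/) ok = 0
            if ($i == "-j") target = $(i+1)
        }
        # iptables stops at the first matching rule with a terminating target
        if (ok && target != "" && !done) { print target; done = 1 }
    }
    END { if (!done) print "POLICY:" policy }'
}

# Rules common to both dumps in the thread.
HEAD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
REJECT_ALL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Constructed rule: RADIUS auth (udp/1812) from the NAS address only.
RADIUS_OK='-A INPUT -s 192.168.21.223/32 -p udp -m udp --dport 1812 -j ACCEPT'

posted() { printf '%s\n' "$HEAD" "$REJECT_ALL" COMMIT; }               # first dump
scoped() { printf '%s\n' "$HEAD" "$RADIUS_OK" "$REJECT_ALL" COMMIT; }  # allow rule ahead of REJECT
opened() { printf '%s\n' "$HEAD" COMMIT; }                             # second dump

posted | input_verdict udp 1812 192.168.21.223
scoped | input_verdict udp 1812 192.168.21.223
scoped | input_verdict udp 1812 192.168.21.50
opened | input_verdict tcp 3306 192.168.21.50
```

With the posted rules the request falls through to the catch-all REJECT, which is the ICMP message seen in Wireshark; with the scoped rule ahead of the REJECT the NAS is accepted while other sources are still rejected. With the REJECT removed, no rule matches and the chain's ACCEPT policy decides for every port, which is also why grep 1812 still prints nothing.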



