Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 04-12-2009, 09:17 PM   #1
LQ Newbie
Registered: Apr 2009
Posts: 2

Rep: Reputation: 0
SSH Tunnelling problem. Channel 3: open failed: Administratively prohibited:

Hello all,
I have just recently got a server from and i am trying to get port forwarding to work. I had this working on a FC4 machine but the new machine is FC10. The error i am getting on the server is this:

open failed: administratively prohibited: firewall policy violation

What i am trying to do is to get squid to proxy for me through this machine. I have squid setup and listening on 3128 and when i connect with the command
ssh -L 3128:ServerIP:3128 user@server
i get logged in and i get that message when i try to connect through it. I have tried numerous ways and it appears to be a problem with the server config. Below is the standard / default sshd_config.

I would appreciate any help you could provide.

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Thanks Very much,
Old 05-06-2009, 08:25 PM   #2
Registered: Oct 2008
Posts: 44

Rep: Reputation: 15
MMM you have ssh on port 22? how come its commented out? also shouldnt it be 3128?.....not sure thought ok.
Old 05-08-2009, 10:45 AM   #3
Samhain Slackbuild Maintainer
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 42
sshd should default to listen to port 22. So having "Port 22" commented is the normally the default and should not pose a problem. It's there in the config file in case you want to change it to something else. Sometimes people change it for security reasons so brute force scripts aren't likely to find it.

As root what is the output of
iptables -nL
Since it kicked out a firewall error, iptables might be blocking that port. You can also issue
iptables -F
to drop all firewall rules and try again. Just remember to turn your firewall back on as the system might be protecting resources on it that are not configured to protect themselves.

Once you've verified that this is the issue, post back and we can help you modify your firewall to allow ssh connections. You can even limit the number of ssh connections per time. We can help with that too.

First things first, see if your firewall is the culprit.
Old 05-09-2009, 01:04 AM   #4
LQ Newbie
Registered: Apr 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I have stopped iptables completely and still no luck. I dont believe it is an issue with the server anymore though. I have taken the same laptop and connected it to another network and the tunneling works fine. It appears that the firewall is somehow blocking this traffic on the outbound path.

I didnt think it was possible but there must be something that is killing the forwarding on the work network.

Thanks for the help.

Old 05-10-2009, 12:15 AM   #5
Samhain Slackbuild Maintainer
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 42
It appears that the firewall is somehow blocking this traffic on the outbound path.
I'm not sure I fully understand what you are saying. If you tunnel your traffic through ssh, there is no way to know what that traffic is, because it's encrypted. If you can get a command prompt, you can tunnel. Command prompt traffic is no different than any other traffic to a firewall because it is encrypted. Again, I'm not sure I fully understand this statement. Perhaps I am missing something?

Like I say, if you can get a command prompt, there is no reason you can't tunnel anything you want through the tunnel.

The server and client configurations/settings must allow tunneling or port forwarding, but that is ssh configuration, nothing to do with the firewall.

Let me know if there is anything more I can do to help with this.


forwarding, port, ssh

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
ICMP Destination Unreachable (Host administratively prohibited) jiml8 Linux - Networking 7 04-25-2013 05:07 AM
ssh -L '>channel 3: open failed: connect failed:' Luke771 Linux - Networking 14 01-24-2012 04:14 AM
SSH Tunnelling Only Server humbletech99 Linux - Security 1 08-03-2007 09:33 PM
VMWare SSH tunnelling (+proxy?) problem ticktockhouse Linux - Networking 0 04-18-2007 10:06 AM
tightvnc using ssh tunnelling curmudgeon42 Linux - Software 1 08-18-2004 10:40 PM

All times are GMT -5. The time now is 01:30 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration