ICMP Destination Unreachable (Host administratively prohibited)
I am trying to remote boot a workstation, having it use PXE to download a linux image and initrd.img from a server.
The server is FC4. The workstation is an X86 box that supports PXE boot. The server has DHCPD configured like this: Code:
ddns-update-style ad-hoc; I have tftp running in xinetd, configured like this: Code:
service tftp The server sends it an ICMP response that says Destination Unreachable(Host administratively prohibited) Anyone have any idea why? |
No one here has seen this?
|
Got it.
Iptables default FC4 configuration killed it. Disable iptables and bob's your uncle! |
Funny you post this ... I am just setting up a box to do exactly what you are doing. I have setup remote boot before (about a year and a half ago) but I cannot exactly remember all the details.
But, first, do you have SELinux enabled? If so, you may want to disable while debugging this. Next, you may want to run DHCPD in the foreground with debugging info to console as in: $>/usr/sbin/dhcpd -f -d That's where I would start. I will be working on this more (using FC5) as server and will let you know what I discover. HTH |
Actually, it is my intent to download an FC5 image to the workstation for installation.
The plan is to remotely boot a bare workstation, then remotely configure it into a standard configuration using dd and previously prepared images of boot block and system, followed by the creation and population of /home directories. I am not using SELinux. There is a default PXE boot image provided with FC4, but the initrd.img that is provided with it is non-standard (meaning it isn't a compressed image) and what it apparently does is cause the remotely booted FC4 installation to seek out a disk-based FC4 installation set. I do not want to do this, so I provided a different initrd.img which wants to do an NFS mount of a root partition that is on the server. It works, but I have not yet provided anything in the /root partition, thus the workstation is going through startup to the point where it changes to /root, then it hangs. At least, I have it running to that point. Complicating this is that the systems I am working on are in switzerland and I am in the USA. LOL. |
Quote:
|
Thanks for this question/answer
I've been beating my head against the wall trying to figure out what happened, and this thread saved me.
I'm running Fedora 15 as my development machine. I've been very diligent to install the updates as they came out (per the automated check). We test our products using pXe-boot Ubuntu machines without disk drives, so I often NFS mount from the Fedora computer. One day, we were told to shut down computers because the power company was going to be turning power off for a few hours. When I turned the computer on again, I could no longer NFS mount. There was no indication in either computer to indicate why. The pXe-booted machine would just return "mount.nfs: mount system call failed." There was nothing in dmesg, /var/log/secure or /var/log/messages on the Fedora machine to indicate a connection was even attempted. When I ran traceroute on port 2049 on the pXe machine, it returned times with "!X". I learned that this indicates "Host administratively prohibited." Well, that was not helpful. I then ran ethereal (don't ask me how difficult that was to install) on the Fedora machine, and that's when I discovered it was the Fedora machine that was responding to the pXe machine with the ICMP. This sent me to LinuxQuestions.org for help, and that's how I found this thread. In trying to understand iptables, I have discovered this is a rat-hole I'm not ready to follow. It is extremely complicated. Running iptables-save, I have learned nothing about why iptables suddenly won't allow NFS mounts. I've turned off the firewall for NFS, enabled exports, etc., but the only thing that worked was to disable the service. I wonder if there is a college course on iptables? Thanks for resolving this issue for me. |
iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 21 4102 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 118 12808 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 94 packets, 19267 bytes) pkts bytes target prot opt in out source destination ---------- Post added 04-25-13 at 04:08 AM ---------- Quote:
|
All times are GMT -5. The time now is 03:34 PM. |