Originally posted by darmstadt
Well now knowing what I know, and re-reading the thread the wireshark trace excerpt is really all you need to look at.
ldap 36.147965000 192.168.0.5 10.0.0.222 ICMP 94 Destination unreachable (Host administratively prohibited)
1) Let it pass
2) Drop it
3) Reject it
So from a ping point of view if you get a response, it was allowed.
If you get a "Destination host unreachable" error, then a rejection was received.
If you get a "Request timed out" error then the packet was dropped (ie nothing came back).
In the wireshark message above you can see that this is a rejection message. It is from 192.168.0.5 to 10.0.0.222, saying that an earlier attempt to initiate a connection on the LDAP port was denied.
So to fix it, you just need to open the port on 192.168.0.5. In my example I only wanted to receive traffic from the virtual network, so I did this:
Code:
# insert at position 1 of the INPUT chain: accept LDAP (389/tcp) from the virtual network
iptables -I INPUT 1 -p tcp -s 10.0.0.0/24 --dport 389 -j ACCEPT
There were other ports to open up, and I spent the day sifting through Wireshark traces and fixing problems, but in the end all the Wireshark traces were clean and the VMs were talking happily to the host.
For info, the host is CentOS 7, running Samba4, and I am using this to establish an Active Directory without using Windows Server. Then I administer the AD from a Windows 7 guest using the server management tools.
Any questions just holler.
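As an added example (not from the poster above), here is how a REJECT verdict can be recovered programmatically from the ICMP "Destination unreachable" message itself: the ICMP payload quotes the original IP header plus the first 8 bytes of the TCP header, which is how Wireshark knows the rejected attempt was aimed at the LDAP port. The sample message is constructed inline (checksums left zero, not validated) and the helper names are my own.

```python
import struct

# ICMP type 3 codes a host firewall uses when it REJECTs rather than DROPs (RFC 1812)
ICMP_UNREACH = 3
ADMIN_PROHIBITED = {9: "network administratively prohibited",
                    10: "host administratively prohibited",
                    13: "communication administratively prohibited"}


def classify_icmp_unreach(icmp: bytes) -> dict:
    """Parse an ICMP Destination Unreachable message and recover the
    original connection attempt quoted in its payload."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]                       # quoted IP header + 8 bytes of L4 header
    ihl = (inner[0] & 0x0F) * 4            # IP header length in bytes
    proto = inner[9]                       # 6 = TCP
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    verdict = "reject" if code in ADMIN_PROHIBITED else "unreachable"
    return {"verdict": verdict, "reason": ADMIN_PROHIBITED.get(code, f"code {code}"),
            "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def build_sample() -> bytes:
    """Constructed ICMP type 3 / code 10 message quoting a TCP SYN from
    10.0.0.222:49152 to 192.168.0.5:389, as a REJECT rule on the host would emit."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           bytes([10, 0, 0, 222]), bytes([192, 168, 0, 5]))
    inner_tcp = struct.pack("!HHI", 49152, 389, 0)   # src port, dst port, seq
    return struct.pack("!BBHI", ICMP_UNREACH, 10, 0, 0) + inner_ip + inner_tcp


if __name__ == "__main__":
    print(classify_icmp_unreach(build_sample()))
```

A timeout with no ICMP at all is the DROP case and leaves nothing to parse, which is why a REJECT rule makes firewall problems far quicker to diagnose in a trace.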