On Sep 23, 2011 6:11 AM, "Adam Carter" <adamcart...@gmail.com> wrote:
>
> > It's not the ICMP that is being prohibited.
>
> Understood, that's clear from the packet trace.
>
> > is an ICMP "host unreachable" response from .250. The extended reason
> > for the unreachability is that there is an administrative policy
> > preventing the traffic. It almost certainly *is* a firewall that's
> > preventing this, one with a REJECT target, as REJECT specifies to
> > return an ICMP unreachable packet.
>
> Most firewalls I've seen send a spoofed TCP reset, not an ICMP when
> rejecting TCP. However, iptables can do either. I have run iptables -F
> and the tables are shown as clear with iptables -L.
>
> proxy vhosts.d # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain fail2ban-SSH (0 references)
> target prot opt source destination
>
> Chain fail2ban-apache (0 references)
> target prot opt source destination
> proxy vhosts.d #
>
Can you post the outputs of 'iptables-save' and 'ip rule show'?

Rgds,
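
An added illustration, not part of the original thread: a small Python parser for the two outputs requested above, run over constructed samples. It lists every REJECT rule per table in `iptables-save` text and every `ip rule` entry of type prohibit, unreachable or blackhole; the function names, sample rules and addresses are assumptions made for this example.

```python
import shlex

# Constructed sample of `iptables-save` output (not taken from the thread).
SAMPLE_IPTABLES_SAVE = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.0.2.250/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
COMMIT
"""
# Constructed sample of `ip rule show` output; exact layout varies by iproute2 version.
SAMPLE_IP_RULE = "0:\tfrom all lookup local\n100:\tfrom 198.51.100.0/24 prohibit\n32766:\tfrom all lookup main\n"
REFUSING_ACTIONS = {"prohibit", "unreachable", "blackhole"}  # ip-rule(8) rule types

def find_rejects(save_text):
    """Return (table, chain, reject-with) for each REJECT rule in iptables-save text."""
    table, hits = None, []
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*filter", "*nat", ... opens a table section
            table = line[1:]
        elif line.startswith("-A "):
            args = shlex.split(line)
            if "-j" in args[:-1] and args[args.index("-j") + 1] == "REJECT":
                how = "icmp-port-unreachable"   # iptables default without --reject-with
                if "--reject-with" in args[:-1]:
                    how = args[args.index("--reject-with") + 1]
                hits.append((table, args[1], how))
    return hits

def find_refusing_rules(rule_text):
    """Return (priority, selector, action) for ip rules that refuse traffic instead of routing it."""
    hits = []
    for line in rule_text.splitlines():
        prio, _, rest = line.partition(":")
        words = rest.split()
        action = next((w for w in words if w in REFUSING_ACTIONS), None)
        if action:
            hits.append((int(prio), " ".join(w for w in words if w != action), action))
    return hits

if __name__ == "__main__":
    for table, chain, how in find_rejects(SAMPLE_IPTABLES_SAVE):
        print(f"iptables {table}/{chain}: REJECT --reject-with {how}")
    for prio, selector, action in find_refusing_rules(SAMPLE_IP_RULE):
        print(f"ip rule {prio}: {selector} -> {action}")
```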