Destination unreachable (Host administratively prohibited) when allowed through FirewallD and SELinux

Brandon asked:

I am trying to connect to my VM which is running Oracle Database XE 18c on Oracle Linux 7.6 and using bridged networking through Oracle SQL developer, however I have found no luck.

I have permanently allowed the Oracle Listener port (1521) through my interface’s zone in FirewallD, disabled iptables and set SELinux to permissive.

The Oracle Database services on the server itself are fine and it seems all OK, but when I try to connect to my server (which is running on the LAN) through Oracle SQL Developer, I get this:

Status : Failure -Test failed: IO Error: The Network Adapter could not establish the connection

So, I tried using nmap to determine if the port on the host was opened or closed, and I got this back:

Host is up (0.0024s latency).

PORT     STATE    SERVICE
1521/tcp filtered oracle

Pinging the server works fine, it is only this port that remains blocked even when allowed through the system’s firewall and SELinux. When capturing the packet being returned in Wireshark, I see this:

Destination unreachable (Host administratively prohibited)

So, my guesses are that the connection is definitely going through, but something somewhere is preventing it from continuing and I don’t know what it is.

Note: For reference, I followed this tutorial to set up Oracle Database on my server, and I’m using a standard NBN carrier/home grade internet service if that helps.

My answer:

You need to open the port in the firewall. Unfortunately, you thought you did this, but you actually didn’t.

firewall-cmd --add-port=1521/tcp

What you actually did was to add --permanent to the command instead, which writes the persistent configuration, but does not change the running firewall.

Except for things which require it, such as adding and removing zones, using --permanent is not recommended. You should instead change the running configuration, so that if there is a mistake which locks you out, you can restart firewalld or the computer and get back in. Once you are sure it works, you can save the running configuration with firewall-cmd --runtime-to-permanent.
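The runtime-versus-permanent mismatch described in this answer is easy to check for before reaching for nmap. The script below is an added example, not part of the Server Fault thread: it compares the port lists printed by firewall-cmd with and without --permanent for one zone and names the drift (the port_state function is pure and can be run without firewalld; the zone and port values are assumptions for illustration).

```sh
#!/bin/sh
# Added example: detect drift between firewalld's running (runtime) and saved
# (--permanent) configuration for one port, so a port that was added only with
# --permanent and never reloaded is reported instead of silently filtered.
# Only --add-port entries are compared; ports opened via a service are not checked.

# port_state RUNTIME_PORTS PERMANENT_PORTS PORT
# The first two arguments are the space-separated lists printed by
# `firewall-cmd --list-ports` and `firewall-cmd --permanent --list-ports`.
# Prints one of: open, permanent-only, runtime-only, closed
port_state() {
    rt_list=" $1 "     # pad so that 1521/tcp never matches inside 11521/tcp
    pm_list=" $2 "
    port="$3"
    case "$rt_list" in *" $port "*) in_rt=1 ;; *) in_rt=0 ;; esac
    case "$pm_list" in *" $port "*) in_pm=1 ;; *) in_pm=0 ;; esac
    if [ "$in_rt" = 1 ] && [ "$in_pm" = 1 ]; then echo open
    elif [ "$in_pm" = 1 ]; then echo permanent-only
    elif [ "$in_rt" = 1 ]; then echo runtime-only
    else echo closed
    fi
}

# check_port PORT [ZONE]: queries firewall-cmd (must be installed and running)
# and prints the state together with the command that fixes it.
check_port() {
    port="$1"
    zone="${2:-$(firewall-cmd --get-default-zone)}"
    rt="$(firewall-cmd --zone="$zone" --list-ports)"
    pm="$(firewall-cmd --permanent --zone="$zone" --list-ports)"
    state="$(port_state "$rt" "$pm" "$port")"
    echo "zone=$zone port=$port state=$state"
    case "$state" in
        permanent-only) echo "saved but not active: add it without --permanent, or run firewall-cmd --reload" ;;
        runtime-only)   echo "active but not saved: run firewall-cmd --runtime-to-permanent" ;;
        closed)         echo "not allowed: firewall-cmd --zone=$zone --add-port=$port" ;;
    esac
}

# Usage (assumed values): ./check_port.sh 1521/tcp public
if [ "$1" ]; then check_port "$@"; fi
```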


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.