Connection to remote server hangs indefinitely
I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
Here is the output of netstat -tuplen
on the server while the server side program is running. Program is "./server" here.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd
When I try to telnet in to the port while the software is running I get Trying [server IP]...
until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.
While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490
. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.
Before running the server application I ran
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT
and then
service iptables save
to allow connections to the port through the firewall.
However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?
networking firewall port
add a comment |
I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
Here is the output of netstat -tuplen
on the server while the server side program is running. Program is "./server" here.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd
When I try to telnet in to the port while the software is running I get Trying [server IP]...
until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.
While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490
. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.
Before running the server application I ran
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT
and then
service iptables save
to allow connections to the port through the firewall.
However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?
networking firewall port
add a comment |
I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
Here is the output of netstat -tuplen
on the server while the server side program is running. Program is "./server" here.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd
When I try to telnet in to the port while the software is running I get Trying [server IP]...
until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.
While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490
. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.
Before running the server application I ran
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT
and then
service iptables save
to allow connections to the port through the firewall.
However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?
networking firewall port
I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
Here is the output of netstat -tuplen
on the server while the server side program is running. Program is "./server" here.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd
When I try to telnet in to the port while the software is running I get Trying [server IP]...
until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.
While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490
. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.
Before running the server application I ran
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT
and then
service iptables save
to allow connections to the port through the firewall.
However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?
networking firewall port
networking firewall port
asked Feb 12 at 6:05
MedynskyMedynsky
287
287
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
You probably haven't actually allowed the connections through the firewall.
Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save
or iptables -L -v -n --line-numbers
and just read your INPUT rules from top to bottom to see what checks are made to the packet.
The -A
in the command means "append" and adds the new rule at the end. The opposite is -I
, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:
iptables -I INPUT 4 -p tcp ... -j ...
You can also do this:
iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt
Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump
to determine whether the packets at least reach the server:
tcpdump -n -i eth0 "port 3490"
I have-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and-A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right beforeCOMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.
– Medynsky
Feb 12 at 8:48
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404718%2fconnection-to-remote-server-hangs-indefinitely%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You probably haven't actually allowed the connections through the firewall.
Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save
or iptables -L -v -n --line-numbers
and just read your INPUT rules from top to bottom to see what checks are made to the packet.
The -A
in the command means "append" and adds the new rule at the end. The opposite is -I
, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:
iptables -I INPUT 4 -p tcp ... -j ...
You can also do this:
iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt
Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump
to determine whether the packets at least reach the server:
tcpdump -n -i eth0 "port 3490"
I have-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and-A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right beforeCOMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.
– Medynsky
Feb 12 at 8:48
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
add a comment |
You probably haven't actually allowed the connections through the firewall.
Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save
or iptables -L -v -n --line-numbers
and just read your INPUT rules from top to bottom to see what checks are made to the packet.
The -A
in the command means "append" and adds the new rule at the end. The opposite is -I
, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:
iptables -I INPUT 4 -p tcp ... -j ...
You can also do this:
iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt
Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump
to determine whether the packets at least reach the server:
tcpdump -n -i eth0 "port 3490"
I have-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and-A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right beforeCOMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.
– Medynsky
Feb 12 at 8:48
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
add a comment |
You probably haven't actually allowed the connections through the firewall.
Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save
or iptables -L -v -n --line-numbers
and just read your INPUT rules from top to bottom to see what checks are made to the packet.
The -A
in the command means "append" and adds the new rule at the end. The opposite is -I
, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:
iptables -I INPUT 4 -p tcp ... -j ...
You can also do this:
iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt
Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump
to determine whether the packets at least reach the server:
tcpdump -n -i eth0 "port 3490"
You probably haven't actually allowed the connections through the firewall.
Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save
or iptables -L -v -n --line-numbers
and just read your INPUT rules from top to bottom to see what checks are made to the packet.
The -A
in the command means "append" and adds the new rule at the end. The opposite is -I
, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:
iptables -I INPUT 4 -p tcp ... -j ...
You can also do this:
iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt
Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump
to determine whether the packets at least reach the server:
tcpdump -n -i eth0 "port 3490"
edited Feb 12 at 9:25
answered Feb 12 at 6:18
grawitygrawity
240k37508562
240k37508562
I have-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and-A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right beforeCOMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.
– Medynsky
Feb 12 at 8:48
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
add a comment |
I have-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and-A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right beforeCOMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.
– Medynsky
Feb 12 at 8:48
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
I have
-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right before COMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.– Medynsky
Feb 12 at 8:48
I have
-A INPUT -j REJECT --reject-with icmp-host-prohibited
after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited
at the very end right before COMMIT
. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.– Medynsky
Feb 12 at 8:48
1
1
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)
– grawity
Feb 12 at 9:21
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404718%2fconnection-to-remote-server-hangs-indefinitely%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown