Connection to remote server hangs indefinitely












0















I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
Here is the output of netstat -tuplen on the server while the server side program is running. Program is "./server" here.



Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd


When I try to telnet in to the port while the software is running I get Trying [server IP]... until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.



While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.



Before running the server application I ran



/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT


and then



service iptables save


to allow connections to the port through the firewall.
However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?










share|improve this question



























    0















    I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
    Here is the output of netstat -tuplen on the server while the server side program is running. Program is "./server" here.



    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
    tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
    tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
    tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
    tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd


    When I try to telnet in to the port while the software is running I get Trying [server IP]... until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.



    While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.



    Before running the server application I ran



    /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT


    and then



    service iptables save


    to allow connections to the port through the firewall.
    However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?










    share|improve this question

























      0












      0








      0








      I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
      Here is the output of netstat -tuplen on the server while the server side program is running. Program is "./server" here.



      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
      tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
      tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
      tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
      tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
      tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd


      When I try to telnet in to the port while the software is running I get Trying [server IP]... until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.



      While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.



      Before running the server application I ran



      /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT


      and then



      service iptables save


      to allow connections to the port through the firewall.
      However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?










      share|improve this question














      I have a server running Fedora 23. When I run a simple server application on it (the example given here, only with the port and IP address changed) it opens port 3490 and listens for the client to connect. Once the client connects it is supposed to responds, and end. However the client program when run on a remote machine just hangs indefinitely and never connects.
      Here is the output of netstat -tuplen on the server while the server side program is running. Program is "./server" here.



      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 581266095 139/sshd
      tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 581266893 178/sendmail: accep
      tcp 0 0 0.0.0.0:3490 0.0.0.0:* LISTEN 0 1781896327 23696/./server
      tcp6 0 0 :::22 :::* LISTEN 0 581266097 139/sshd
      tcp6 0 0 :::3306 :::* LISTEN 27 1762178376 18622/mysqld
      tcp6 0 0 :::80 :::* LISTEN 0 581266785 149/httpd


      When I try to telnet in to the port while the software is running I get Trying [server IP]... until it times out. When I run the server and client software on the same machine, and just connect locally over 127.0.0.1, they work perfectly.



      While the server software is running I preformed a scan with nmap on my remote machine, specifically nmap -T4 -A -v [server IP]/3490. It picks up the ssh port "22" I was connected to at the time from a third machine, but not the 3490 port, or any other port for that matter. The traceroute is 12 hops long from my local machine to the server, if that influences anything.



      Before running the server application I ran



      /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3490 -j ACCEPT


      and then



      service iptables save


      to allow connections to the port through the firewall.
      However while this may have opened up the port on the firewall, it didn't let the client and server programs connect. What am I doing wrong? What do I need to change? Where should I check to learn more about the problem and get closer to fixing it?







      networking firewall port






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 12 at 6:05









      MedynskyMedynsky

      287




      287






















          1 Answer
          1






          active

          oldest

          votes


















          1














          You probably haven't actually allowed the connections through the firewall.



          Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save or iptables -L -v -n --line-numbers and just read your INPUT rules from top to bottom to see what checks are made to the packet.



          The -A in the command means "append" and adds the new rule at the end. The opposite is -I, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:



          iptables -I INPUT 4 -p tcp ... -j ...


          You can also do this:



          iptables-save > rules.txt
          nano rules.txt
          iptables-restore < rules.txt




          Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump to determine whether the packets at least reach the server:



          tcpdump -n -i eth0 "port 3490"





          share|improve this answer


























          • I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

            – Medynsky
            Feb 12 at 8:48






          • 1





            You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

            – grawity
            Feb 12 at 9:21













          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404718%2fconnection-to-remote-server-hangs-indefinitely%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          You probably haven't actually allowed the connections through the firewall.



          Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save or iptables -L -v -n --line-numbers and just read your INPUT rules from top to bottom to see what checks are made to the packet.



          The -A in the command means "append" and adds the new rule at the end. The opposite is -I, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:



          iptables -I INPUT 4 -p tcp ... -j ...


          You can also do this:



          iptables-save > rules.txt
          nano rules.txt
          iptables-restore < rules.txt




          Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump to determine whether the packets at least reach the server:



          tcpdump -n -i eth0 "port 3490"





          share|improve this answer


























          • I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

            – Medynsky
            Feb 12 at 8:48






          • 1





            You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

            – grawity
            Feb 12 at 9:21


















          1














          You probably haven't actually allowed the connections through the firewall.



          Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save or iptables -L -v -n --line-numbers and just read your INPUT rules from top to bottom to see what checks are made to the packet.



          The -A in the command means "append" and adds the new rule at the end. The opposite is -I, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:



          iptables -I INPUT 4 -p tcp ... -j ...


          You can also do this:



          iptables-save > rules.txt
          nano rules.txt
          iptables-restore < rules.txt




          Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump to determine whether the packets at least reach the server:



          tcpdump -n -i eth0 "port 3490"





          share|improve this answer


























          • I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

            – Medynsky
            Feb 12 at 8:48






          • 1





            You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

            – grawity
            Feb 12 at 9:21
















          1












          1








          1







          You probably haven't actually allowed the connections through the firewall.



          Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save or iptables -L -v -n --line-numbers and just read your INPUT rules from top to bottom to see what checks are made to the packet.



          The -A in the command means "append" and adds the new rule at the end. The opposite is -I, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:



          iptables -I INPUT 4 -p tcp ... -j ...


          You can also do this:



          iptables-save > rules.txt
          nano rules.txt
          iptables-restore < rules.txt




          Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump to determine whether the packets at least reach the server:



          tcpdump -n -i eth0 "port 3490"





          share|improve this answer















          You probably haven't actually allowed the connections through the firewall.



          Iptables rules are read top-to-bottom, "first match wins", so if your INPUT chain had a global 'block all' rule at the end, anything added below that rule is simply never checked. Run iptables-save or iptables -L -v -n --line-numbers and just read your INPUT rules from top to bottom to see what checks are made to the packet.



          The -A in the command means "append" and adds the new rule at the end. The opposite is -I, "insert", which places it at the top; both also take a specific position number to place the rule before/after. For example, if you want to add the new rule at position 4:



          iptables -I INPUT 4 -p tcp ... -j ...


          You can also do this:



          iptables-save > rules.txt
          nano rules.txt
          iptables-restore < rules.txt




          Note that a firewall may exist elsewhere, e.g. packets may be filtered by the server's network. Use tcpdump to determine whether the packets at least reach the server:



          tcpdump -n -i eth0 "port 3490"






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 12 at 9:25

























          answered Feb 12 at 6:18









          grawitygrawity

          240k37508562




          240k37508562













          • I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

            – Medynsky
            Feb 12 at 8:48






          • 1





            You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

            – grawity
            Feb 12 at 9:21





















          • I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

            – Medynsky
            Feb 12 at 8:48






          • 1





            You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

            – grawity
            Feb 12 at 9:21



















          I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

          – Medynsky
          Feb 12 at 8:48





          I have -A INPUT -j REJECT --reject-with icmp-host-prohibited after the input for port 22 but before my addition to port 3490 and -A FORWARD -j REJECT --reject-with icmp-host-prohibited at the very end right before COMMIT. I'm guessing this is the "block all" you mentioned, though I'm not sure how to deal with it. I tried the tcp dump command you provided. Telneting in from my machine I could watch my packets knock on the firewall, which is comforting.

          – Medynsky
          Feb 12 at 8:48




          1




          1





          You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

          – grawity
          Feb 12 at 9:21







          You deal with it by inserting your port 3490 rule at the correct position (say, at the very beginning or somewhere in the middle), instead of at the end of INPUT. (Don't pay any attention to the FORWARD chain; it does not apply to your packet.)

          – grawity
          Feb 12 at 9:21




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404718%2fconnection-to-remote-server-hangs-indefinitely%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Probability when a professor distributes a quiz and homework assignment to a class of n students.

          Aardman Animations

          Are they similar matrix