Score:0

Server

How do I figure out what prevents incoming connections on a certain port?

einpoklum

2/9/23, 8:50 AM

I would like to enable SSH connections on an additional port on my machine, for reasons. It is a physical machine (not a VM), running Devuan GNU/Linux Chimaera (~= Debian 11.0 without systemd). The default SSH server (OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k) is running fine and accepting connections on port 22 already.

I've added two Port entries to my /etc/sshd_config:

Port 22
Port 5123

and have restarted the service.

What I now experience is that from within the same machine, I can connect to both ports (ssh -p 5123 localhost works); but from other machines on the LAN, I can only connect to port 22. This is a physical LAN (cables running to a switch), so there should be no blockage along the way.

I couldn't find any mention of a rejected connection in /var/log/auth.log.
I checked /etc/hosts.allow and /etc/hosts.deny - they're both empty (except for comment lines).
I tried iptables --list - all tables are empty.

So, what could be blocking the connection on port 5123 from other machines, and how can I unblock it?

Edit: Additional information:

# lsof -Pi :5410
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    27566 root    3u  IPv4 19305483      0t0  TCP *:5410 (LISTEN)
sshd    27566 root    4u  IPv6 19305485      0t0  TCP *:5410 (LISTEN)

# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
# iptables-legacy-save 
# Generated by iptables-save v1.8.7 on Sun Oct 10 09:30:15 2021
*filter
:INPUT DROP [3837243:374065333]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8124295:583169789]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Oct 10 09:30:15 2021

So it looks like there's a rule for accepting port 22 as input, but no such rule for port 5123. The question remains, though - what's the cause of this situation?

# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

On Debian 11, and Devuan Chimaera, iptables is actually a symlink:

# readlink  `which iptables`
/etc/alternatives/iptables
# readlink -f `which iptables`
/usr/sbin/xtables-nft-multi

119

0 + 0

ssh

port

block

A.B

2/9/23, 10:00 AM

`iptables-save` + `nft list ruleset` (test both or only the later) would really tell there is no firewall. `iptables --list` displays only one of multiple possible tables (and in a format that can't be reused anyway). Just to rule out this possible cause and move on to other guesses.

djdomi

2/9/23, 9:37 PM

hows about first anf easy `lsof -Pi :5123` to verify that the port is listed to anywhere. since you did not tell which hoster the server beeing be, we need more, a hell more context

einpoklum

2/10/23, 6:37 AM

@A.B: See edit.

einpoklum

2/10/23, 6:37 AM

@djdomi : See edit.

A.B

2/10/23, 6:58 AM

Between "I tried iptables --list - all tables are empty" and the actual firewall rules with default drop... it certainly changed. Then there's also (probably empty but who knows?) rules using the former API (`iptables-legacy-save`).

A.B

2/10/23, 7:09 AM

Maybe `iptables` is symlinked to `iptables-legacy` while `iptables-save` and `iptables-restore` are linked to `iptables-nft-save` and `iptables-nft-restore` (aka `xtables-nft-multi`) which would explain this part.

djdomi

2/10/23, 11:12 AM

still missing information what hoster is used.

einpoklum

2/10/23, 7:10 PM

@djdomi: I didn't quite understand what you meant in that second sentence... "hoster"? "beeing be"?

einpoklum

2/10/23, 7:12 PM

@A.B: Yes, it's linked to `xtables-nft-multi`.

djdomi

2/10/23, 7:31 PM

do you host on your own or use a public hoster ehich might be the issue.some ports are on different hosters blocked

einpoklum

2/10/23, 7:33 PM

@djdomi: I'm discussing physical machines on a physical LAN, nobody is hosting anything... :-P

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How do I figure out what prevents incoming connections on a certain port?

TH: ฉันจะทราบได้อย่างไรว่าอะไรที่ขัดขวางการเชื่อมต่อขาเข้าบนพอร์ตบางพอร์ต

RO: Cum îmi dau seama ce împiedică conexiunile de intrare pe un anumit port?

RU: Как выяснить, что препятствует входящим соединениям на определенном порту?

VI: How do I figure out what prevents incoming connections on a certain port?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.