Score:0

Arch Linux, incoming remote connections get dropped

cn flag

I'm running into an issue on my (up to date) Arch Linux server. I've been able to reproduce it with netcat.

If I start listening on my server with:

ncat -l -p 2000 -k

and then

telnet (my local ip) 2000

from a local machine, I'm able to see the connection working both ways.

However, if I telnet from a remote machine, the connection is established but nothing I type on the server side appears on the remote side. If I type something on the remote side, as soon as Enter is pressed the first line appears on the server side, but then the connection gets dropped with `Connection closed by foreign host.`

I was able to confirm that this issue is not related to my router: forwarding the same port to another Debian machine, everything works. This prevents nginx and other servers from working.

I don't have any iptables rules at the moment:

$ iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

ncat:

# ncat -l -p 2000 -k -v             
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::2000
Ncat: Listening on 0.0.0.0:2000


Ncat: Connection from (remote public ip).
Ncat: Connection from (remote public ip):60990.

tcpdump on the local machine:

# tcpdump -nnvvS port 2000
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:09:46.847867 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    (server local ip).2000 > (remote public ip).60990: Flags [S.], cksum 0x5399 (incorrect -> 0x8744), seq 1434025023, ack 276028935, win 65160, options [mss 1460,sackOK,TS val 422478433 ecr 3525397188,nop,wscale 7], length 0
13:09:46.870265 IP (tos 0x0, ttl 64, id 14989, offset 0, flags [DF], proto TCP (6), length 53)
    (server local ip).2000 > (remote public ip).60990: Flags [P.], cksum 0x5392 (incorrect -> 0xa864), seq 1434025024:1434025025, ack 276028935, win 510, options [nop,nop,TS val 422478455 ecr 3525397212], length 1
13:09:49.931230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    (server local ip).2000 > (remote public ip).60990: Flags [R], cksum 0x94ad (correct), seq 1434025024, win 0, length 0

tcpdump on the remote machine:

# tcpdump -nnvvS port 2000
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:09:46.835291 IP (tos 0x10, ttl 64, id 59780, offset 0, flags [DF], proto TCP (6), length 60)
    (remote public ip).60990 > (server public ip).2000: Flags [S], cksum 0xff3a (incorrect -> 0x4c94), seq 276028934, win 64240, options [mss 1460,sackOK,TS val 3525397188 ecr 0,nop,wscale 7], length 0
13:09:46.858924 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    (server public ip).2000 > (remote public ip).60990: Flags [S.], cksum 0xdbaa (correct), seq 1434025023, ack 276028935, win 65160, options [mss 1452,sackOK,TS val 422478433 ecr 3525397188,nop,wscale 7], length 0
13:09:46.858957 IP (tos 0x10, ttl 64, id 59781, offset 0, flags [DF], proto TCP (6), length 52)
    (remote public ip).60990 > (server public ip).2000: Flags [.], cksum 0xff32 (incorrect -> 0x06ea), seq 276028935, ack 1434025024, win 502, options [nop,nop,TS val 3525397212 ecr 422478433], length 0
13:09:49.920045 IP (tos 0x10, ttl 64, id 59782, offset 0, flags [DF], proto TCP (6), length 58)
    (remote public ip).60990 > (server public ip).2000: Flags [P.], cksum 0xff38 (incorrect -> 0x0603), seq 276028935:276028941, ack 1434025024, win 502, options [nop,nop,TS val 3525400273 ecr 422478433], length 6
13:09:49.941752 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    (server public ip).2000 > (remote public ip).60990: Flags [R], cksum 0xe90b (correct), seq 1434025024, win 0, length 0
Copy Run Start (jp flag): Does `nft list tables` list anything?

(cn flag): Nope, the output is empty.

Anton Danilov (cn flag): In every strange network issue, run tcpdump. Capture the traffic and paste the output into the question.

(cn flag): I've never used tcpdump before, how should I run it?

MTG (aq flag): Your FORWARD is clearly DROPing things. A one-sided connection means something is letting packets in one way but not the other way round. Another station working doesn't mean the firewall on your router is open to everything. telnet can be misleading; you should have proof that telnet actually connects, e.g. with netstat on both sides. Better use nc with -v; also do a "tcpdump -n" on both sides and check the traffic.

(cn flag): I have updated the question with tcpdumps. I've also reset iptables; now the default policy for FORWARD is ACCEPT.
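As an added example (not code from the question or its answers), the script below lines up the two `tcpdump -nnvvS` captures from the question by direction, TCP flags, sequence and acknowledgement numbers, and reports which segments were seen on only one endpoint, which is the check MTG's comment asks for. It embeds the question's captures with the redacted addresses replaced by constructed placeholders from the documentation ranges (192.0.2.10 for the server's local IP, 203.0.113.10 for its public IP, 198.51.100.20 for the remote). Run against them, it shows that every segment the remote sent (the SYN, the ACK and the 6-byte PSH) is absent from the server's eth0 capture while the server's own SYN-ACK and RST appear on both sides, that the server's 1-byte PSH never reached the remote, and that the SYN-ACK's MSS option was rewritten somewhere on the path (1460 leaving the server, 1452 arriving at the remote).

```python
"""Line up two `tcpdump -nnvvS` captures of one TCP connection and report which
segments were seen on only one endpoint.  Added example, not from the question.
Addresses are constructed placeholders: 192.0.2.10 = server local ip,
203.0.113.10 = server public ip, 198.51.100.20 = remote public ip."""
import re

# Sample input: the server-side capture from the question (addresses substituted).
SERVER_CAPTURE = """\
13:09:46.847867 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.2000 > 198.51.100.20.60990: Flags [S.], cksum 0x5399 (incorrect -> 0x8744), seq 1434025023, ack 276028935, win 65160, options [mss 1460,sackOK,TS val 422478433 ecr 3525397188,nop,wscale 7], length 0
13:09:46.870265 IP (tos 0x0, ttl 64, id 14989, offset 0, flags [DF], proto TCP (6), length 53)
    192.0.2.10.2000 > 198.51.100.20.60990: Flags [P.], cksum 0x5392 (incorrect -> 0xa864), seq 1434025024:1434025025, ack 276028935, win 510, options [nop,nop,TS val 422478455 ecr 3525397212], length 1
13:09:49.931230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.2000 > 198.51.100.20.60990: Flags [R], cksum 0x94ad (correct), seq 1434025024, win 0, length 0
"""

# Sample input: the remote-side capture from the question (addresses substituted).
REMOTE_CAPTURE = """\
13:09:46.835291 IP (tos 0x10, ttl 64, id 59780, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.20.60990 > 203.0.113.10.2000: Flags [S], cksum 0xff3a (incorrect -> 0x4c94), seq 276028934, win 64240, options [mss 1460,sackOK,TS val 3525397188 ecr 0,nop,wscale 7], length 0
13:09:46.858924 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.2000 > 198.51.100.20.60990: Flags [S.], cksum 0xdbaa (correct), seq 1434025023, ack 276028935, win 65160, options [mss 1452,sackOK,TS val 422478433 ecr 3525397188,nop,wscale 7], length 0
13:09:46.858957 IP (tos 0x10, ttl 64, id 59781, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.20.60990 > 203.0.113.10.2000: Flags [.], cksum 0xff32 (incorrect -> 0x06ea), seq 276028935, ack 1434025024, win 502, options [nop,nop,TS val 3525397212 ecr 422478433], length 0
13:09:49.920045 IP (tos 0x10, ttl 64, id 59782, offset 0, flags [DF], proto TCP (6), length 58)
    198.51.100.20.60990 > 203.0.113.10.2000: Flags [P.], cksum 0xff38 (incorrect -> 0x0603), seq 276028935:276028941, ack 1434025024, win 502, options [nop,nop,TS val 3525400273 ecr 422478433], length 6
13:09:49.941752 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.10.2000 > 198.51.100.20.60990: Flags [R], cksum 0xe90b (correct), seq 1434025024, win 0, length 0
"""

# tcpdump -vv prints the IP header on one line and the indented TCP line on the next.
HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP ")
TCP = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                 r"Flags \[(?P<flags>[^\]]+)\]")


def _field(pattern, line, default=None):
    """Pull one integer field (seq, ack, mss, length) out of a TCP line."""
    m = re.search(pattern, line)
    return int(m.group(1)) if m else default


def parse_capture(text, service_port):
    """Return one dict per TCP segment.  Direction comes from the port, not the
    address, because NAT makes the server's address differ between captures."""
    packets, ts = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:                          # header line: keep the timestamp only
            ts = h.group("ts")
            continue
        m = TCP.match(line)
        if not m:
            continue
        to_server = int(m.group("dport")) == service_port
        packets.append({
            "ts": ts,
            "dir": "->server" if to_server else "server->",
            "flags": m.group("flags"),
            "seq": _field(r"\bseq (\d+)", line),
            "ack": _field(r"\back (\d+)", line),    # \b stops 'sackOK' matching
            "len": _field(r"\blength (\d+)", line, 0),
            "mss": _field(r"\bmss (\d+)", line),
        })
    return packets


def key(p):
    """Identity of a segment that survives NAT: direction, flags, seq, ack, payload length."""
    return (p["dir"], p["flags"], p["seq"], p["ack"], p["len"])


def compare(server_text, remote_text, service_port=2000):
    """Segments seen on only one side, plus option values rewritten on the path."""
    server = {key(p): p for p in parse_capture(server_text, service_port)}
    remote = {key(p): p for p in parse_capture(remote_text, service_port)}
    return {
        "only_remote": [k for k in remote if k not in server],
        "only_server": [k for k in server if k not in remote],
        "mss_rewritten": [(k, server[k]["mss"], remote[k]["mss"]) for k in server
                          if k in remote and server[k]["mss"] != remote[k]["mss"]],
    }


def describe(report):
    """Human-readable summary of compare()'s result."""
    lines = [f"seen only at the remote : {k}" for k in report["only_remote"]]
    lines += [f"seen only at the server : {k}" for k in report["only_server"]]
    lines += [f"MSS rewritten in transit: {k} server={s} remote={r}"
              for k, s, r in report["mss_rewritten"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(compare(SERVER_CAPTURE, REMOTE_CAPTURE)))
```

A capture filtered to one interface only shows what crosses that interface, so a server that sends a SYN-ACK and an RST for segments that never appear on its eth0 capture is receiving those segments some other way (another interface or address) or the capture filter is missing them; repeating the server-side capture with `tcpdump -i any -nn port 2000` is the quick way to tell which. The "incorrect" checksums on the server's locally generated packets are normal when the NIC does checksum offload and are not a fault in themselves.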
Score:0
ru flag

As your tcpdump shows server_local_ip and server_public_ip - do you have multiple ip addresses on your server? This might be a problem with routing and if it is you should configure policy routing.
