If you've ever tried to launch anything that opens a port on your Linux machine and wanted to know whether you've misconfigured something (e.g. the listen address) or whether you're running into firewall issues, you'll be glad to hear that there's a simple way to test for firewall issues.
There's a tool called `netcat`; it's part of almost any Linux server setup I've worked on and it can be launched by typing `nc` on your command line.
netcat has two modes:
- a calling mode
- a listening mode
We can use both of these, one on each side of the connection, to check whether the firewall lets us through or not.
On the machine where you'd like to run the server, which will listen on a given port, say `54321`, run this to open a listening socket:

```
nc -vlk 54321
```
I'll break those arguments down for you:
- `v` is for verbose: print more details about connections
- `l` is for listening mode
- `k` is for keep-open; this means that `netcat` will accept connections over and over again, instead of quitting after the first client disconnects
- `54321` is the listening port. By default, `netcat` listens on all IP addresses it can find, but you can also limit it to a given IP address, say your primary IP address, so your service can be reached from your network but not via localhost, for example.
You can stop `netcat` by sending an interrupt signal (Ctrl + C).
Now, on the second machine, we'll launch another `netcat` instance, which is set to connect to the first machine by IP address (or even hostname) and by port:

```
nc -vz 192.168.178.24 54321
```
Here, the arguments have the following meaning:
- `v` is still for verbose
- `z` is for zero-I/O mode, meaning that `netcat` will initiate a connection and report success or failure, but won't transmit any data
- `192.168.178.24` is my first machine's local IP address
- `54321` is the port that we'd like to connect to.
Please be aware that it's impossible to bind two applications to the same port. So as long as you have a `netcat` running that listens on port `54321`, trying to launch another application that should listen on `54321` will fail. If in doubt, run `sudo killall nc` to kill all netcats that may still be running in the background (if you launched the netcats detached, by adding a postfix
Do some testing
If you now run these two commands in different terminals, it might look like this:
- Open the port:

```
[julian@linux1 ~]$ nc -vlk 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::54321
Ncat: Listening on 0.0.0.0:54321
```

`netcat` is now listening on all IPv6 addresses (`::` is the IPv6 wildcard address) and all IPv4 addresses (`0.0.0.0` is the IPv4 wildcard) registered on your system.
- Try to reach it:

```
[julian@linux2 ~]$ nc -vz 192.168.178.24 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.178.24:54321.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
```

- Now, your first terminal will show this:

```
[julian@linux1 ~]$ nc -vlk 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::54321
Ncat: Listening on 0.0.0.0:54321
Ncat: Connection from 192.168.178.25.
Ncat: Connection from 192.168.178.25:60842.
```
In this scenario, we succeeded with our testing. The port is open and if I now try to make my application available from my own network, I'll only have to troubleshoot the application itself and the configured listening address.
If a firewall were running that prevents my system from accepting connections on that specific port, I'd get something like this, and no new lines from the command on my first system:

```
[julian@linux2 ~]$ nc -vz 192.168.178.24 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connection refused.
```
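As an added example that is not from the original post: the two netcat modes used above (the keep-open listener and the zero-I/O probe) re-implemented in Python, so that the answers a `nc -vz` probe can get are told apart in code rather than read off the terminal. The names `probe`, `listener` and `demo` are my own, as is the sample run, which stays entirely on the loopback interface: it reproduces the "connected" and "Connection refused" outcomes shown above, while the "no answer at all" case is handled but cannot be produced without a real firewall in the path.

```python
# Added example, not code from the original post. Names (probe, listener,
# demo) are assumptions of this example; the sample run uses loopback only.
import socket
import threading
import time
from contextlib import contextmanager


def probe(host, port, timeout=2.0):
    """Zero-I/O connect like `nc -vz HOST PORT`: complete the TCP handshake,
    send nothing, close. Returns what the network told us:

      "open"        handshake completed: something is listening and the
                    firewall let the connection through
      "refused"     an RST came back: nothing listens on that port, or a
                    firewall REJECT rule answered on the host's behalf
      "timeout"     no reply within `timeout`: typical of a firewall DROP
                    rule, or a host that is simply down
      "unreachable" the OS gave up before the handshake (no route, ICMP
                    unreachable, name resolution failure)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


@contextmanager
def listener(bind_addr="0.0.0.0", port=0):
    """Keep-open listener like `nc -vlk [ADDR] PORT`: accept connections on a
    background thread until the `with` block ends. Yields the (address, port)
    actually bound plus a list that fills with peer addresses as they connect.
    Port 0 asks the kernel for a free ephemeral port."""
    family = socket.AF_INET6 if ":" in bind_addr else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen()
    srv.settimeout(0.1)          # lets the accept loop notice `stop`
    peers = []
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:      # socket closed underneath us
                break
            peers.append(peer)
            conn.close()         # zero-I/O on this side as well

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[:2], peers
    finally:
        stop.set()
        worker.join()
        srv.close()


def demo():
    """Replay the post's two scenarios on loopback: probe while a listener is
    up (expect "open"), then again once it is gone (expect "refused"). A
    firewall DROP rule in between would show up as "timeout" instead."""
    results = {}
    with listener("127.0.0.1") as (bound, peers):
        addr, port = bound
        results["while_listening"] = probe(addr, port)
        deadline = time.monotonic() + 2.0
        while not peers and time.monotonic() < deadline:
            time.sleep(0.01)     # give the accept thread time to log the peer
        results["connections_seen"] = len(peers)
    results["after_close"] = probe("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The distinction between `"refused"` and `"timeout"` is the part worth keeping in mind when reading the post's firewall scenario: an immediate "Connection refused" means a packet came back (a REJECT rule, or nothing listening), whereas a DROP rule gives no reply at all and the probe hangs until the timeout, so a probe that hangs is still a firewall signal, just a quieter one.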
You can also go ahead and experiment with `netcat` and learn something about how listening addresses work: `nc -vlk 127.0.0.1 54321` and `nc -vz 192.168.178.24 54321`, or `nc -vlk 192.168.178.24 54321` and `nc -vz 127.0.0.1 54321`. Try what happens if you swap the IP addresses around (of course, you need to replace my IP address with your own).

Also, try what happens if you use the wrong wildcard: `nc -vlk :: 54321` or `nc -vlk 0.0.0.0 54321`. In the former case, you'll only be able to connect to your machine via IPv6. In the latter case, you can only use IPv4 connections.
You could then reach it via a hostname and tell the connecting `netcat` to only use IPv4 or IPv6 connections: `nc -vz6 hostname 54321` and `nc -vz4 hostname 54321`.

```
[julian@linux1 ~]$ nc -vlk :: 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::54321
Ncat: Connection from 2003:dd:ff2f:d800:f4aa:8a99:f084:ee31.
Ncat: Connection from 2003:dd:ff2f:d800:f4aa:8a99:f084:ee31:53090.
```

```
[julian@linux2 ~]$ nc -vz6 linux1 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 2003:dd:ff2f:d800:f4aa:8a99:f084:dd41:54321.
Ncat: 0 bytes sent, 0 bytes received in 0.02 seconds.
```

```
[julian@linux2 ~]$ nc -vz4 linux1 54321
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connection refused.
```