
Can't telnet to an open port.

HappyEngineer
3,286 Views
Last Modified: 2013-12-15
I have two systems connected to the same router. One is a WinXP machine and the other is CentOS 4. Both machines can ping each other (after I enabled icmp responses in the windows firewall). I can also transfer files from the WinXP machine to the CentOS machine using an sftp client.

On the CentOS machine I can "telnet localhost 8080" to connect to the webapp server (Jetty). But, I can't telnet to port 8080 from the WinXP machine to the CentOS machine.

In short, I have a Jetty webapp server running on port 8080 on the CentOS machine and I want to be able to connect to it from the WinXP machine. If I run tcpdump on the CentOS machine and do "telnet 192.168.42.101 8080" from the WinXP machine, then it outputs the following on the CentOS machine and eventually times out with "Connecting To 192.168.42.101...Could not open connection to the host, on port 8080: Connect failed" on the WinXP machine.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
18:53:06.171867 arp who-has 192.168.42.101 tell 192.168.42.2
18:53:06.197747 arp reply 192.168.42.101 is-at 00:50:04:88:80:1f
18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:06.172036 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
18:53:06.172300 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  26054+ PTR? 101.42.168.192.in-addr.arpa. (45)
18:53:06.184798 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  26054 NXDomain* 0/1/0 (101)
18:53:06.184884 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  47558+ PTR? 2.42.168.192.in-addr.arpa. (43)
18:53:06.197706 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  47558 NXDomain* 0/1/0 (99)
18:53:06.197873 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  18102+ PTR? 1.156.94.68.in-addr.arpa. (42)
18:53:06.210314 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  18102* 1/1/1 PTR[|domain]
18:53:09.130915 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:09.130936 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
18:53:11.171165 arp who-has 192.168.42.2 tell 192.168.42.101
18:53:11.171427 arp reply 192.168.42.2 is-at 00:1a:92:d5:37:9f
18:53:11.172182 arp who-has 192.168.42.1 tell 192.168.42.101
18:53:11.172287 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  42910+ PTR? 1.42.168.192.in-addr.arpa. (43)
18:53:11.172405 arp reply 192.168.42.1 is-at 00:0e:db:00:0b:71
18:53:11.185458 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  42910 NXDomain* 0/1/0 (99)
18:53:15.150367 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:15.150386 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
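As an added example (not part of the question), a short script that reads capture lines like the ones above and encodes the diagnosis a defender draws from them: the ICMP "admin prohibited" is sent by 192.168.42.101 itself, the host the SYN was addressed to, so that host's own packet filter rejected the connection, not the router and not the application. The capture excerpt inside the script is constructed from the lines above.

```python
"""Diagnose a refused TCP connection from tcpdump output.

Added example, not part of the question. CAPTURE is a constructed excerpt of
the capture shown above. Rule of thumb encoded here: an ICMP
'host unreachable - admin prohibited' sent by the destination host itself
means that host's own packet filter rejected the SYN; if some other address
sends it, a filter between the two hosts did; if nothing answers at all, the
SYN was dropped silently or never arrived.
"""
import re

CAPTURE = """\
18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:06.172036 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
18:53:09.130915 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:09.130936 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
"""

# tcpdump prints "host.port" for TCP; without -n the port shows as a service
# name ("webcache" is 8080). The last dot separates address from port.
SYN_RE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): S ")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): icmp \d+: host \S+ unreachable - (.+)$")


def diagnose(capture):
    """Return one finding per (client, server, port) that sent SYNs."""
    syns = {}   # (client, server, port) -> number of SYNs, retransmits included
    icmp = {}   # client -> list of (sender, reason) for unreachables it received
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            client, _sport, server, port = m.groups()
            syns[(client, server, port)] = syns.get((client, server, port), 0) + 1
            continue
        m = ICMP_RE.match(line)
        if m:
            sender, client, reason = m.groups()
            icmp.setdefault(client, []).append((sender, reason))

    findings = []
    for (client, server, port), count in syns.items():
        verdict = "silent-drop-or-no-answer"
        for sender, reason in icmp.get(client, []):
            if "admin prohibited" not in reason:
                continue
            # Rejection by the target itself points at its host firewall.
            verdict = "host-firewall" if sender == server else "upstream-filter"
            break
        findings.append({"client": client, "server": server, "port": port,
                         "syn_count": count, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in diagnose(CAPTURE):
        print(finding)
```

The retransmitted SYNs with identical sequence numbers (three seconds apart, then six) are the client's normal retry schedule; the rejection is immediate each time, which is why the telnet client reports "Connect failed" rather than hanging on a half-open connection.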



CERTIFIED EXPERT
Top Expert 2007

Commented:
Check your iptables since you could have a rule that denies connections to 8080.

Author

Commented:
I ran iptables -L and it gave me the following. I don't know how to interpret it though. It sort of looks like the last line says that all packets not caught by the above rules should be rejected. Does that mean I need to add an entry which allows for connecting to port 8080? If so, what would that command be?

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

CERTIFIED EXPERT
Top Expert 2007
Commented:

Author

Commented:
Ok I figured it out. I edited the /etc/sysconfig/iptables file directly and copied one of the lines for another service and put my own in with a different port:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT -s 192.168.42.0/24
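An added example that ties the `iptables -L` listing earlier in the thread to the fix in this post; it is not code from the thread. The script walks the chain first-match, the way the kernel does, and shows three things the listing alone does not make obvious: why a new SYN to 8080 hits the terminal REJECT (and so produces the "admin prohibited" seen in the capture), that the added ACCEPT only works if it sits above that REJECT, and that the `-s 192.168.42.0/24` restriction from the author's line keeps the opening limited to the LAN. Assumptions: RULES is a constructed rendering of the listing in save-file syntax with service names replaced by port numbers (the two ipv6-crypt/ipv6-auth lines are left out since they cannot match TCP); the first line, `-i lo`, is the stock loopback rule that `iptables -L` hides without `-v`; FIX is the author's line with 8080 in place of 5432, since 8080 is the port the question is about.

```python
"""First-match walk of an /etc/sysconfig/iptables-style chain.

Added example, not code from the thread. RULES is a constructed rendering of
the `iptables -L` listing in the thread, in the save-file syntax the author
edited, with port numbers instead of service names. The `-i lo` line is an
assumption (stock CentOS loopback rule; `iptables -L` without -v hides -i).
Only the match options needed here are modelled: -i, -s, -d, -p, --dport, --state.
"""
import ipaddress
import shlex

CHAIN = "RH-Firewall-1-INPUT"

RULES = [
    f"-A {CHAIN} -i lo -j ACCEPT",
    f"-A {CHAIN} -p icmp --icmp-type any -j ACCEPT",
    f"-A {CHAIN} -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT",
    f"-A {CHAIN} -p udp -m udp --dport 631 -j ACCEPT",
    f"-A {CHAIN} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    f"-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    f"-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT",
    f"-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT",
    f"-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT",
    f"-A {CHAIN} -j REJECT --reject-with icmp-host-prohibited",
]

# The author's line with the question's port (8080) substituted for 5432.
FIX = f"-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -s 192.168.42.0/24"


def parse_rule(line):
    """Turn one '-A chain ...' line into a dict of match criteria."""
    toks = shlex.split(line)
    rule = {}
    i = 0
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]   # every option modelled takes one value
        i += 2
        if opt == "-A":
            rule["chain"] = val
        elif opt == "-i":
            rule["in_iface"] = val
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["state"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
        elif opt == "--reject-with":
            rule["reject_with"] = val
        elif opt in ("-m", "--icmp-type"):
            pass   # module load / icmp type: no criteria that matter for TCP here
        else:
            raise ValueError(f"option {opt!r} not modelled: {line}")
    return rule


def matches(rule, pkt):
    """True if every criterion present in the rule holds for the packet."""
    if "in_iface" in rule and rule["in_iface"] != pkt["in_iface"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(rules, pkt, chain=CHAIN):
    """First matching rule wins. Returns (target, reject-with, rule index)."""
    for idx, line in enumerate(rules):
        rule = parse_rule(line)
        if rule.get("chain") == chain and matches(rule, pkt):
            return rule["target"], rule.get("reject_with"), idx
    return "RETURN", None, None   # fell off the user chain; INPUT policy applies


def insert_before_reject(rules, new_rule, chain=CHAIN):
    """Place the new rule above the chain's terminal REJECT; appended after
    it, the rule would never be reached."""
    for idx, line in enumerate(rules):
        rule = parse_rule(line)
        if rule.get("chain") == chain and rule.get("target") == "REJECT":
            return rules[:idx] + [new_rule] + rules[idx:]
    return rules + [new_rule]


def syn_to_8080(src):
    """A new TCP SYN to the Jetty port arriving on eth1, as in the capture."""
    return {"in_iface": "eth1", "src": src, "dst": "192.168.42.101",
            "proto": "tcp", "dport": 8080, "state": "NEW"}
```

Copying an existing ACCEPT line, as the author did, places the new rule among the other ACCEPTs and therefore above the REJECT, which is why it worked; `verdict(RULES + [FIX], ...)` shows what happens when the line is instead appended at the end of the chain. Keeping the `-s` source restriction means a SYN from outside 192.168.42.0/24 still falls through to the REJECT.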
