HappyEngineer

Can't telnet to an open port.

I have two systems connected to the same router. One is a WinXP machine and the other is CentOS 4. Both machines can ping each other (after I enabled icmp responses in the windows firewall). I can also transfer files from the WinXP machine to the CentOS machine using an sftp client.

On the CentOS machine I can "telnet localhost 8080" to connect to the webapp server (Jetty). But I can't telnet to port 8080 from the WinXP machine to the CentOS machine.

In short, I have a jetty webapp server running on port 8080 on the CentOS machine and I want to be able to connect to it from the WinXP machine. If I run tcpdump on the CentOS machine and do "telnet 192.168.42.101 8080" from the winxp machine then it outputs the following on the CentOS machine and eventually times out with "Connecting To 192.168.42.101...Could not open connection to the host, on port 8080: Connect failed" on the winxp machine.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
18:53:06.171867 arp who-has 192.168.42.101 tell 192.168.42.2
18:53:06.197747 arp reply 192.168.42.101 is-at 00:50:04:88:80:1f
18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:06.172036 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
18:53:06.172300 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  26054+ PTR? 101.42.168.192.in-addr.arpa. (45)
18:53:06.184798 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  26054 NXDomain* 0/1/0 (101)
18:53:06.184884 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  47558+ PTR? 2.42.168.192.in-addr.arpa. (43)
18:53:06.197706 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  47558 NXDomain* 0/1/0 (99)
18:53:06.197873 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  18102+ PTR? 1.156.94.68.in-addr.arpa. (42)
18:53:06.210314 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  18102* 1/1/1 PTR[|domain]
18:53:09.130915 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:09.130936 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
18:53:11.171165 arp who-has 192.168.42.2 tell 192.168.42.101
18:53:11.171427 arp reply 192.168.42.2 is-at 00:1a:92:d5:37:9f
18:53:11.172182 arp who-has 192.168.42.1 tell 192.168.42.101
18:53:11.172287 IP 192.168.42.101.32770 > dnsr1.sbcglobal.net.domain:  42910+ PTR? 1.42.168.192.in-addr.arpa. (43)
18:53:11.172405 arp reply 192.168.42.1 is-at 00:0e:db:00:0b:71
18:53:11.185458 IP dnsr1.sbcglobal.net.domain > 192.168.42.101.32770:  42910 NXDomain* 0/1/0 (99)
18:53:15.150367 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:15.150386 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited
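The capture above already contains the answer: every SYN to port 8080 (tcpdump prints it as "webcache" because it resolves port numbers through /etc/services) is answered by the CentOS host itself with "icmp ... unreachable - admin prohibited". That message is what the iptables REJECT target with icmp-host-prohibited sends, so the packet reached the host and was refused by its own packet filter, not lost on the network. The following shell/awk classifier is an added example, not part of the original thread; it takes tcpdump text and distinguishes that case from the two others an admin sees (a RST, meaning the port is reachable but nothing is bound to it, and silence, meaning a DROP rule or a path problem). The function and sample names are the example's own, and the two non-REJECT samples are constructed. Running tcpdump with -n would also have avoided the PTR lookups that clutter the capture.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a failed TCP
# connect from tcpdump text. Function and sample names are this example's own.

# Constructed sample: the SYN and its ICMP answer, copied from the question.
SAMPLE_REJECT='18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.webcache: S 469796310:469796310(0) win 65535 <mss 1460,nop,nop,sackOK>
18:53:06.172036 IP 192.168.42.101 > 192.168.42.2: icmp 56: host 192.168.42.101 unreachable - admin prohibited'

# Constructed variants of the same probe in the other two outcomes.
SAMPLE_RST='18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.8080: S 1:1(0) win 65535
18:53:06.172036 IP 192.168.42.101.8080 > 192.168.42.2.3834: R 0:0(0) ack 2 win 0'
SAMPLE_SILENT='18:53:06.172017 IP 192.168.42.2.3834 > 192.168.42.101.8080: S 1:1(0) win 65535
18:53:09.130915 IP 192.168.42.2.3834 > 192.168.42.101.8080: S 1:1(0) win 65535'

# diagnose_connect CAPTURE_TEXT SERVER_IP
# Prints FIREWALL_REJECT, NOTHING_LISTENING, NO_REPLY or NO_SYN_SEEN.
# Understands the old "S"/"R" flag column shown in the question and the
# newer "Flags [S]," form. tcpdump's service-name lookup (8080 -> webcache)
# does not matter because only the host part of each address is compared.
diagnose_connect() {
    printf '%s\n' "$1" | awk -v srv="$2" '
        # Strip a trailing ":" and the ".port" suffix from an addr.port token.
        function host(t) { sub(/:$/, "", t); sub(/\.[^.]*$/, "", t); return t }
        # Client SYN toward the server: "src.port > srv.port: S ..."
        $2 == "IP" && host($5) == srv &&
            ($6 == "S" || ($6 == "Flags" && $7 ~ /^\[S\]/)) { syn++; next }
        # ICMP admin-prohibited sent by the server itself: an iptables REJECT
        $2 == "IP" && $3 == srv && /admin prohibited/ { reject++; next }
        # RST from the server port: host reachable, nothing listening there
        $2 == "IP" && host($3) == srv &&
            ($6 == "R" || ($6 == "Flags" && $7 ~ /^\[R/)) { rst++; next }
        END {
            if (syn == 0)     print "NO_SYN_SEEN"
            else if (reject)  print "FIREWALL_REJECT"
            else if (rst)     print "NOTHING_LISTENING"
            else              print "NO_REPLY"
        }'
}

# Stand-alone run over the three samples.
printf 'SAMPLE_REJECT -> %s\n' "$(diagnose_connect "$SAMPLE_REJECT" 192.168.42.101)"
printf 'SAMPLE_RST    -> %s\n' "$(diagnose_connect "$SAMPLE_RST" 192.168.42.101)"
printf 'SAMPLE_SILENT -> %s\n' "$(diagnose_connect "$SAMPLE_SILENT" 192.168.42.101)"
```

In practice you would pipe `tcpdump -n -i eth1 host 192.168.42.2` output into a file and pass that file's contents as the first argument; the verdict FIREWALL_REJECT points at the host's own iptables rules rather than at Jetty or the router.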


omarfarid

Check your iptables since you could have a rule that denies connections to 8080.
HappyEngineer

ASKER

I ran iptables -L and it gave me the following. I don't know how to interpret it though. It sort of looks like the last line says that all packets not caught by the above rules should be rejected. Does that mean I need to add an entry which allows for connecting to port 8080? If so, what would that command be?
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ASKER CERTIFIED SOLUTION
omarfarid

Ok I figured it out. I edited the /etc/sysconfig/iptables file directly and copied one of the lines for another service and put my own in with a different port:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT -s 192.168.42.0/24
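Two details of that line matter and the thread leaves them implicit. First, in the listing above the last rule of RH-Firewall-1-INPUT is a catch-all REJECT, so a new ACCEPT only works if it is placed before that line; appended after it, it is never reached. Second, the -s 192.168.42.0/24 restriction keeps the port reachable from the LAN only rather than from every interface the box has. The script below is an added example, not code from the thread; it performs the same edit on a CentOS-style /etc/sysconfig/iptables file, validating the port and subnet, refusing to add a duplicate, and checking the rule's position. The sample configuration is constructed to match the iptables -L listing in the question, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): open one TCP port to the
# LAN in a CentOS-style /etc/sysconfig/iptables file, inserting the ACCEPT
# before the chain's final REJECT. Function names are this example's own.

# write_sample_config FILE: constructed sample modelled on the listing above.
write_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# add_lan_port_rule FILE PORT CIDR
# Inserts "ACCEPT NEW tcp to PORT from CIDR" just before the REJECT line.
# Returns 1 on bad input, 2 if PORT already has an ACCEPT (no duplicates).
add_lan_port_rule() {
    file=$1 port=$2 cidr=$3
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    case $cidr in
        */*) ;;
        *) echo "bad CIDR (need a.b.c.d/n): $cidr" >&2; return 1 ;;
    esac
    case $cidr in
        *[!0-9./]*|*/*/*|*[!0-9]) echo "bad CIDR: $cidr" >&2; return 1 ;;
    esac
    # Idempotent: an existing ACCEPT for this port means nothing to do.
    grep -q -- "--dport $port .*-j ACCEPT" "$file" && return 2
    rule="-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $port -s $cidr -j ACCEPT"
    # Emit the new rule immediately before the chain's first REJECT line.
    awk -v rule="$rule" '
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_position_ok FILE PORT: true only if an ACCEPT for PORT precedes the REJECT.
rule_position_ok() {
    awk -v port="$2" '
        !rej && index($0, "--dport " port " ") && /-j ACCEPT/ { ok = 1 }
        /-j REJECT/ { rej = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Stand-alone run on a scratch copy. On the real host you would edit
# /etc/sysconfig/iptables itself and then reload it (service iptables restart).
demo() {
    f=$(mktemp)
    write_sample_config "$f"
    add_lan_port_rule "$f" 8080 192.168.42.0/24
    if rule_position_ok "$f" 8080; then
        echo "8080 opened to 192.168.42.0/24; the ACCEPT precedes the REJECT:"
        grep -n -e '--dport 8080' -e '-j REJECT' "$f"
    fi
    rm -f "$f"
}
demo
```

After reloading, `iptables -L -n --line-numbers` should show the new ACCEPT above the REJECT, and a repeat of the tcpdump test should show the SYN answered with SYN-ACK instead of the ICMP admin-prohibited message.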