How to check the connectivity to the destination server through ONLY a specific port

mac_g
I am a sysadmin. I want to know

I want to reach the server, to check the connectivity through a specific port.
This is just to verify whether the required firewall rule is defined properly or not.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
First ping the server.  Do you get a response?

Now map some folder:  NET USE T: \\server\folder and authenticate.   Does this work through your firewall?
If not, what numerical system error do you get?
ste5an, Senior Developer

Commented:
telnet to that server and port.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Do a telnet to the specific port.
If the reply says open > port opened.
If the reply says refused > not opened.
You can work on the firewall rules after applying changes.
mac_g, Admin - Middleware Servers

Author

Commented:
I know the telnet options... but if the destination service is down, then telnet won't give more information on whether the issue is with the firewall or the destination service. In both cases we get the same results.

My focus is whether I can reach the server through a specific port, to make sure the network team has done their job for the firewall!
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Then you should use something related to the service,

like curl for an HTTP service, and something like that for the rest of the TCP/UDP services.
mac_g, Admin - Middleware Servers

Author

Commented:
Let me know the commands/tools if you know them, please.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Is it an HTTP service running on the server side?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Then use curl http://host:port

This will help you.
ste5an, Senior Developer

Commented:
Well, that's in the nature of IP. You can only tell whether it works, when it works.

btw,
"my focus is whether I can reach the server through specific port [..]"
is not correctly phrased.
Also what kind of fw are we talking about?
mac_g, Admin - Middleware Servers

Author

Commented:
I am talking about the scenario where the service at the destination server is not working...
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Then you should go for some monitoring tool which checks whether the service is running or not.

Telnet checks whether the port is open or not. You might have a look at some service discovery tool.
mac_g, Admin - Middleware Servers

Author

Commented:
The scenario is:
the firewall rule is defined & the destination service is down.

In that case, how to make sure that the firewall rule is defined (or not), using tools/commands?

Please advise.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
If you want to see whether the firewall rule is working, block the port in the firewall and enable the service on the server, so telnet from the outside server should be blocked.

For service up/down use a monitoring tool like Zabbix or Nagios.
mac_g, Admin - Middleware Servers

Author

Commented:
I am a sysadmin/DBA, not a network admin.

I want to assess just from my side, using a command or any small tools.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
I hope other experts will help you to solve this issue.
The information which I know has already been conveyed.
mac_g, Admin - Middleware Servers

Author

Commented:
Thanks for your time so far.
I hope you are clear on my query.
ste5an, Senior Developer

Commented:
"In that case, how to make sure that the firewall rule is defined (or not), using tools/commands?"
Ask your network admins. Cause there is no standard tool set for this.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Netcat can help. The follow

nc -z -w 1 $ip $port >/dev/null 2>&1

Attempt to connect to $ip/$port, just connect + send no data, timeout after 1 second.

$? == 0 means success.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Nagios plugins might be of help here.
Depending on the services they might provide some more info...

When connecting to the target, the ICMP response may help in determining the problem.
Host unavailable (ARP on its gateway failed)
Port unavailable (the port is not opened, server is running)
etc. etc.

See: https://exchange.nagios.org/directory/Plugins/Network-Protocols/*-TCP-and-UDP-(Generic)
mac_g, Admin - Middleware Servers

Author

Commented:
@NOCI, @David Favor

Are you people using the advised tools?

Case 1) In the above command, if the firewall is fine and the service is down for that port on the server, does this connect?
Case 2) The firewall itself is closed?

Can you paste sample output in both the scenarios?
mac_g, Admin - Middleware Servers

Author

Commented:
@NOCI, @David Favor,

What will be the output for the below cases when we use the respective tool you people advised?
===========================================================================

1)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-UP

OUTPUT :

2)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-DOWN


OUTPUT :

3)

source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules*NOT*Defined                         server-UP + service-DOWN


OUTPUT :

======
noci, Software Engineer
Distinguished Expert 2018

Commented:
Yes, I use Icinga (it uses the Nagios plugins); I monitor some ports on the network.
I have a cascaded check...
You can supply dependencies when using Icinga/Nagios.

Say A depends on B which depends on C which depends on D,
then if B fails, A is still checked and the checks for C & D are cancelled, because if B fails any check beyond B would fail anyway.
So I have no examples of failure messages where if B fails to pass on traffic, what would happen on C or D.

From Icinga I verify ping to the firewall and some service on the firewall;
 If they succeed, a ping check to my ISP is done;
 If they succeed, a remote firewall ping, and then a packet through a tunnel (ping to inside the remote firewall), to verify a tunnel.
Then a remote service is checked.
Those dependencies are done in Icinga. Each line is one of various check_xxx plugins orchestrated through Icinga:

$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 143
TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.102 -p 143     # takes time, no ICMP host unavailable returned apparently
CRITICAL - Socket timeout
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 144     # port unavailable ICMP returned.
connect to address 192.168.1.100 and port 144: Connection refused

The firewall closed... has several meanings...
- closed with DROP --> timeout
- closed with return some ICMP packet, the result of the ICMP packet
- closed with reset: connection has been reset.
mac_g, Admin - Middleware Servers

Author

Commented:
Excellent work @noci

Just to have clarification, I hope you got the above output for the below test cases, right?
Confirm please.


1)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-UP

OUTPUT : TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000

2)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-DOWN


OUTPUT : takes time, no ICMP host unavailable returned apparently CRITICAL - Socket timeout

3)

source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules*NOT*Defined                         server-UP + service-DOWN


OUTPUT : port unavailable ICMP returned. connect to address 192.168.1.100 and port 144: Connection refused

Comment: but it can be any of the outputs you mentioned in this case (3)
- closed with DROP --> timeout
- closed with return some ICMP packet, the result of the ICMP packet
- closed with reset: connection has been reset.
=============

Please confirm.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Testcase #1:
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 143
TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000

Testcase #2 & #3 (and all cases where no ICMP failure is returned):
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.102 -p 143     # takes time, no ICMP host unavailable returned apparently
CRITICAL - Socket timeout


Testcase #3 IF configured to fail with ICMP, or Testcase #2:
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 144     # port unavailable ICMP returned.
connect to address 192.168.1.100 and port 144: Connection refused

(Please note that I tested here using an unused service port on that server.)
mac_g, Admin - Middleware Servers

Author

Commented:
@noci, thanks, good effort.
I have no idea about ICMP, I am a developer.

So your sections 2 & 3 are a little confusing to me.

a) Can you please revisit my last update, which elaborated the test cases, and update the expected output?
b) Can we distinguish the cause of the failure using the output we got?
noci, Software Engineer
Distinguished Expert 2018

Commented:
ICMP is the messaging protocol that signals problems and network management info between nodes.
Some firewall admins block the WHOLE protocol while some messages are really useful.

If a firewall DROPs packets (one way of configuring) it looks the same as a server not responding: you will see a timeout after a while (~2 minutes).
If an ICMP message is sent back (either by the firewall, or by the end system) you will get a notification of failure, which gives a reason why it failed and a positive acknowledgment that an attempt to connect is futile.

So BOTH of YOUR testcases 2 and 3 MAY happen on systems behind a (mis?)configured firewall or a (mis?)configured system.
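
The outcomes discussed in this thread (connected, refused, ICMP error, timeout) can be told apart on the client side from the error that the connect attempt returns. The following Python script is an added example, not code posted by any participant; the verdict labels, the names `probe`, `classify` and `demo`, and the loopback test ports are this example's own assumptions.

```python
import errno
import socket

# Verdict labels are this example's own naming, not check_tcp or nc output.
ERRNO_VERDICT = {
    errno.ECONNREFUSED: "refused",      # a reset came back: something answered
    errno.EHOSTUNREACH: "unreachable",  # an ICMP error came back
    errno.ENETUNREACH: "unreachable",
    errno.ETIMEDOUT: "timeout",         # nothing came back at all
}

MEANING = {
    "open": "path is allowed and the service is listening",
    "refused": "reached a host with no listener, or a firewall rejects with reset",
    "unreachable": "a router, firewall or host sent back an ICMP error",
    "timeout": "silence: firewall DROP or host down, not distinguishable from here",
    "error": "local failure (name resolution, bad address, ...)",
}

def classify(err):
    """Turn the exception from a failed connect() into a verdict label."""
    if isinstance(err, socket.timeout):
        return "timeout"
    return ERRNO_VERDICT.get(getattr(err, "errno", None), "error")

def probe(host, port, timeout=3.0):
    """Complete one TCP handshake, send no data, and report what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as err:
        return classify(err)

def demo():
    """Constructed loopback cases: one listening port, one bound but not listening."""
    up, down = socket.socket(), socket.socket()
    try:
        up.bind(("127.0.0.1", 0))
        up.listen(1)
        down.bind(("127.0.0.1", 0))   # port is held, but listen() is never called
        return (probe("127.0.0.1", up.getsockname()[1]),
                probe("127.0.0.1", down.getsockname()[1]))
    finally:
        up.close()
        down.close()

if __name__ == "__main__":
    for verdict in demo():
        print(f"{verdict}: {MEANING[verdict]}")
```

Run `probe()` from the source server against the real host and port. A `timeout` verdict still cannot separate a firewall DROP from a silent host, which is the limit described in the comment above.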
Admin - Middleware Servers
Commented:
I got  some understanding of the query
