how to check the connectivity to the destination server thru ONLY specific port

I am a sysadmin. I want to know

I want to reach the server, to check the connectivity thru a specific port.
This is just to verify whether the required firewall rule is defined properly or not.
mac_g, Admin - Oracle Fusion Middleware suite, Asked:
John, Business Consultant (Owner), Commented:
First ping the server.  Do you get a response?

Now map some folder:  NET USE T: \\server\folder and authenticate.   Does this work through your firewall?
If not, what numerical system error do you get?
ste5an, Senior Developer, Commented:
telnet to that server and port.
Prabhin MP, DevOps Engineer, Commented:
Do a telnet to the specific port:
if the reply says open > port is open
if the reply says refused > not open.
You can work on the firewall rules after applying changes.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
I know the telnet options... but if the destination service is down, then telnet won't give more information on whether the issue is with the firewall or the destination service. In both cases we get the same results.


my focus is whether I can reach the server through specific port, to make sure network team done their job for firewall !

==
Prabhin MP, DevOps Engineer, Commented:
Then you should use something related to the service,

like for an http service use curl, something like that for the rest of the tcp / udp services.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
let me know commands/tool if you know. plz..
Prabhin MP, DevOps Engineer, Commented:
Is it an http service running on the server side?
Prabhin MP, DevOps Engineer, Commented:
Then use curl http://host:port

this will help you
ste5an, Senior Developer, Commented:
Well, that's in the nature of IP. You can only tell whether it works, when it works.

btw,
"my focus is whether I can reach the server through specific port [..]"
is not correctly phrased.
Also what kind of fw are we talking about?
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
I am telling the scenario where the service at the destination server is not working ...
Prabhin MP, DevOps Engineer, Commented:
Then you should go for some monitoring tools which check whether the service is running or not.

Telnet checks whether the port is open or not. You might have a look at some service discovery tool.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
The scenario is:
the firewall rule is defined & the destination service is down.

In that case, how to make sure that the firewall rule is defined (or not), using tools/commands?

Please advise.
Prabhin MP, DevOps Engineer, Commented:
If you want to see that the firewall rule is working, block the port in the firewall and enable the service on the server, so telnet from the outside server should be blocked.

For service up/down use a monitoring tool like zabbix or nagios.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
i am sysadmin/DBA... not network admin.

i want to assess just from my side .. using command or any small tools.
Prabhin MP, DevOps Engineer, Commented:
I hope other experts will help you to solve this issue.
The information which I know is already conveyed.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
Thanks for your time so far ..
I hope you are clear with my query ..
ste5an, Senior Developer, Commented:
"in that case, how to make sure that firewall defined(or not), using tools/commands ?"
Ask your network admins. Cause there is no standard tool set for this.
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Netcat can help. The follow

nc -z -w 1 $ip $port >/dev/null 2>&1

Attempt to connect to $ip/$port, just connect + send no data, timeout after 1 second.

$? == 0 means success.
noci, Software Engineer, Commented:
nagios plugins might be of help here.
Depending on the services they might provide some more info....

When connecting to the target the ICMP response may help determine the problem.
Host unavailable, (ARP on its gateway failed)
Port unavailable (The port is not opened, server is running)
etc. etc

See: https://exchange.nagios.org/directory/Plugins/Network-Protocols/*-TCP-and-UDP-(Generic)
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
@NOCI, @David Favor

Are you people using the advised tools?

case 1) in the above command, firewall fine, & if the service is down for that port on the server, does this connect?
case 2) firewall itself closed ?
==
Can you paste sample output in both the scenarios ?

===
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
@NOCI, @David Favor,

What will be the output for the below cases when we use the respective tools you people advised?
===========================================================================

1)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-UP

OUTPUT :

2)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-DOWN


OUTPUT :

3)

source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules*NOT*Defined                         server-UP + service-DOWN


OUTPUT :

======
noci, Software Engineer, Commented:
Yes, I use Icinga (it uses the nagios plugins); I monitor some ports on the network.
I have a cascaded check...
You can supply dependencies when using icinga/nagios.

Say A depends on B which depends on C which depends on D,
then if B fails  A is still checked and the checks for C & D are cancelled, because B fails any check beyond B would fail anyway.
So i have no examples of failure messages where if B fails to pass on traffic, what would happen on C or D.

From Icinga i verify ping to the firewall and some service on the firewall;
 If they succeed a ping check to my ISP is done;
 If they succeed a remote firewall ping, and then a packet through a tunnel (ping to inside the remote firewall), to verify a tunnel
Then a remote service is checked.
Those dependencies are done in Icinga. Each line is a different check_xxx plugin, orchestrated through Icinga:
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 143
TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.102 -p 143     # takes time, no ICMP host unavailable returned apparently
CRITICAL - Socket timeout
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 144     # port unavailable ICMP returned.
connect to address 192.168.1.100 and port 144: Connection refused


The firewall closed... has several meanings...
- closed with DROP --> timeout
- closed with return some ICMP packet, the result of the ICMP packet
- closed with reset: connection has been reset.
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
Excellent work @noci

Just to have clarification, I hope you got the above output for the below testcase,right  ?
confirm please


1)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-UP

OUTPUT : TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000

2)
source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules Defined                         server-UP + service-DOWN


OUTPUT : takes time, no ICMP host unavailable returned apparently CRITICAL - Socket timeout

3)

source ---{   firewall         }   --------     {Target server, service port # 1001 }
             Rules*NOT*Defined                         server-UP + service-DOWN


OUTPUT : port unavailable ICMP returned. connect to address 192.168.1.100 and port 144: Connection refused

comment: but can  be any of the output as you mentioned in this case (3)
- closed with DROP --> timeout
- closed with return some ICMP packet, the result of the ICMP packet
- closed with reset: connection has been reset.
=============

Confirm, plz
noci, Software Engineer, Commented:
Testcase #1:
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 143
TCP OK - 0.020 second response time on 192.168.1.100 port 143|time=0.019999s;;;0.000000;10.000000

Testcase #2 & #3  (and all cases where no ICMP Failure is returned).
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.102 -p 143     # takes time, no ICMP host unavailable returned apparently
CRITICAL - Socket timeout


Testcase #3 IF configured to fail with ICMP.. Or Testcase #2:
$ /usr/lib64/nagios/plugins/check_tcp -H 192.168.1.100 -p 144     # port unavailable ICMP returned.
connect to address 192.168.1.100 and port 144: Connection refused

(Please note that I tested here using a nonused service port on that server).
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
@noci, thanks ..good efforts
I have no idea about ICMP, I am a developer ..

So, your 2 & 3 section little confusing to me.

a) can you please revisit my last update which elaborated test cases,  and update the expected output.
b) can we distinguish the cause of the failure using the output we got ?
noci, Software Engineer, Commented:
ICMP is the messaging protocol that signals problems and network management info between nodes.
Some firewall admins block the WHOLE protocol while some messages are really useful.

If a firewall DROPs packets (one way of configuring) it looks the same as a server not responding: you will see a timeout after a while (~2 minutes).
If an ICMP message is sent back (either by the firewall, or by the end system) you will get a notification of failure, which gives a reason why it failed and a positive acknowledgment that an attempt to connect is futile.

So both YOUR testcases 2 and 3 MAY happen on systems behind a (mis?)configured firewall or a (mis?)configured system.
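
The outcomes noci lists above (timeout on DROP, an ICMP failure, a reset/refusal), shown as an added example that is not part of the original thread: a Python probe that attempts one TCP handshake and reports which of them occurred. The verdict names, hint texts and function names are this example's own, and the errno mapping assumes a Linux or other POSIX source host.

```python
import errno
import socket

# Verdict names and hint texts are this example's own, not tool output.
HINTS = {
    "open": "handshake completed: the path is allowed and the service listens",
    "refused": "actively rejected: host reached but nothing listens, "
               "or a firewall is set to reject",
    "unreachable": "ICMP unreachable came back from a router, firewall or host",
    "timeout": "no answer at all: firewall DROP, host down, or ICMP filtered",
}


def classify_error(exc):
    """Map a failed connect() to one of the verdicts above."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "unreachable"
    raise exc  # DNS failure, permission error, ...: not a port verdict


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake, send no data, return the verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


if __name__ == "__main__":
    # Constructed demo on loopback: a listener stands in for "service up",
    # the same port after close() stands in for "service down, path open".
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    for state in ("service up", "service down"):
        verdict = probe("127.0.0.1", port, timeout=2.0)
        print(f"{state}: {verdict} ({HINTS[verdict]})")
        srv.close()
```

A "refused" or "unreachable" verdict shows that something on the path answered, so the packet was not silently dropped; a "timeout" on its own cannot separate a DROP rule from a host that is down.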
mac_g, Admin - Oracle Fusion Middleware suite, Author Commented:
I got  some understanding of the query
