#StackBounty: #networking #server #iptables #firewall Can't connect to open secure port on Ubuntu

Bounty: 50

I opened port 8443, on which I run a Clickhouse server. I can connect to SSH on port 22, and I can also connect to 8443 via an SSH tunnel, but I can't connect to that host directly. I'm connecting from a Windows machine, in case that is related. I even opened the outbound port (pretty sure that is redundant).

I tried disabling the firewall and then I was able to connect. What could be wrong?

user@myhost:~/d/clickhouse$ sudo ufw status
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
9440/tcp                   ALLOW       Anywhere                  
8443/tcp                   ALLOW       Anywhere                  
8443                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
9440/tcp (v6)              ALLOW       Anywhere (v6)             
8443 (v6)                  ALLOW       Anywhere (v6)             
8443/tcp (v6)              ALLOW       Anywhere (v6)

user@myhost:~/d/clickhouse$ sudo lsof -iTCP -sTCP:LISTEN -P
COMMAND      PID            USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd-r    841 systemd-resolve   13u  IPv4   26021      0t0  TCP localhost:53 (LISTEN)
vsftpd       901            root    3u  IPv6   26299      0t0  TCP *:21 (LISTEN)
sshd        1037            root    3u  IPv4   29181      0t0  TCP *:22 (LISTEN)
sshd        1037            root    4u  IPv6   29183      0t0  TCP *:22 (LISTEN)
docker-pr  86081            root    4u  IPv6  520074      0t0  TCP *:8088 (LISTEN)
docker-pr 287023            root    4u  IPv6 1831110      0t0  TCP *:8086 (LISTEN)
docker-pr 318522            root    4u  IPv6 2109586      0t0  TCP *:9440 (LISTEN)
docker-pr 318537            root    4u  IPv6 2110806      0t0  TCP *:8443 (LISTEN)
node      354955           user   18u  IPv4 2274703      0t0  TCP localhost:34575 (LISTEN)

user@myhost:~/d/clickhouse$ netstat -an | grep "LISTEN "
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:34575         0.0.0.0:*               LISTEN     
tcp6       0      0 :::21                   :::*                    LISTEN     
tcp6       0      0 :::8086                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::8088                 :::*                    LISTEN     
tcp6       0      0 :::8443                 :::*                    LISTEN     
tcp6       0      0 :::9440                 :::*                    LISTEN 

UPDATE:

On the server I ran sudo tcpdump -ni eth0 port 8443, and on the client machine I ran nc -zv 192.168.1.58 8443:

user@myhost:~$ sudo tcpdump -ni eth0 port 8443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:51.368952 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434934937 ecr 0,nop,wscale 7], length 0
15:05:52.380268 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434935948 ecr 0,nop,wscale 7], length 0
15:05:54.460280 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434938028 ecr 0,nop,wscale 7], length 0
15:05:58.540705 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434942109 ecr 0,nop,wscale 7], length 0
15:06:06.940802 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434950509 ecr 0,nop,wscale 7], length 0
15:06:23.581056 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434967149 ecr 0,nop,wscale 7], length 0
15:06:56.221198 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434999788 ecr 0,nop,wscale 7], length 0

and nc failed with the message: nc: connect to 192.168.1.58 port 8443 (tcp) failed: Connection timed out

The output of sudo ufw status verbose:

user@myhost:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
9440/tcp                   ALLOW IN    Anywhere                  
8443/tcp                   ALLOW IN    Anywhere                  
8443                       ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
9440/tcp (v6)              ALLOW IN    Anywhere (v6)             
8443 (v6)                  ALLOW IN    Anywhere (v6)             
8443/tcp (v6)              ALLOW IN    Anywhere (v6)  

I can connect to the service if the firewall is disabled:

nc -zv 192.168.1.58 8443 
Connection to 192.168.1.58 8443 port [tcp/*] succeeded!

I can also connect to the service by its IPv4 address if the firewall is disabled.
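An added cross-check, written for this page and not taken from the post or from ufw or Docker, that reads the ufw status verbose and lsof output quoted above and flags listeners whose inbound traffic the ALLOW IN rules do not actually govern. It assumes Docker is managing iptables (its default), in which case LAN traffic to a published port is DNAT'd to the container and crosses the FORWARD chain rather than INPUT; the verdict labels and the sample strings are constructed here.

```python
import re

# Constructed sample input, copied from the ufw and lsof output quoted in the post.
UFW_STATUS = """\
Default: deny (incoming), allow (outgoing), deny (routed)
22/tcp                     ALLOW IN    Anywhere
8443/tcp                   ALLOW IN    Anywhere
8443 (v6)                  ALLOW IN    Anywhere (v6)
"""
LSOF_LISTEN = """\
systemd-r    841 systemd-resolve   13u  IPv4   26021      0t0  TCP localhost:53 (LISTEN)
vsftpd       901            root    3u  IPv6   26299      0t0  TCP *:21 (LISTEN)
sshd        1037            root    3u  IPv4   29181      0t0  TCP *:22 (LISTEN)
docker-pr 318537            root    4u  IPv6 2110806      0t0  TCP *:8443 (LISTEN)
"""

UFW_DEFAULT = re.compile(r"Default: (\w+) \(incoming\), (\w+) \(outgoing\), (\w+) \(routed\)")
UFW_RULE = re.compile(r"^(\d+)(?:/(?:tcp|udp))?(?: \(v6\))?\s+ALLOW IN\b")
LSOF_LINE = re.compile(r"^(\S+)\s+\d+\s+\S+\s+\S+\s+IPv[46]\s+\d+\s+\S+\s+TCP (\S+):(\d+) \(LISTEN\)")

def parse_ufw(text):
    """Return (default policies, ports that have an ALLOW IN rule) from `ufw status verbose`."""
    defaults, allowed = {}, set()
    for line in text.splitlines():
        if m := UFW_DEFAULT.match(line):
            defaults = dict(zip(("incoming", "outgoing", "routed"), m.groups()))
        elif m := UFW_RULE.match(line):
            allowed.add(int(m.group(1)))
    return defaults, allowed

def parse_listeners(text):
    """Return [(command, bind address, port)] for each LISTEN socket in `lsof -iTCP -sTCP:LISTEN -P`."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for line in text.splitlines() if (m := LSOF_LINE.match(line))]

def audit(ufw_text, lsof_text):
    """Classify each listener by the netfilter path its inbound traffic really takes."""
    defaults, allowed = parse_ufw(ufw_text)
    findings = {}
    for command, addr, port in parse_listeners(lsof_text):
        if addr in ("localhost", "127.0.0.1", "[::1]"):
            findings[port] = "local-only"      # unreachable from the LAN regardless of ufw
        elif port not in allowed:
            findings[port] = "no-allow-rule"   # dropped by the default incoming policy
        elif command.startswith("docker-pr"):
            # docker-proxy holds the socket, but when Docker manages iptables (the default) LAN
            # traffic is DNAT'd to the container in PREROUTING and crosses FORWARD, not INPUT,
            # so the ALLOW IN rule never sees it; the routed policy and Docker's chains decide.
            findings[port] = f"forwarded:routed-{defaults.get('routed', 'unknown')}"
        else:
            findings[port] = "allowed"         # INPUT rule matches the real traffic path
    return findings
```

On the post's own output this flags 8443 as forwarded under a routed policy of deny while 22 is covered by a plain INPUT rule, which points at the FORWARD chain (iptables -L FORWARD -nv and ufw route rules) as the next thing to inspect.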

