I have been practising using iptables on CentOS 7 (it is a guest machine in VirtualBox). First I disabled firewalld:
systemctl disable firewalld
systemctl stop firewalld
Then I installed iptables:
yum -y install iptables-services
systemctl enable iptables
systemctl start iptables
After all this I tried to open a TCP port on my local machine with the nc -l 1025 command, but the command just hung. I looked all over the Internet and found out that I could flush the iptables rules (in this post: The netcat command can't access an open port), but after this I had no connection to the Internet at all. So I returned my CentOS 7 to the previous state, when I had just installed iptables. Here are my iptables rules:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here is the verbose mode of nc -vl 1025:
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::1025
Ncat: Listening on 0.0.0.0:1025
And the result of ss -lnt:
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                             *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    :::22                            :::*
LISTEN     0      100    ::1:25                           :::*
Another verbose run, for example for port 2000, nc -vl 2000:
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::2000
Ncat: Listening on 0.0.0.0:2000
The result of ss -lnt is the same:
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                             *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    :::22                            :::*
LISTEN     0      100    ::1:25                           :::*
So what should I do to make my nc command work properly, so that I can open a TCP port on CentOS 7?
netcat starts and does nothing visible, and stays that way. Is that what happens? If so, doesn't port 1025 show in the output of ss -lnt?
ss command. 'Hung up' means that after typing nc -l 1025 and pressing ENTER nothing happened and I didn't see another line such as [root@localhost ~]#
ss while nc is still running, right? If so, that's kind of weird. As far as I know, iptables rules can't prevent you from listening. This looks more like a SELinux thing to me - maybe try getenforce, and if it's set to 'Enforcing', do setenforce 0 and check again (if you can afford disabling SELinux for a while).
nc -l 1026, then I opened another one and typed nc localhost 1026; everything worked as if it was correct, but when I typed ss -lnt in a third console I had what I wrote in my answer: no ports were being listened on - 1026, for example.
ncat listens only once. After you connect to it with a client, it isn't listening for any other connection attempts. Try without nc localhost 1026.
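What the last comment describes, as an added example that is not from the original question or its comments: a Python reimplementation of the two ncat listen modes using plain sockets, on an OS-chosen loopback port (bind to port 0 on 127.0.0.1) rather than the 1025/1026 from the question. Without keep-open (ncat's -k / --keep-open) the listening socket is closed after the first accepted connection, so a second client is refused and the port is no longer in LISTEN state (ss -lnt would no longer show it, although ss -tn would still show the first, accepted connection as ESTAB); with keep-open the listener keeps accepting. iptables never enters into this: bind() and listen() are not packet-filtering events, which is why the REJECT rule in the INPUT chain cannot make a port vanish from ss -lnt.

```python
"""Why `ss -lnt` showed no listener on 1026 once a client had connected.

Added example, not code from the original question or its comments. It
reproduces with plain Python sockets the behaviour the last comment
describes for ncat: without --keep-open (-k) the listening socket is closed
after the first accepted connection, so the port leaves LISTEN state even
while that first client is still connected. The port is chosen by the OS
(bind to port 0) on 127.0.0.1, not the 1025/1026 from the question.
"""
import socket
import threading


def client_connect(port, host="127.0.0.1", timeout=1.0):
    """Play the role of `nc localhost PORT`: True if the TCP handshake
    completes, False if it is refused or times out (nothing in LISTEN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # ECONNREFUSED, timeout, ...
            return False
        return True


def start_listener(keep_open):
    """Start a listener on an OS-chosen loopback port.

    keep_open=False mimics `ncat -l PORT`: accept one client, then close the
    listening socket (the accepted connection itself stays open).
    keep_open=True mimics `ncat -kl PORT`: keep accepting until stopped.

    Returns (port, accepted, stop): `accepted` is set each time the listener
    has finished handling an accept(); `stop` tells the listener to shut down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)          # poll so the thread can notice `stop`
    port = srv.getsockname()[1]
    accepted, stop = threading.Event(), threading.Event()
    conns = []

    def serve():
        listening = True
        while listening and not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conns.append(conn)       # keep the session alive, like ncat would
            if not keep_open:
                srv.close()          # ncat default: no LISTEN socket any more
                listening = False
            accepted.set()
        if listening:
            srv.close()
        stop.wait()
        for c in conns:
            c.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, accepted, stop


def probe_sequence(keep_open, clients=2):
    """Connect `clients` times in a row; return which attempts got through."""
    port, accepted, stop = start_listener(keep_open)
    results = []
    try:
        for _ in range(clients):
            accepted.clear()
            ok = client_connect(port)
            results.append(ok)
            if ok:
                accepted.wait(timeout=2)  # let the listener act on that accept
    finally:
        stop.set()
    return results


if __name__ == "__main__":
    # Expected: [True, False] for the ncat default, [True, True] with -k.
    print("ncat -l  (accept once):", probe_sequence(keep_open=False))
    print("ncat -kl (keep open):  ", probe_sequence(keep_open=True))
```

Run it as a script to print both sequences. The equivalent experiment on the question's CentOS box is to start nc -l 1026 alone, check ss -lnt before any client connects (the port should be in LISTEN), then connect once from a second console and check again.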