I have been practising using iptables on CentOS 7 (it is a guest machine on VirtualBox). At first I disabled firewalld:
systemctl disable firewalld
systemctl stop firewalld
Then I installed iptables:
yum -y install iptables-services
systemctl enable iptables
systemctl start iptables
After all this I tried to open a TCP port on my local machine with the nc -l 1025 command, but the command just hung up. I looked all over the Internet and found out that I could flush the iptables rules in this post, "The netcat command can't access an open port", but after this I had no connection to the Internet at all. So I returned my CentOS 7 to the previous state, when I had just installed iptables. Here are my iptables rules:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here is the verbose mode of nc -vl 1025:
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::1025
Ncat: Listening on 0.0.0.0:1025
And the result of ss -lnt:
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port
LISTEN     0      128                       *:22                       *:*
LISTEN     0      100               127.0.0.1:25                       *:*
LISTEN     0      128                      :::22                      :::*
LISTEN     0      100                     ::1:25                      :::*
Another verbose run, for example for port 2000, nc -vl 2000:
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::2000
Ncat: Listening on 0.0.0.0:2000
The result of ss -lnt is the same:
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port
LISTEN     0      128                       *:22                       *:*
LISTEN     0      100               127.0.0.1:25                       *:*
LISTEN     0      128                      :::22                      :::*
LISTEN     0      100                     ::1:25                      :::*
So what do I need to do to make my nc command work properly, so that I can open a TCP port on CentOS 7?


netcat starts and does nothing visible, and stays that way. Is that what happens? If it's so, doesn't port 1025 show in the output of ss -lnt?

ss command. 'Hung up' means that after typing nc -l 1025 and pressing ENTER nothing happened and I didn't see another line such as [root@localhost ~]#

ss while nc is still running, right? If so, that's kind of weird. As far as I know, any iptables rules can't prevent you from listening. This looks more like an SELinux thing to me - maybe try getenforce, and if it's set to 'Enforcing', do setenforce 0 and check again (if you can afford disabling SELinux for a while).

nc -l 1026, then I opened another one and typed nc localhost 1026 and everything worked as if it was correct, but when I typed ss -lnt in a third console I had what I wrote in my answer: no ports were listening on - 1026 for example.

ncat listens only once. After you connected to it with a client, it's not listening for any other connection attempts. Try without nc localhost 1026.
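The two things the question and the comments turn on can both be checked from command output: whether anything is actually bound to the port (ss -lnt shows LISTEN sockets, and no iptables rule can prevent a bind) and, separately, whether an incoming connection to that port would be allowed in, which in the posted INPUT chain it would not be, because the catch-all REJECT is the last rule and nothing before it accepts port 1025. The helpers below are an added example, not code from the question or from any of the commenters; they run against copies of the ss -lnt and iptables -L INPUT output quoted above, constructed inline so the script works offline, and the function names (port_listening, reject_rule_position, allow_tcp_port_cmd) are my own.

```shell
#!/bin/sh
# Added example: decide whether a port is bound, and build the iptables command
# that admits it ahead of the chain's REJECT rule. Constructed copies of the
# output shown in the question stand in for the live commands.

SS_SAMPLE='State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port
LISTEN     0      128                       *:22                       *:*
LISTEN     0      100               127.0.0.1:25                       *:*
LISTEN     0      128                      :::22                      :::*
LISTEN     0      100                     ::1:25                      :::*'

INPUT_CHAIN_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited'

# port_listening PORT SS_OUTPUT
# Succeeds (exit 0) if some LISTEN socket in the ss -lnt output is bound to
# PORT on any address (*, 0.0.0.0, ::, 127.0.0.1, ...). Column 4 is
# "Local Address:Port"; the port is whatever follows the last colon.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# reject_rule_position CHAIN_LISTING
# Prints the 1-based rule number of the first REJECT rule in an
# "iptables -L <chain>" listing (the first two lines are the chain banner and
# the column header), or prints nothing if the chain has no REJECT rule.
reject_rule_position() {
    printf '%s\n' "$1" | awk '
        NR > 2 { rule++; if ($1 == "REJECT") { print rule; exit } }'
}

# allow_tcp_port_cmd PORT CHAIN_LISTING
# Prints the iptables command that admits new TCP connections to PORT. The
# rule is inserted (-I) at the REJECT rule's position so it is evaluated
# first; appending with -A would land after the REJECT, where it never
# matches. With no REJECT rule in the chain, appending is fine.
allow_tcp_port_cmd() {
    pos=$(reject_rule_position "$2")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$pos" "$1"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$1"
    fi
}

# Stand-alone run against the constructed samples.
for p in 22 1025; do
    if port_listening "$p" "$SS_SAMPLE"; then
        echo "port $p: something is listening"
    else
        echo "port $p: nothing is bound (a firewall rule cannot cause this)"
    fi
done
echo "first REJECT rule is at position: $(reject_rule_position "$INPUT_CHAIN_SAMPLE")"
allow_tcp_port_cmd 1025 "$INPUT_CHAIN_SAMPLE"
```

On a live host the same functions take real output: port_listening 1025 "$(ss -lnt)" and allow_tcp_port_cmd 1025 "$(iptables -L INPUT)"; the rule number can also be read directly from iptables -L INPUT --line-numbers, and once the rule is right, service iptables save (provided by the iptables-services package installed in the question) persists it across reboots. Two further details explain the observations in the comments: the third rule, shown by -L as "ACCEPT all", is the default loopback rule whose -i lo match only appears with -v, which is why nc localhost 1026 connected despite the REJECT; and Ncat serves one client and then exits unless started with -k (--keep-open), so after that single connection ss -lnt legitimately shows nothing on 1026.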