can't access a service to a remote hosts

Discussion in 'Linux Networking' started by xeon Mailinglist, Feb 23, 2014.

  1. I have this network. host1 <-> router1 <-> router2 <-> router3 <-> router4 <-> host2. I can ping from host1 to host2, but I can access a service that is running in the port 50070. How can I find what is going on? I don't have access to the routers, only to the hosts.

    Both hosts run Linux in terminal mode.
     
    xeon Mailinglist, Feb 23, 2014
    #1

  2. Ulf Volmer Guest

    You can test with tcptraceroute if any route blocks your ports:

    tcptraceroute host2 50070

    regards
    Ulf
     
    Ulf Volmer, Feb 23, 2014
    #2

  3. I did tcptraceroute, and I get this output. It seems that it has connected, but when I access the service with a browser, I get Connection refused.

    Am I reading it right? Does the output show that I connected to the destination?

    HadoopWorkers-rci-0:~# tcptraceroute 10.103.0.20 50070
    traceroute to 10.103.0.20 (10.103.0.20), 30 hops max, 60 byte packets
    1 HadoopWorkers-fiu-0 (10.103.0.20) <rst,ack> 1.087 ms 1.016 ms 0.960 ms
     
    xeon Mailinglist, Feb 23, 2014
    #3
  4. Tauno Voipio Guest

    The target host (10.103.0.20) refused the TCP connection.
    Are you sure that there is anything listening to port 50070?
     
    Tauno Voipio, Feb 23, 2014
    #4
  5. Yes, I am. I accessed the service from the machine.
     
    xeon Mailinglist, Feb 23, 2014
    #5
  6. I just can't access the service from a remote host.
     
    xeon Mailinglist, Feb 23, 2014
    #6
  7. Tauno Voipio Guest

    Are you sure that the accessed host is what you think it is?

    The 10.x.y.z are RFC1918 private addresses, which can mean
    different hosts in different local networks. If the routers
    obey the RFCs, they must not forward the 10-series addresses
    if there is any hop in the public network.
     
    Tauno Voipio, Feb 23, 2014
    #7
  8. Ulf Volmer Guest

    ^^^

    The server refuses your connection. Is the server listening on the right (all)
    interfaces?
    Is there any firewall on the server?

    regards
    Ulf
     
    Ulf Volmer, Feb 23, 2014
    #8
  9. Ulf Volmer wrote:
    No it's not. rst = RESET = connection refused.

    Not quite. It stopped at the first hop, not even reaching the final
    destination (unless all routers along the path do not decrease the TTL,
    which would be against the IP standard).
    Nope. The first hop refused the connection.
     
    Pascal Hambourg, Feb 23, 2014
    #9
  10. Tauno Voipio wrote:
    Wise question.
    Agreed, but then they should not reply with a TCP RST, should they?
     
    Pascal Hambourg, Feb 23, 2014
    #10
  11. Routers running firewall? Nothing on host 2 listening to port 50070?

    tcpdump on host 2 to see if packets coming through.
     
    William Unruh, Feb 23, 2014
    #11
  12. That is a different issue. The program listening to port 50070 is
    refusing the connection. Look at that program (which you never told us
    about).
     
    William Unruh, Feb 23, 2014
    #12
  13. Tauno Voipio Guest

    That's right, but it is perfectly correct to have a host
    with the targeted IP in the network he's attempting access
    from, so the SYN segment goes to a completely different
    host the OP is targeting.

    There is a clue in this direction in the trace he posted:
    the RST comes from the address he wants to connect to, but
    without the router hops he claims there are.

    The RST comes from an unprepared host or from a firewall
    which is configured to assassin TCP to unallowed ports.
     
    Tauno Voipio, Feb 23, 2014
    #13
  14. Tauno Voipio wrote:
    Unlike ICMP errors, a TCP RST always appears to come from the target
    address, even when sent by an intermediate firewall. Otherwise the
    original sender would not accept it.
    Not from the expected destination host, anyway.
     
    Pascal Hambourg, Feb 23, 2014
    #14
  15. Try "lsof -i :50070" on the listening host. The listener may be listening
    only on the localhost IP (or some other set of IPs not including the one
    to which you are attempting to connect).

    - Andrew
     
    Andrew Gideon, Feb 26, 2014
    #15
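
The check suggested in post #15 (and Ulf's "listening on the right (all) interfaces?" in #8), as an added example that is not part of any poster's message: a shell function that reads `ss -ltn` output on the server and reports whether the port is bound to an address that covers the IP the client connects to. The function name `bind_verdict`, the verdict strings and the sample socket table are constructed for illustration; the port and IP are the ones from the thread.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -ltn` output on stdin.
# Real use on the server:  ss -ltn | bind_verdict 50070 10.103.0.20
bind_verdict() {
    port=$1 target=$2
    awk -v port="$port" -v target="$target" '
        $1 == "LISTEN" {
            local = $4                      # "Local Address:Port" column
            n = split(local, parts, ":")
            if (parts[n] != port) next      # last ":"-field is the port
            addr = substr(local, 1, length(local) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)       # [::] -> ::
            sub(/%.*$/, "", addr)           # drop an interface scope such as %lo
            found = 1
            # "::" also accepts IPv4 on Linux unless bindv6only is enabled.
            if (addr == "0.0.0.0" || addr == "*" || addr == "::") wild = 1
            else if (addr == target) exact = 1
            else others = others " " addr
        }
        END {
            if (!found)             print "not-listening"
            else if (wild || exact) print "reachable-bind"
            else                    print "wrong-bind:" others
        }'
}

# Constructed sample: the service answers locally but is bound to loopback only,
# so a SYN arriving on 10.103.0.20 gets a RST (the browser shows "Connection refused").
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      50     127.0.0.1:50070     0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | bind_verdict 50070 10.103.0.20
```

A `reachable-bind` verdict only rules out the bind address; a host firewall that rejects with a TCP reset, or a different machine answering for that IP, still has to be checked separately, for example with tcpdump on host2 as suggested in #11.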