Got Arch running on my laptop for over a year now - very stable, adjustable and fast.
Don't remember the exact moment when my phone ceased to establish a samba connection with the laptop (didn't feel much pain, having globally-available NAS storage).
Recently tested some ssh-tunnelling tasks and found that sshd and httpd are unavailable too, i.e. active and listening locally, but refusing to establish connections from outside localhost.
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 993 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2020/tcp open xinupageserver
3306/tcp open mysql
iptables rules list is empty; also tried to stop the iptables service. NO firewall (ufw, firewalld) or SELinux installed.
Here's what I get from other machine (192.168.1.123 is my laptop's IP on LAN):
wget 192.168.1.123
--2019-09-25 12:28:18-- http://192.168.1.123/
Connecting to 192.168.1.123:80... failed: Connection refused.
ssh <username>@192.168.1.123 -p 2020
ssh: connect to host 192.168.1.123 port 2020: Connection refused
nmap 192.168.1.123
Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-25 12:37 MSK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
ping 192.168.1.123
PING 192.168.1.123 (192.168.1.123) 56(84) bytes of data.
64 bytes from 192.168.1.123: icmp_seq=1 ttl=64 time=2.20 ms
64 bytes from 192.168.1.123: icmp_seq=2 ttl=64 time=1.32 ms
64 bytes from 192.168.1.123: icmp_seq=3 ttl=64 time=1.00 ms
64 bytes from 192.168.1.123: icmp_seq=4 ttl=64 time=1.15 ms
Could anybody help to figure out why the connection is blocked? Maybe some log file could tell? I didn't find one...
Last edited by sheraff (2019-09-27 18:00:14)
nmap 192.168.1.123
What does this output when run on the laptop?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
nmap 192.168.1.123
What does this output when run on the laptop?
[]$ nmap 192.168.1.123
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 23:31 MSK
Nmap scan report for aG500 (192.168.1.123)
Host is up (0.00013s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2020/tcp open xinupageserver
3306/tcp open mysql
Same, minus:
631/tcp open ipp
My first guess is that the services are bound to localhost. Could you please show the output of
ss -tulpn
As well as the command Swiggles suggested, post the output of `iptables-save` also.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
My first guess is that the services are bound to localhost. Could you please show the output of
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:56734 0.0.0.0:* users:(("dring",pid=1139,fd=8))
udp UNCONN 0 0 0.0.0.0:8050 0.0.0.0:* users:(("dring",pid=1139,fd=19))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 192.168.1.123%wlp3s0:68 0.0.0.0:*
udp UNCONN 0 0 [::]:42056 [::]:* users:(("dring",pid=1139,fd=9))
udp UNCONN 0 0 [::]:8050 [::]:* users:(("dring",pid=1139,fd=20))
udp UNCONN 0 0 [::]:53 [::]:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 50 [::]:445 [::]:*
tcp LISTEN 0 80 *:3306 *:*
tcp LISTEN 0 50 [::]:139 [::]:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 32 [::]:53 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*
Looks like all services are host-irrespective but one (ipp on 631).
As well as the command Swiggles suggested, post the output of `iptables-save` also.
[]$ sudo iptables-save
# Generated by iptables-save v1.8.3 on Thu Sep 26 06:35:54 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Sep 26 06:35:54 2019
Odd. What is the output of `ip a s`?
The ports could easily be blocked by the routing device. Are other devices or e.g. a live distro system affected as well?
Odd. What is the output of `ip a s`?
Odd - and a bit annoying.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 20:89:84:ef:f3:94 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 48:d2:24:77:af:9e brd ff:ff:ff:ff:ff:ff
inet 192.168.43.146/24 brd 192.168.43.255 scope global dynamic noprefixroute wlp3s0
valid_lft 3122sec preferred_lft 3122sec
inet6 fe80::c4f6:ff50:833:a84a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
192.168.43.146 - I'm currently at my phone's wireless AP, but it doesn't seem to make any difference. I use the same interface at home.
Network services respond only via the loopback interface.
The only possible way to connect remotely to the laptop is through an ssh tunnel to my NAS (Ubuntu), e.g.:
ssh -N -R {xx080,xx445,x2020}:localhost:{80,445,2020} <username>@<servername> -p <port>
The ports could easily be blocked by the routing device. Are other devices or e.g. a live distro system affected as well?
Ubuntu NAS works fine. This particular installation of Arch also used to - with router and with phone's AP.
Need to try live distro...
Same with ethernet connection.
The ports could easily be blocked by the routing device. Are other devices or e.g. a live distro system affected as well?
Booted from ArchISO, installed ssh and apache - both serve well for my phone's apps.
Should I reinstall Arch at this point?
nftables is empty as well?
https://wiki.archlinux.org/index.php/Nftables
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
seth wrote: The ports could easily be blocked by the routing device. Are other devices or e.g. a live distro system affected as well?
Booted from ArchISO, installed ssh and apache - both serve well for my phone's apps.
Should I reinstall Arch at this point?
Everything is pointing to some enabled filter.
Could you try to completely flush your iptables by running these commands (I know, I don't see anything either, but for good measure)?
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Also please provide the output of
systemctl list-unit-files --state=enabled
nftables is empty as well?
https://wiki.archlinux.org/index.php/Nftables
[]$ sudo nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
ct state { established, related } accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport 22 accept
reject
}
chain forward {
type filter hook forward priority filter; policy accept;
drop
}
chain output {
type filter hook output priority filter; policy accept;
}
}
Now I remember: at one point (after reading the article) I decided to disable iptables and enable nftables.
Disabling nftables now solves the case.
Have I got it right that nftables is the more modern and preferable option to iptables?
What rules blocked net services in my ruleset?
Last edited by sheraff (2019-09-26 19:31:10)
Also please provide the output of
systemctl list-unit-files --state=enabled
UNIT FILE STATE
org.cups.cupsd.path enabled
autovt@.service enabled
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
display-manager.service enabled
dnsmasq.service enabled
gdm.service enabled
getty@.service enabled
httpd.service enabled
mariadb.service enabled
mysqld.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
nftables.service enabled
org.cups.cupsd.service enabled
samba.service enabled
smb.service enabled
org.cups.cupsd.socket enabled
remote-fs.target enabled
20 unit files listed.
Thank you; the reason I asked was to identify other filter services, but you already figured out it is nftables, which you can also see in the output.
Please remember to mark the thread as solved.
Thank you all.
Now I feel I need a closer look at firewall and filtering tools...
Thank you; the reason I asked was to identify other filter services, but you already figured out it is nftables, which you can also see in the output.
Please remember to mark the thread as solved.
Thank you!
Struggling to figure out how to mark the thread...
Last edited by sheraff (2019-09-26 19:44:35)
Just edit your first post and add "[Solved]" in front of the title.
Have I got it right that nftables is the more modern and preferable option to iptables?
Yes.
What rules blocked net services in my ruleset?
You have configured the "input" chain to reject all connections that are not explicitly allowed. For example, you allowed tcp connections on port 22.
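The diagnosis the thread arrives at (listeners bound to 0.0.0.0, an empty iptables, and an nftables input chain that ends in reject) as an added POSIX sh example; this is not code from the thread or from any poster. It classifies each listener's bind scope from `ss -tulpn` text and traces the verdict the input chain gives a new TCP connection to that port, and it also builds a constructed alternative ruleset that keeps the default-reject chain while allowing the ports the laptop serves. The sample ss and nft text is constructed and abridged from the outputs above; bind_scope, input_verdict and triage are assumed helper names.

```shell
#!/bin/sh
# Triage for this thread's symptom: LISTEN on 0.0.0.0, empty iptables, remote "Connection refused".
# Constructed sample inputs, abridged from the ss and nft outputs posted in the thread.
SS_SAMPLE='tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*'
NFT_POSTED='table inet filter {
  chain input {
    type filter hook input priority filter; policy accept;
    iifname "lo" accept
    tcp dport 22 accept
    reject
  }
}'
# Constructed alternative to disabling nftables: keep the default-reject chain
# and allow just the ports the laptop serves (port numbers from the thread).
NFT_FIXED=$(printf '%s\n' "$NFT_POSTED" |
  sed 's/tcp dport 22 accept/tcp dport { 22, 80, 139, 445, 2020 } accept/')
# bind_scope ADDR:PORT -> "loopback" (unreachable from the LAN regardless of any firewall) or "all".
bind_scope() {
  case "$1" in
    127.*|'[::1]'*) echo loopback ;;
    *) echo all ;;
  esac
}
# input_verdict PORT: reads an `nft list ruleset` dump on stdin and prints "accept",
# "reject" (terminal reject/drop hit first) or "policy"; handles "dport 22" and "dport { 80, 445 }".
input_verdict() {
  awk -v port="$1" '
    /chain input/ { inchain = 1; next }
    inchain && /^[ \t]*}/ { inchain = 0 }
    !inchain { next }
    /tcp dport/ && /accept/ {
      line = $0; sub(/.*dport/, "", line); sub(/accept.*/, "", line)
      gsub(/[{},]/, " ", line); n = split(line, p, " ")
      for (i = 1; i <= n; i++) if (p[i] == port) { verdict = "accept"; exit }
    }
    /^[ \t]*(reject|drop)/ { verdict = "reject"; exit }
    END { print (verdict == "" ? "policy" : verdict) }'
}
# triage SS_TEXT NFT_TEXT -> one line per TCP listener: PORT SCOPE VERDICT
triage() {
  printf '%s\n' "$1" | awk '$1 == "tcp" && $2 == "LISTEN" { print $5 }' |
  while read -r addr; do
    port=${addr##*:}
    printf '%s %s %s\n' "$port" "$(bind_scope "$addr")" "$(printf '%s\n' "$2" | input_verdict "$port")"
  done
}
triage "$SS_SAMPLE" "$NFT_POSTED"
```

Running `triage "$SS_SAMPLE" "$NFT_FIXED"` instead shows 445 and 80 accepted while 631 stays loopback-only, which is the least-privilege outcome rather than turning the firewall off.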
You have configured the "input" chain to reject all connections that are not explicitly allowed. For example, you allowed tcp connections on port 22.
Didn't dig in that direction yet ^)