[SOLVED] local host not accepting connections

lacrosse1991 · 04-11-2012, 04:15 PM

hello! i am currently experiencing a problem on my gateway machine where localhost does not seem to be accepting connections, i have been trying to get 2 programs to work, c-icap/havp, which at first i thought was because of some other unknown issue, but when i tried the programs on another one of my machines running debian as well, both worked perfectly fine, but on the gateway machine every attempt that a program makes to connect to localhost just ends up timing out :/ i have checked multiple things including the etc/hosts file and etc/network/interfaces, but both seem normal, the one thing that i think could possibly be the issue is iptables as the other debian server (the one that is working fine) does not have any rules set for iptables as the gateway machine take care of that. i have included the contents of the file that i use to restore iptables settings, just in case there is a mistake i have made. also forgot to note that localhost does respond to pings, it just refuses to make connections. any help would be greatly appreciated as i really have no clue what is causing this problem, thanks!

Code:

# Generated by iptables-save v1.4.8 on Wed Mar  7 21:28:31 2012
*nat
:PREROUTING ACCEPT [3119:515146]
:POSTROUTING ACCEPT [152:9120]
:OUTPUT ACCEPT [3441:241083]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.111:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22000 -j DNAT --to-destination 192.168.1.111:22000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25598 -j DNAT --to-destination 192.168.1.111:25598
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25596 -j DNAT --to-destination 192.168.1.111:25596
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25566 -j DNAT --to-destination 192.168.1.101:25566
-A PREROUTING -i eth0 -p udp -m udp --dport 5008 -j DNAT --to-destination 192.168.1.198:5008
-A PREROUTING -i eth0 -p udp -m udp --dport 5009 -j DNAT --to-destination 192.168.1.198:5009
-A PREROUTING -i eth0 -p udp -m udp --dport 5010 -j DNAT --to-destination 192.168.1.198:5010
-A PREROUTING -i eth0 -p udp -m udp --dport 5011 -j DNAT --to-destination 192.168.1.198:5011
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 192.168.1.100:5800
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.100:5900
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar  7 21:28:31 2012
# Generated by iptables-save v1.4.8 on Wed Mar  7 21:28:31 2012
*filter
:INPUT DROP [10935:3517801]
:FORWARD ACCEPT [28:1532]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25566 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25596 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25598 -j ACCEPT
-A INPUT -p udp -m udp --dport 5008 -j ACCEPT
-A INPUT -p udp -m udp --dport 5009 -j ACCEPT
-A INPUT -p udp -m udp --dport 5010 -j ACCEPT
-A INPUT -p udp -m udp --dport 5011 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5800 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -i eth0 -o Br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Mar  7 21:28:31 2012

Kustom42 · 04-11-2012, 05:26 PM

Try adding an accept rule for input and output on the lo interface? I don't see any issues with your iptables config.

lacrosse1991 · 04-11-2012, 06:36 PM

hm unfortunately did not seem to do the trick

what else do you think could be causing something like this?

Kustom42 · 04-11-2012, 06:50 PM

You'll need to do a tcpdump and see what is happening with the interface at this point, unless another member can point out a rule in your list that is causing the problem that I am over-looking.

Code:

tcpdump -n -i lo

lacrosse1991 · 04-11-2012, 07:51 PM

hello, here is what i get when i try to communicate with processes that should be running on localhost, also i had forgotten to mention that when i try to startup the c-icap server (one of the two things that have problems, im thinking their both rooted in the same cause) the c-icap debug will complain about not being able to bind to its socket, whereas it binds just fine on the other box without changing any settings, i got these logs by using c-icap-client which pretty much queries the c-icap server for its status and such, the logs in tcpdump stopped showing once the c-icap-client timed out.

Code:

root@Kingston:~/c_icap-0.1.7# tcpdump -n -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
20:45:31.316751 IP 127.0.0.1.47886 > 127.0.0.1.1344: Flags [S], seq 3097052626, win 32792, options [mss 16396,sackOK,TS val 720128389 ecr 0,nop,wscale 6], length 0
20:45:34.313598 IP 127.0.0.1.47886 > 127.0.0.1.1344: Flags [S], seq 3097052626, win 32792, options [mss 16396,sackOK,TS val 720129139 ecr 0,nop,wscale 6], length 0
20:45:40.313619 IP 127.0.0.1.47886 > 127.0.0.1.1344: Flags [S], seq 3097052626, win 32792, options [mss 16396,sackOK,TS val 720130639 ecr 0,nop,wscale 6], length 0
^C
3 packets captured
6 packets received by filter
0 packets dropped by kernel

nikmit · 04-12-2012, 05:59 AM

If iptables is not dropping the packets, chances are the program is not listening on the loopback interface.

Do 'netstat -nlp | grep 1344' to confirm.

lacrosse1991 · 04-12-2012, 08:25 AM

hooray

actually it did turn out to be iptables, i had apparently just had the entries for allowing localhost messed up a little, i love iptables for its power and abilities, but still have a difficult time with it sometimes :/ thanks alot for your help though, really appreciate it