How to check whether there is a route between two hosts for a particular port (e.g. 1433).
- If there is a route for one port there is a route for every port. Routing happens on a network layer without ports. – Christopher Perrin Aug 07 '13 at 04:20
- What if there is a firewall between the two hosts that filters ports? – ohho Aug 07 '13 at 04:24
- @ohho: it doesn't matter. If there is a route - then it is there regardless of firewall settings. You probably need to rephrase your question. – zerkms Aug 07 '13 at 04:25
- Firewalls operate at a different level. @ChristopherPerrin is correct, routing occurs at the IP level, not the port level. – EEAA Aug 07 '13 at 04:26
- So is there any command line tool (CentOS) I can use to check the hosts are connectable via a particular port? – ohho Aug 07 '13 at 04:28
- That's a different question. Please edit your question above to reflect the fact that you aren't interested in routing, but actually in how to determine if a port is open between two IP addresses. – EEAA Aug 07 '13 at 04:37
- Of course I am also interested in route. I am not sure whether the connection failure is caused by a missing route, or a firewall rule. – ohho Aug 07 '13 at 04:47
4 Answers
With 'ip route get ADDRESS' you can check the route configured in your system, that is, the first hop:

    $ ip route get 192.168.10.10
    192.168.10.10 via 192.168.10.1 dev eth0 src 192.168.10.11
        cache

To check the port connectivity, a simple telnet should do:

    $ telnet 192.168.10.10 1433
    ...

Good luck!

First, you must know that the `route` action occurs at the Network Layer, while a `port` is defined at the Transport Layer. So the fact that a route exists between two hosts doesn't mean you can reach a port on a host.
Imagine the two hosts are two houses, a port is the gate of a house, and a route is a road. You can build many roads between the houses. But when you reach a house, if the house's gate is closed, you cannot come in.
UPDATE
For your comment question, you could use commands like:
To check that a route exists:
- route
- traceroute
To check for an open port:
- telnet
- netcat
Read their man pages and try using them.

- What (command line) tools are available to check the route existence, and the port connectivity? – ohho Aug 07 '13 at 04:49
- If you can find a route between the hosts with the tools then there IS a route. If there is a route you can check if the port is open with the other tools. – Christopher Perrin Aug 07 '13 at 05:08
As others have mentioned, having a route doesn't necessarily mean you have connectivity. If that's what you're looking to test, `netcat` offers the `-z` option to scan to see if a port is open. (You may also wish to specify a timeout with `-w` if you may not have a route; the default timeout is usually a couple of minutes.)

    $ nc -z 127.0.0.1 22; echo $?
    0
    $ nc -z 127.0.0.1 11; echo $?
    1

You can use the exit code to do something (or not) based on whether you have demonstrated connectivity to that address and port:

    if nc -z 127.0.0.1 22; then
        echo "SSH server is available."
    else
        echo "Cannot connect to SSH server."
    fi

The `-v` option will make the output more verbose, and this can be used to scan a range of ports:

    $ nc -vz 127.0.0.1 22-25
    Connection to 127.0.0.1 22 port [tcp/ssh] succeeded!
    nc: connect to 127.0.0.1 port 23 (tcp) failed: Connection refused
    nc: connect to 127.0.0.1 port 24 (tcp) failed: Connection refused
    Connection to 127.0.0.1 25 port [tcp/smtp] succeeded!
    $ echo $?
    0

As shown above, in multiport scan mode the exit code will be true (0) if any of the ports succeeded in connecting, or false otherwise.
There are several different versions of `netcat`; the one used in the examples above is the `netcat-openbsd` package from Debian 9, which is a rewrite of the "traditional" netcat (`netcat-traditional` package). For these particular parameters and exit codes the traditional version is substantially similar. If you are having problems with netcat command line parameters and exit codes, check which version you're using; `ls -l /bin/nc*` may give some insight.

- I am on CentOS and '-z' is not a valid option, is there an equivalent? – Vijay Kumar Sep 05 '18 at 19:05
- You don't mention which CentOS and what version of netcat you're using, but as I mention there are a number of different versions. Have you checked the package list for your system to see if you can install a different version, such as the OpenBSD netcat that I used above? – cjs Sep 06 '18 at 02:12
- Note, you should specify a timeout with the -G flag if the connection test is part of a condition in your scripts – A.J. Brown Nov 19 '18 at 06:47
- @A.J.Brown That's a good suggestion, and I've updated the post based on it. However, the timeout option in both OpenBSD and traditional `netcat` is `-w`. (OpenBSD has no `-G` option and for traditional that sets the source routing pointer. Welcome to the world of differing netcats!) – cjs Nov 19 '18 at 07:39
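
For the case raised in the question comments (is a failure caused by a missing route or by a firewall rule?), the error returned by the connect attempt is itself informative. The following is an added example, not taken from any answer on this page, written in Python so it does not depend on which netcat variant is installed; the `probe` helper, the verdict labels and the advice strings are this example's own, and the errno interpretations assume typical Linux behaviour.

```python
import errno
import socket

# Verdict labels are this example's own naming, not standard terminology.
VERDICTS = {
    errno.ECONNREFUSED: "closed",       # actively refused: the path works, but there is
                                        # no listener or a rejecting firewall
    errno.EHOSTUNREACH: "unreachable",  # "No route to host" reported for the target
    errno.ENETUNREACH: "no-route",      # "Network is unreachable": no usable route
}

ADVICE = {
    "open": "route and port are both fine",
    "closed": "route works; check the listener and any REJECT rule",
    "filtered": "no reply; suspect a DROP rule, a down host or a missing return path",
    "unreachable": "check the path with traceroute or mtr",
    "no-route": "check the local table with 'ip route get ADDRESS'",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"               # SYNs went unanswered within the timeout
    except socket.gaierror:
        return "dns-failure"            # the name did not resolve; nothing was sent
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return VERDICTS.get(exc.errno, "error:" + name)


if __name__ == "__main__":
    # Constructed demo: a throwaway loopback listener stands in for the real service.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    for label in ("listener up", "listener down"):
        verdict = probe("127.0.0.1", port, timeout=1.0)
        print(f"{label}: {verdict} ({ADVICE.get(verdict, 'see errno')})")
        listener.close()
```

A "filtered" verdict cannot by itself separate a dropping firewall from a host that is down, which is where traceroute or mtr toward the same address helps.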
I really like mtr http://www.bitwizard.nl/mtr/. There is also a Windows version at http://winmtr.net/
