-1

I've read so much and tinkered with so much that I don't even know where to start. Port 80 and 22 are open and accessible both inside and outside the local network and work fine. However, 443 and 32400 are open in iptables with services listening, but connections to the services on these ports from a computer on the local network or the internet time out. I can access the services from CLI on the server itself using sudo wget http://domain.com:32400 or sudo wget https://domain.com, and it works fine.

It looks like they are all making it through iptables as iptables shows packets and bytes for those rules, but none of the logs show anything for those requests.

Both of these services worked fine on my last server (ClearOS), so my ISP is not blocking them.

$ nmap redactedIP
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-13 15:56 CST
Nmap scan report for redactedIP.dhcp.krny.ne.charter.com (redactedIP)
Host is up (0.000029s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

$ nmap -p 32400 redactedIP
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-13 15:56 CST
Nmap scan report for redactedIP.dhcp.krny.ne.charter.com (redactedIP)
Host is up (0.000094s latency).
PORT      STATE SERVICE
32400/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1253/mysqld
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      844/Plex Media Serv
tcp        0      0 0.0.0.0:32401           0.0.0.0:*               LISTEN      844/Plex Media Serv
tcp        0      0 0.0.0.0:32469           0.0.0.0:*               LISTEN      1701/Plex DLNA Serv
tcp        0      0 192.168.5.1:53          0.0.0.0:*               LISTEN      1228/named
tcp        0      0 redacted:53        0.0.0.0:*               LISTEN      1228/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1228/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1562/exim4
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1228/named
tcp        0      0 0.0.0.0:56222           0.0.0.0:*               LISTEN      938/Plex Plug-in [c
tcp        0      0 0.0.0.0:1696            0.0.0.0:*               LISTEN      1701/Plex DLNA Serv
tcp6       0      0 :::80                   :::*                    LISTEN      1742/apache2
tcp6       0      0 :::53                   :::*                    LISTEN      1228/named
tcp6       0      0 :::22                   :::*                    LISTEN      1186/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1562/exim4
tcp6       0      0 ::1:953                 :::*                    LISTEN      1228/named
tcp6       0      0 :::443                  :::*                    LISTEN      1742/apache2
udp        0      0 0.0.0.0:37232           0.0.0.0:*                           763/avahi-daemon: r
udp        0      0 127.0.0.1:47592         0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:6645            0.0.0.0:*                           968/dhclient
udp        0      0 127.0.0.1:53757         0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:35487           0.0.0.0:*                           1189/dhcpd
udp        0      0 192.168.5.1:36008       0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           763/avahi-daemon: r
udp        0      0 0.0.0.0:1550            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:42527           0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:40481           0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 redacted:60984     0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32410           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32413           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32414           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 redacted:57183     0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:4096            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 192.168.5.1:51220       0.0.0.0:*                           844/Plex Media Serv
udp        0      0 192.168.5.1:53          0.0.0.0:*                           1228/named
udp        0      0 redacted:53        0.0.0.0:*                           1228/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1228/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1189/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           968/dhclient
udp6       0      0 :::60075                :::*                                763/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                763/avahi-daemon: r
udp6       0      0 :::54946                :::*                                1189/dhcpd
udp6       0      0 :::53                   :::*                                1228/named
udp6       0      0 :::20752                :::*                                968/dhclient


$ sudo iptables -L -v
Chain INPUT (policy DROP 99 packets, 11532 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6801  718K ACCEPT     all  --  lo     any     anywhere             anywhere
 7720  822K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   80  4120 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  264 13764 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    6   304 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
   11   560 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:32400

Chain FORWARD (policy ACCEPT 199 packets, 31384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 86 packets, 9450 bytes)
 pkts bytes target     prot opt in     out     source               destination

Ran tcpdump -i (interface) 'tcp port 32400' on the internal interface (eth1), the loopback (lo) and the external interface (p10p1) which connects directly to the modem and has no other router between it and the world wide interwebs and got the following summarized results:

  • eth1:
    • From within network: multiple packets captured, received by filter with 0 dropped by kernel.
    • From outside network: nothing
  • lo:
    • From within or outside network: nothing
  • p10p1:
    • From within network: nothing
    • From outside network: multiple packets captured, received by filter with 0 dropped by kernel.
Patrick
  • Don't conduct an nmap from the local host; do it from another reachable host. – Andre Jan 13 '15 at 06:08
  • Ok, I've updated the nmap results using the external ip address of the server. Results are basically the same except missing MySQL and SMTP. MySQL is only accessible from the server and ISP blocks port 25 (SMTP). – Patrick Jan 13 '15 at 23:28

2 Answers

1

Ok folks, I knew this was going to be something simple, and I'm almost embarrassed to admit it, but for the sake of completion, here's what happened. I use iptables-persistent to save/reload iptables. When adding rules via command line, the rules are added to the "filter" table, but not to the "nat" table, so while the port(s) in question were open in "filter", they were not open in "nat". I added the rules to the "nat" table, restarted, and everything is working fine.

Thank you everyone for your help, sorry it was a ridiculously simple solution. Here is my "/etc/iptables/rules.v4" file now for anyone that wants to see it:

$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*filter
:INPUT DROP [438:49434]
:FORWARD ACCEPT [4727:2251391]
:OUTPUT ACCEPT [746:117598]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*nat
:PREROUTING ACCEPT [13673:1753542]
:INPUT DROP [193:33460]
:OUTPUT ACCEPT [942:175333]
:POSTROUTING ACCEPT [331:86274]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A POSTROUTING -o p10p1 -j MASQUERADE
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*mangle
:PREROUTING ACCEPT [114993:38355797]
:INPUT ACCEPT [27211:3683353]
:FORWARD ACCEPT [87622:34663068]
:OUTPUT ACCEPT [18739:2989889]
:POSTROUTING ACCEPT [112370:38117303]
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
Patrick
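An added check, not part of Patrick's answer or of iptables-persistent, that makes the fix above testable from a saved ruleset. `iptables -L` with no `-t` shows only the filter table, which is why the earlier listing looked complete while the nat table was still dropping new connections. The nat table is consulted for the first packet of each new connection, and for locally delivered packets its INPUT hook runs after the filter INPUT chain, so a port that is accepted in filter but has no rule in a nat INPUT chain with a DROP policy will increment the filter counters and still never reach the listening service, matching the symptom in the question. The script below parses `iptables-save` output and reports every table whose INPUT chain has a DROP policy and no ACCEPT rule for the given TCP port. The embedded ruleset is constructed for this example (modelled on the rules.v4 above, with 443 deliberately left out of the nat INPUT chain), and the function names are assumptions made for the example, not anything iptables provides.

```shell
#!/bin/sh
# Constructed sample of iptables-save output for this example. Port 443 is
# accepted in the filter table but missing from the nat INPUT chain, whose
# policy is DROP, so new connections to 443 would be dropped there.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A POSTROUTING -o p10p1 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT'

# input_policy RULES TABLE
# Prints the policy of TABLE's INPUT chain, or "-" if the table is absent.
input_policy() {
    printf '%s\n' "$1" | awk -v table="$2" '
        /^\*/ { cur = substr($0, 2) }                      # "*nat" starts the nat table
        cur == table && $1 == ":INPUT" { print $2; found = 1; exit }
        END { if (!found) print "-" }'
}

# port_accepted RULES TABLE PORT
# Exit 0 if TABLE's INPUT chain has an ACCEPT rule for tcp --dport PORT.
port_accepted() {
    printf '%s\n' "$1" | awk -v table="$2" -v port="$3" '
        /^\*/ { cur = substr($0, 2) }
        cur == table && $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { hit = 1; exit }
        }
        END { if (hit) exit 0; exit 1 }'
}

# missing_tables RULES PORT
# Prints, space separated, every table whose INPUT chain has policy DROP
# but no ACCEPT rule for PORT: each of these would silently drop the first
# packet of a new connection even though other tables accepted it.
missing_tables() {
    rules=$1; port=$2; out=""
    for t in filter nat mangle; do
        if [ "$(input_policy "$rules" "$t")" = "DROP" ] && \
           ! port_accepted "$rules" "$t" "$port"; then
            out="$out$t "
        fi
    done
    printf '%s' "${out% }"
}

# Stand-alone run against the constructed sample.
# Against the live ruleset (as root): missing_tables "$(iptables-save)" 443
printf 'tables that would drop new tcp/443 connections: %s\n' \
    "$(missing_tables "$SAMPLE_RULES" 443)"
```

To look at the same chain with counters on a live host, `sudo iptables -t nat -L INPUT -v -n` is the command the earlier `iptables -L` listing did not cover. The usual practice is to leave the nat table's chains at their default ACCEPT policy and do all filtering in the filter table; a DROP policy on nat INPUT is what turned one missing rule into a silent drop with no log line from the service.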
0

Packet trace (tcpdump, wireshark) and netcat troubleshooting from different hosts and interfaces (lo0, eth, wlan) is all I can think of. You will need to isolate the issue since it doesn't make sense yet.

Either it comes from the client, the server or the gateway. Hope it helps.

Florian Bidabé
  • Once you know what host/appliance is causing the problem, we can dig further into it – Florian Bidabé Jan 13 '15 at 05:07
  • I've added the results of tcpdump unless there is something more specific I should be running. Unfortunately I'm unsure as to what this behavior tells me. – Patrick Jan 13 '15 at 06:04