
I have Ubuntu 16.04 running on machine A. It has a docker container running inside it, which exposes port 8080 to the outside (this is where the server (Wildfly) running inside the docker container is listening).

I am able to access that machine on port 8080 from every other machine on the network except one (let's call it machine B). That one machine is also running Ubuntu 16.04, and when I ping machine A from B it replies. I turned off the firewall like this: `sudo systemctl ufw`, and I also tried to flush all iptables rules, so now `sudo iptables -L` returns this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So, it seems that my iptables is empty and the firewall is off, but still that one machine cannot access machine A on port 8080. I get "Connection refused". I also tried to SSH from machine B to A on port 22 and that works. I don't know what else to try or where to look.

UPDATE: Also, the strange thing is that when I look at tcpdump on machine A (filtering for traffic whose source IP is machine B's IP) I see no traffic, even when I ping machine A from B and it goes through.

My tcpdump command looks like this: `sudo tcpdump -n "(src host ) and (dst port 8080 or icmp)" -i any`

When I filter tcpdump like this for other machines that can connect to machineA:8080, I see all the traffic (ICMP and other).

UPDATE2: I was finally able to capture some traffic with tcpdump. Here's the dump of machine B trying to connect to machine A on 8080:

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:18:24.744258 IP <MACHINE_B_IP>.50554 > <MACHINE_A_IP>.8080: Flags [SEW], seq 2052431582, win 29200, options [mss 1460,sackOK,TS val 1612935176 ecr 0,nop,wscale 7], length 0
12:18:24.744710 IP <MACHINE_A_IP>.8080 > <MACHINE_B_IP>.50554: Flags [R.], seq 0, ack 2052431583, win 0, length 0

And, here's the working communication between machines A and C:

12:11:14.932934 IP <MACHINE_C_IP>.58177 > <MACHINE_A_IP>.8080: Flags [S], seq 1111998950, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
12:11:14.932994 IP <MACHINE_A_IP>.8080 > <MACHINE_C_IP>.58177: Flags [S.], seq 4068855234, ack 1111998951, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:11:14.942047 IP <MACHINE_C_IP>.58177 > <MACHINE_A_IP>.8080: Flags [.], ack 1, win 260, length 0

So, it seems like the ACK from B to A is missing. Does that mean that the problem is on machine B?

user3362334
    a firewall that blocks outgoing connections on machine B? does machine B resolve to the correct IP address for machine A? – Gerald Schneider May 09 '19 at 11:53
  • firewall is also down on machine B. And machine B targets machine A directly by IP, and ping works, and SSH also works from B to A, but connections from B to A on 8080 are refused, but they work from any other host than B – user3362334 May 09 '19 at 11:58
  • On the machine with the listening service, run `ss -tnl` and post the output. – Michael Hampton May 09 '19 at 15:40
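As an added example (not part of the question or the comments above), here is a small Python parser for tcpdump lines in the format shown in the question. It groups packets by client and records, for each connection attempt to the server port, whether the client's SYN carried the ECN flags and what the server answered. The addresses are assumptions: the placeholders from the question are replaced by RFC 5737 documentation addresses (A = 192.0.2.10, B = 192.0.2.20, C = 192.0.2.30), and the sample capture is constructed from the two exchanges posted above. Run on that input, it makes the one visible difference between the two captures explicit: B's SYN carries ECE and CWR (tcpdump prints this as [SEW]) and the reply from A's address is a RST, while C's plain [S] gets a [S.] and the third-packet ACK completes the handshake.

```python
"""Classify TCP handshake attempts to one server port from tcpdump text output.

Added example: parses lines in the format tcpdump prints with -n (numeric
addresses) and reports, per client, whether the SYN carried ECN flags and
what the server answered.
"""
import re
from collections import defaultdict

# Constructed sample input: the two exchanges from the question, with the
# placeholder addresses replaced by RFC 5737 documentation addresses
# (assumed: A = 192.0.2.10, B = 192.0.2.20, C = 192.0.2.30).
SAMPLE_CAPTURE = """\
12:18:24.744258 IP 192.0.2.20.50554 > 192.0.2.10.8080: Flags [SEW], seq 2052431582, win 29200, options [mss 1460,sackOK,TS val 1612935176 ecr 0,nop,wscale 7], length 0
12:18:24.744710 IP 192.0.2.10.8080 > 192.0.2.20.50554: Flags [R.], seq 0, ack 2052431583, win 0, length 0
12:11:14.932934 IP 192.0.2.30.58177 > 192.0.2.10.8080: Flags [S], seq 1111998950, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
12:11:14.932994 IP 192.0.2.10.8080 > 192.0.2.30.58177: Flags [S.], seq 4068855234, ack 1111998951, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:11:14.942047 IP 192.0.2.30.58177 > 192.0.2.10.8080: Flags [.], ack 1, win 260, length 0
"""

SERVER_IP, SERVER_PORT = "192.0.2.10", 8080  # assumed address of machine A

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's single-letter TCP flag notation; '.' stands for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["flags"] = frozenset(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
    return pkt


def classify_handshakes(capture_text, server_ip, server_port):
    """Group packets by (client_ip, client_port) and summarise each handshake."""
    flows = defaultdict(list)
    for raw in capture_text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        if (pkt["dst"], pkt["dport"]) == (server_ip, server_port):
            flows[(pkt["src"], pkt["sport"])].append(("c2s", pkt["flags"]))
        elif (pkt["src"], pkt["sport"]) == (server_ip, server_port):
            flows[(pkt["dst"], pkt["dport"])].append(("s2c", pkt["flags"]))

    verdicts = {}
    for client, pkts in flows.items():
        # the client's initial SYN: SYN set, ACK clear
        syn = next((f for d, f in pkts if d == "c2s" and "SYN" in f and "ACK" not in f), None)
        # the first packet the server sent back to this client
        reply = next((f for d, f in pkts if d == "s2c"), None)
        v = {
            "syn_seen": syn is not None,
            # ECE+CWR on a SYN is an ECN-setup SYN (tcpdump prints it as [SEW])
            "syn_ecn": syn is not None and {"ECE", "CWR"} <= syn,
            "reply": "none",
            "established": False,
        }
        if reply is not None:
            if "RST" in reply:
                v["reply"] = "RST"
            elif {"SYN", "ACK"} <= reply:
                v["reply"] = "SYN-ACK"
                # third packet of the handshake: a client ACK without SYN
                v["established"] = any(
                    d == "c2s" and "ACK" in f and "SYN" not in f for d, f in pkts)
        verdicts[client] = v
    return verdicts


def refused_clients(verdicts):
    """Clients whose SYN was answered with a RST from the server address."""
    return sorted(c for c, v in verdicts.items() if v["syn_seen"] and v["reply"] == "RST")


if __name__ == "__main__":
    result = classify_handshakes(SAMPLE_CAPTURE, SERVER_IP, SERVER_PORT)
    for (ip, port), v in sorted(result.items()):
        print(f"{ip}:{port}  syn_ecn={v['syn_ecn']}  reply={v['reply']}  "
              f"established={v['established']}")
    print("refused:", refused_clients(result))
```

To use it on a real capture, run `sudo tcpdump -n -i any "tcp port 8080"` on machine A, save the text output, and pass it to `classify_handshakes` with A's actual address. Note that the RST in the question's capture is sent from machine A's address and port 8080, so whatever refuses B sits on A's side of the exchange or in the path between them; the parser only makes that visible, it does not say why.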

0 Answers