Unable to connect to certain TCP port numbers


#1

Hi,

I have been trying to connect to a particular TCP port (port 5009 in my case) to send some raw TCP data, but I am unable to make a connection to the remote server from the mangOH Red board.
I am able to connect if the port number is changed to 8080, 80 and a few others.
I have used both libcurl and the basic socket APIs to achieve this, but had no success.
How do I connect and send TCP data to other port numbers? Are some port numbers blocked from the device?

Note: With Hercules tool I am able to connect and send data to the remote server.

Regards,
Devaiah


#2

Is this TCP connection over cellular data or WiFi? Perhaps your service provider is blocking outgoing connections to certain TCP port numbers.


#3

Hiya @devaiah,

You’ve probably hit the internal (default) firewall on the version of Yocto shipped for the WP modules.

iptables -L will give you a list of the firewall setup on the WP.

ciao, Dave


#4

I am trying to establish the TCP connection over cellular data.


#5

Hi Dave,

Below is how the table looks (pardon me, I am not very well versed with this iptables thing):

root@swi-mdm9x28:~# iptables -L -v
Chain INPUT (policy DROP 41 packets, 3616 bytes)
 pkts bytes target prot opt in      out source   destination
    1    76 ACCEPT all  --  lo      any anywhere anywhere
  301 24603 ACCEPT all  --  any     any anywhere anywhere ctstate RELATED,ESTABLISHED
    0     0 ACCEPT udp  --  any     any anywhere anywhere udp spt:domain
    0     0 ACCEPT icmp --  any     any anywhere anywhere icmp echo-reply
    3   156 ACCEPT tcp  --  ecm0    any anywhere anywhere tcp dpt:ssh
    1    60 ACCEPT icmp --  ecm0    any anywhere anywhere icmp echo-request
    6  2004 ACCEPT udp  --  ecm0    any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
    0     0 ACCEPT tcp  --  bridge0 any anywhere anywhere tcp dpt:ssh
    0     0 ACCEPT icmp --  bridge0 any anywhere anywhere icmp echo-request
    0     0 ACCEPT udp  --  bridge0 any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in      out source   destination

Chain OUTPUT (policy ACCEPT 302 packets, 41790 bytes)
 pkts bytes target prot opt in      out source   destination

Can you please help me figure out whether port 5009 is blocked or not? Sorry, I am quite new to this. Also, I am using cellular data.

Regards,
Devaiah


#6

I don’t believe there is anything blocking that port locally. Maybe see if you can connect over that port using wifi.


#7

Hiya,

I agree with @dfrey - a first look at the rules you have provided shows they should let packets to port 5009 OUT on any interface, and a response to an outgoing packet should then be accepted by INPUT on any interface.

Chain OUTPUT (policy ACCEPT 302 packets, 41790 bytes)

should let any packets on any port on any interface out of the WP.

I would have thought the INPUT chain rule

301 24603 ACCEPT all – any any anywhere anywhere ctstate RELATED,ESTABLISHED

should have allowed responses to packets that had been sent from the device to be received correctly (but not unsolicited input packets).

NOTE: This is a somewhat dangerous rule to have... if something goes wrong with an application on the WP, you could be up for a lot of data transmission costs, as it will let in traffic that is responding to any existing outgoing packets.

The WP Yocto Linux uses the standard linux iptables firewall system. I suggest that you get on the web and look up some iptables primers so you get a handle on the way packets flow through the firewall, what is meant by interfaces and how rules are constructed.

Can I ask what you are trying to achieve? 5009 is an odd port - are you trying to do some sort of VoIP?

The reason I ask is that some protocols return info on different ports than those that were used to send the request on. If this is the case with your protocol, then the rules as shown above may not let the responses back in (as they are coming back on a different port to that they went out on - so the RELATED,ESTABLISHED part of the ACCEPT rule will not match the returning packets). If you are using such a protocol, then you may need to look at one of the kernel IPTABLES helper modules for the protocol (if one exists).

ciao, Dave


#8

Try:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

root@swi-mdm9x28:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


#9

Hiya,

That’s a very dangerous set of rules for iptables.

Only use this for testing, as you’ve just left your device wide open to the world.

ciao, Dave
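To make the reasoning in #7 and the contrast with the flush in #8 concrete, here is an added example (not code from the thread or from Sierra Wireless) that parses the two `iptables` listings posted above into a simplified model of the filter table and walks packets through it the way the INPUT and OUTPUT chains do: the first matching terminal rule (ACCEPT/DROP/REJECT) decides, otherwise the chain policy applies. The listings are embedded as constructed copies of the posted output (FORWARD dropped from the first, column headers dropped from the second since they carry no rules). Assumptions, labelled in the code: the cellular interface is called `rmnet0` (the posted listing never names it), the client's ephemeral port is 40000, the returning SYN-ACK is tagged ESTABLISHED by conntrack, and NAT/mangle tables, ICMP types and conntrack helpers are not modelled.

```python
"""Added example: walk packets through the iptables filter chains listed in this thread. First
terminal match in a chain wins, else the chain policy; NAT/mangle and conntrack are not modelled
(the ctstate is supplied with the packet)."""
import re
from dataclasses import dataclass

# Constructed inputs: the INPUT and OUTPUT chains of the `iptables -L -v` listing posted
# above (FORWARD omitted), and the empty chains left after the flush in post #8.
ORIGINAL_RULES = """\
Chain INPUT (policy DROP 41 packets, 3616 bytes)
 pkts bytes target prot opt in      out source   destination
    1    76 ACCEPT all  --  lo      any anywhere anywhere
  301 24603 ACCEPT all  --  any     any anywhere anywhere ctstate RELATED,ESTABLISHED
    0     0 ACCEPT udp  --  any     any anywhere anywhere udp spt:domain
    0     0 ACCEPT icmp --  any     any anywhere anywhere icmp echo-reply
    3   156 ACCEPT tcp  --  ecm0    any anywhere anywhere tcp dpt:ssh
    1    60 ACCEPT icmp --  ecm0    any anywhere anywhere icmp echo-request
    6  2004 ACCEPT udp  --  ecm0    any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
    0     0 ACCEPT tcp  --  bridge0 any anywhere anywhere tcp dpt:ssh
    0     0 ACCEPT icmp --  bridge0 any anywhere anywhere icmp echo-request
    0     0 ACCEPT udp  --  bridge0 any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc

Chain OUTPUT (policy ACCEPT 302 packets, 41790 bytes)
 pkts bytes target prot opt in      out source   destination
"""
FLUSHED_RULES = "Chain INPUT (policy ACCEPT)\nChain FORWARD (policy DROP)\nChain OUTPUT (policy ACCEPT)\n"
PORT_NAMES = {"ssh": 22, "domain": 53, "bootps": 67, "bootpc": 68}  # service names iptables -L prints

@dataclass
class Rule:
    target: str
    proto: str                        # all / tcp / udp / icmp
    iface_in: str                     # "any" or an interface name
    iface_out: str
    ctstate: frozenset = frozenset()  # empty = rule has no ctstate match
    sport: tuple = ()                 # (lo, hi) port range; empty = unrestricted
    dport: tuple = ()

@dataclass
class Packet:
    proto: str
    ctstate: str = "NEW"              # what conntrack would tag this packet with
    in_iface: str = ""
    out_iface: str = ""
    sport: int = 0
    dport: int = 0

def port_range(spec):                 # 'dpt:ssh' -> (22, 22); 'spts:bootps:bootpc' -> (67, 68)
    ends = [int(p) if p.isdigit() else PORT_NAMES[p] for p in spec.split(":")[1:]]
    return (ends[0], ends[-1])

def parse_iptables(text):
    """Return {chain: (policy, [Rule, ...])} from `iptables -L -v` output."""
    chains, rules = {}, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("pkts", "target"):   # blank line or column header
            continue
        if tokens[0] == "Chain":      # user-defined chains print no policy: falling off = RETURN
            m = re.match(r"Chain (\S+) \(policy (\w+)", line)
            rules = []
            chains[tokens[1]] = (m.group(2) if m else "RETURN", rules)
            continue
        # -v columns: pkts bytes target prot opt in out source destination [match text...]
        rule = Rule(tokens[2], tokens[3], tokens[5], tokens[6])
        for j, tok in enumerate(tokens[9:], 9):   # e.g. "tcp dpt:ssh", "ctstate RELATED,ESTABLISHED"
            if tok == "ctstate":
                rule.ctstate = frozenset(tokens[j + 1].split(","))
            elif tok.startswith(("dpt:", "dpts:")):
                rule.dport = port_range(tok)
            elif tok.startswith(("spt:", "spts:")):
                rule.sport = port_range(tok)
        rules.append(rule)
    return chains

def matches(rule, pkt):
    """Fields the listing leaves unspecified match anything (icmp types are ignored here)."""
    in_range = lambda rng, port: not rng or rng[0] <= port <= rng[1]
    return (rule.proto in ("all", pkt.proto) and rule.iface_in in ("any", pkt.in_iface)
            and rule.iface_out in ("any", pkt.out_iface)
            and (not rule.ctstate or pkt.ctstate in rule.ctstate)
            and in_range(rule.sport, pkt.sport) and in_range(rule.dport, pkt.dport))

def evaluate(chains, chain, pkt):
    """Verdict of one chain: the first matching terminal target, else the chain policy."""
    policy, rules = chains[chain]
    for rule in rules:
        if rule.target in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule.target
    return policy

def tcp_connect_verdict(chains, iface, dport, sport=40000):
    """(SYN via OUTPUT, SYN-ACK back via INPUT) for connect() to dport over iface; sport is an assumed ephemeral port."""
    syn = Packet("tcp", "NEW", out_iface=iface, sport=sport, dport=dport)
    synack = Packet("tcp", "ESTABLISHED", in_iface=iface, sport=dport, dport=sport)
    return evaluate(chains, "OUTPUT", syn), evaluate(chains, "INPUT", synack)

def inbound_verdict(chains, iface, dport, proto="tcp"):
    """A NEW packet arriving on iface: unsolicited, or a reply on a port conntrack never saw."""
    return evaluate(chains, "INPUT", Packet(proto, "NEW", in_iface=iface, dport=dport))
```

With `chains = parse_iptables(ORIGINAL_RULES)`, `tcp_connect_verdict(chains, "rmnet0", 5009)` returns `("ACCEPT", "ACCEPT")`: the SYN leaves under the OUTPUT policy and the SYN-ACK comes back through the RELATED,ESTABLISHED rule, which is Dave's point in #7 that the default rules do not block the connection. `inbound_verdict(chains, "rmnet0", 5009)` returns `"DROP"`, which is the helper-module case from the same post: a server reply on a port conntrack has no entry for is just a NEW packet to the INPUT chain. Against `parse_iptables(FLUSHED_RULES)` the same unsolicited packet, and ssh on the cellular interface, are accepted, which is what #9 means by "wide open". To run this against a live device, paste the output of `iptables -L -v -n` (numeric ports, so `PORT_NAMES` is not needed) into `ORIGINAL_RULES`; the simplest on-device check is to compare the INPUT policy drop counter in that listing before and after a connect attempt, since a counter that does not move means the local firewall is not where the packets are lost.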


#10

Thank you all for the support. Actually it started working after changing the SIM card.


#11

So, as @dfrey suggested in the 1st reply, probably down to your cellular service configuration?


#12

Did you switch to a different SIM on the same provider or a different provider?