telnet: connect to address IPV6 Connection refused

Issues related to configuring your network
Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: telnet: connect to address IPV6 Connection refused

Post by Whoever » 2021/04/04 15:34:01

If these two hosts are VMs in a data center, it's possible that the VM provider redirects port 25 traffic to their own server. So, when nmap tells you that port 25 is open, it's really seeing the VM provider's smtp server and not your other VM.

Update: when I experienced an ISP messing with smtp traffic, they had set up a transparent proxy, which was used to rate-limit outgoing emails. However, without careful inspection of the packets, it really looked like outgoing smtp was unrestricted.

The tool to use here is tcptraceroute.

Compare the results of the following commands, when run from kamet:

Code: Select all

tcptraceroute makalu.akadia.com 25
and

Code: Select all

tcptraceroute makalu.akadia.com 22
Last edited by Whoever on 2021/04/04 17:45:15, edited 1 time in total.

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/04 15:54:44

zahn-martin wrote:
2021/04/04 12:24:45
On kamet:

telnet makalu.akadia.com 53
Trying 2a02:121e:58e2::1...
Connected to makalu.akadia.com.
Escape character is '^]'.
Connection closed by foreign host.

Port 53 successful

On makalu:

root@makalu:> tcpdump -i enp0s31f6 -vv dst makalu.akadia.com -n -nn -l and port 53
tcpdump: listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes

No output
You clearly connect kamet to something. You should see that traffic with tcpdump. You are too strict with tcpdump's filters (or makalu.akadia.com is not your makalu).

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/04 16:29:57

on kamet

root@kamet:/var/log> ip -6 ro

2a02:121e:58e2:1::/64 dev eth0 proto kernel metric 256 expires 4792sec mtu 1500
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500
default via fe80::8e59:c3ff:fed1:398b dev eth0 proto kernel metric 1024 expires 1795sec mtu 1500 hoplimit 64

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/04 20:17:41

How about:

Code: Select all

ip -6 ro get 2a02:121e:58e2::1
The 2a02:121e:58e2:1::/64 is link-local subnet. However, isn't
2a02:121e:58e2::1 same as 2a02:121e:58e2:0::1?
Then makalu's address is in different subnet 2a02:121e:58e2:0::/64,
and kamet sends via router (fe80::8e59:c3ff:fed1:398b).

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/05 06:40:56

root@kamet:/var/log> ip -6 ro get 2a02:121e:58e2::1

2a02:121e:58e2::1 via fe80::8e59:c3ff:fed1:398b dev eth0 proto kernel src 2a02:121e:58e2:1:21d:92ff:feb4:7bd4 metric 1024 expires 1796sec mtu 1500 hoplimit 64

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/05 06:55:34

root@kamet:~> tcptraceroute makalu.akadia.com 25

traceroute to makalu.akadia.com (2a02:121e:58e2::1), 30 hops max, 80 byte packets
1 2a02:121e:58e2::1 (2a02:121e:58e2::1) <rst,ack> 1.551 ms 1.779 ms 1.976 ms

root@kamet:~> tcptraceroute makalu.akadia.com 22

traceroute to makalu.akadia.com (2a02:121e:58e2::1), 30 hops max, 80 byte packets
1 2a02:121e:58e2::1 (2a02:121e:58e2::1) <syn,ack> 0.620 ms 0.746 ms 0.977 ms

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/05 13:28:25

zahn-martin wrote:
2021/04/05 06:40:56
root@kamet:/var/log> ip -6 ro get 2a02:121e:58e2::1

2a02:121e:58e2::1 via fe80::8e59:c3ff:fed1:398b dev eth0 proto kernel src 2a02:121e:58e2:1:21d:92ff:feb4:7bd4 metric 1024 expires 1796sec mtu 1500 hoplimit 64
I think that this quite clearly shows that machines
makalu (2a02:121e:58e2::1) and kamut (2a02:121e:58e2:1:*:7bd4)
are not "side by side". They are in two separate subnets.

Traffic from kamut to makalu goes first to router (fe80::*:398b).
The router probably has a firewall too.

Are the machines supposed to be in the same subnet? If yes, then at least one of them is misconfigured.
Is the router(s) properly configured to pass traffic between the two subnets?

Is there anything that proofs that when you "successfully" telnet from kamut to makalu, that you actually have connection to makalu and not some other machine?

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/05 14:09:27

Thank you for your valuable reply.

Please note:

root@kamet:/var/log> nmap -6 makalu.akadia.com

Starting Nmap 5.51 ( http://nmap.org ) at 2021-04-05 16:05 MEST
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
5060/tcp open sip

telnet to port 22,53,5060 is however working, to port 25 not (I do not understand this)

root@kamet:/var/log> telnet makalu.akadia.com 53
Trying 2a02:121e:58e2::1...
Connected to makalu.akadia.com.
Escape character is '^]'.
^CConnection closed by foreign host.

root@kamet:/var/log> telnet makalu.akadia.com 25
Trying 2a02:121e:58e2::1...
telnet: connect to address 2a02:121e:58e2::1: Connection refused

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/05 17:16:39

That shows nothing new and tells very little.

You did not answer whether the current network configuration is intentional or a mistake.

Your previous claim that there is no firewall between the machines is has no proof, because traffic uses a gateway.

Post Reply