telnet: connect to address IPV6 Connection refused

Issues related to configuring your network
zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Post by zahn-martin » 2021/04/02 10:55:25

I have a server and a client both on centos 7.8.

Server: makalu.akadia.com with Postfix and IPv6 address: 2a02:121e:58e2::1
Client: kamet.akadia.com

If I telnet on the server to makalu.akadia.com everything is OK.

root@makalu: telnet makalu.akadia.com 25

Trying 2a02:121e:58e2::1...
Connected to makalu.akadia.com.
Escape character is '^]'.
220 makalu.akadia.com ESMTP Postfix

nmap show open ports:

root@makalu:/var/log> nmap -6 makalu.akadia.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-02 12:44 MEST
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.000019s latency).
rDNS record for 2a02:121e:58e2::1: chogolisa
Not shown: 995 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
143/tcp open imap
587/tcp open submission
993/tcp open imaps

Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds

Everything is OK.

Now the same thing from the client:

root@kamet:/etc> telnet makalu.akadia.com 25

Trying 2a02:121e:58e2::1...
telnet: connect to address 2a02:121e:58e2::1: Connection refused

not OK.

nmap shows port 25 as closed

root@kamet:~> nmap -6 -p 25 makalu.akadia.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-02 12:48 MEST
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.00076s latency).
PORT STATE SERVICE
25/tcp closed smtp
MAC Address: 8C:59:C3:D1:39:8A (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

With a closed port 25 it is of course impossible to connect.

I googled many, many articles about this and I found no solution.

So the question is: why is port 25 open on the server (as it should be) and closed on the client (which I do not understand at all)?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/02 11:52:26

zahn-martin wrote: 2021/04/02 10:55:25
I have a server and a client both on centos 7.8.

I hope that you mean: "I have installed CentOS 7.8 and applied yum update regularly, so in practice I have up to date (7.9)"
because the other meaning: "I still have old 7.8 packages even though they have many known security holes"
is not sane nor safe. Please, update.

Are you using 'telnet' just to probe ports? I have not used/had it for years. Ancient, deprecated, insecure.

A thing with firewall is that "Who is asking?" can make a difference.

The default in CentOS 7 is to configure firewall with FirewallD.
If you use it, then the first question is:

$ sudo firewall-cmd --get-active-zones

For each active zone-name one can:

$ sudo firewall-cmd --zone=zone-name --list-all

However, whether FirewallD is used or not, the actual firewall rules are in the netfilter of the kernel.
They can be shown in iptables syntax:

$ sudo iptables -S
$ sudo iptables -t nat -S
$ sudo iptables -t mangle -S

If you trace the rules, then you should notice that when 'makalu' connects to 'makalu' the traffic is via the 'loopback' interface that accepts everything. All is "open".
External connection attempts are handled by rules of some "zone" and they most likely reject. Show "closed".

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/02 12:54:42

Actually there is no firewall between the two hosts - this is a testing environment, that's why I use telnet - just for testing IPV6.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: telnet: connect to address IPV6 Connection refused

Post by jlehtone » 2021/04/02 13:51:00

The 'makalu' has nothing in iptables -S, etc. output?

There is still the difference that 'makalu' and 'kamet' might resolve name "makalu" to address or route differently, because it is localhost for one of them.

Who does listen to the port? On which interfaces?

[makalu]$ sudo ss -tulpn | cat
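
The listener question in the post above, worked through as an added example (not part of the original thread): it reads `ss -tulpn` output and reports, per address family, whether the port is bound to loopback, to every address, or to one specific address. The function names `listeners` and `accepts_on`, the sample output and the address 2001:db8::1 are constructed for illustration and are not taken from the hosts in this thread.

```shell
# Constructed sample (not from the hosts in this thread): a mail daemon
# bound to every IPv4 address but only to loopback on IPv6.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:53          *:*     users:(("named",pid=900,fd=512))
tcp   LISTEN 0      100    *:25          *:*     users:(("master",pid=1200,fd=13))
tcp   LISTEN 0      100    ::1:25        :::*    users:(("master",pid=1200,fd=14))
tcp   LISTEN 0      128    [::]:22       [::]:*  users:(("sshd",pid=800,fd=4))'

# listeners PORT: print "family scope address" for each TCP listener on PORT.
# Assumes the column layout of `ss -tulpn` (local address in field 5).
listeners() {
  awk -v port="$1" '
    $1 == "tcp" && $2 == "LISTEN" {
      la = $5
      n = match(la, /:[0-9]+$/)            # the port follows the last colon
      if (!n || substr(la, n + 1) != port) next
      addr = substr(la, 1, n - 1)
      sub(/%.*$/, "", addr)                # drop a %interface suffix
      gsub(/^\[|\]$/, "", addr)            # newer ss prints [addr]:port
      if (addr == "*" || addr == "0.0.0.0") { fam = "ipv4"; scope = "any" }
      else if (addr == "::")                { fam = "ipv6"; scope = "any" }
      else if (addr == "::1")               { fam = "ipv6"; scope = "loopback" }
      else if (addr ~ /^127\./)             { fam = "ipv4"; scope = "loopback" }
      else if (addr ~ /:/)                  { fam = "ipv6"; scope = "address" }
      else                                  { fam = "ipv4"; scope = "address" }
      print fam, scope, addr
    }'
}

# accepts_on PORT ADDR: succeed if a TCP connect to the IPv6 address ADDR on
# PORT would find a listener (wildcard bind, or a bind to exactly ADDR as
# ss prints it). Reads the same ss output on stdin.
accepts_on() {
  listeners "$1" | awk -v want="$2" '
    $1 == "ipv6" && ($2 == "any" || $3 == want) { ok = 1 }
    END { exit !ok }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | listeners 25
printf '%s\n' "$SAMPLE_SS" | accepts_on 25 2001:db8::1 ||
  echo "port 25: no listener for 2001:db8::1, the kernel answers with RST (refused/closed)"
```

On a live host the input would be `sudo ss -tulpn | listeners 25`; with no matching listener and no firewall, the kernel resets the connection, which telnet reports as "Connection refused" and nmap as "closed".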

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: telnet: connect to address IPV6 Connection refused

Post by TrevorH » 2021/04/02 13:58:15

Since this is ipv6, you need to use ip6tables not iptables to see the relevant rules.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/02 14:05:45

iptables -S on makalu - no firewall for testing!

The ultimate question is why nmap shows different things on the server and on the client.

On makalu (IPV6 Server):

nmap -6 -p 25 makalu.akadia.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-02 16:01 MEST
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.000043s latency).
rDNS record for 2a02:121e:58e2::1: chogolisa
PORT STATE SERVICE
25/tcp open smtp <========================================= !!!!!!

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

On kamet (IPV6 client)

nmap -6 -p 25 makalu.akadia.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-02 16:00 MEST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ND Ping Scan
ND Ping Scan Timing: About 100.00% done; ETC: 16:00 (0:00:00 remaining)
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.00083s latency).
PORT STATE SERVICE
25/tcp closed smtp <============================================= !!!!
MAC Address: 8C:59:C3:D1:39:8A (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

If kamet also uses: 25/tcp open smtp then everything is ok and telnet works, the problem is only the closed state in nmap.

Again: NO firewall between the two hosts, both machines are IPV6 enabled.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: telnet: connect to address IPV6 Connection refused

Post by TrevorH » 2021/04/02 14:36:11

If you run nmap on the server against its own external ip address then the kernel knows it is local and bypasses the firewall rules.

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/02 15:46:47

I do not understand - I use no firewall.

iptables -L -n is empty on the server.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: telnet: connect to address IPV6 Connection refused

Post by TrevorH » 2021/04/02 16:17:50

Again, iptables is for ipv4 and only shows you rules for ipv4. You need to use ip6tables to see ipv6 rules.

zahn-martin
Posts: 35
Joined: 2020/05/05 19:44:15

Re: telnet: connect to address IPV6 Connection refused

Post by zahn-martin » 2021/04/02 16:41:28

Thank you Trevor for your explanation. Here is the output of ip6tables:

root@makalu:> ip6tables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I think no firewall rules, so I do not understand:

root@kamet:/etc> nmap -6 -p 25 makalu.akadia.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-02 18:38 MEST
Nmap scan report for makalu.akadia.com (2a02:121e:58e2::1)
Host is up (0.00074s latency).
PORT STATE SERVICE
25/tcp closed smtp <========================================== !!!
MAC Address: 8C:59:C3:D1:39:8A (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
