48

I'm trying to connect to port 25 with netcat from one virtual machine to another, but it's telling me "no route to host" although I can ping. I do have my firewall default policy set to drop, but I have an exception to accept traffic for port 25 on that specific subnet. I can connect from VM 3 to VM 2 on port 25 with nc, but not from VM 2 to VM 3.

Here's a preview of my firewall rules for VM2

screenshot

Here's a preview of my firewall rules for VM 3

screenshot

When I show the listening services I have *:25, which means it's listening on all IPv4 addresses, and :::25 for IPv6 addresses. I don't understand where the error is and why it's not working: both firewall rules accept traffic on port 25, so it's supposed to be connecting. I tried comparing the differences between both to see why I can connect from VM 3 to VM 2, but the configuration is all the same. Any suggestions on what could be the problem?

Update: stopping the iptables service resolves the issue, but I still need those rules to be present.

Pablo A
Katz
    Please, avoid screen shots when possible. Instead, edit your question and copy-paste your terminal text. Thanks. – xhienne Mar 23 '17 at 23:34
  • Pasting the output as a text would be much better (browser search, copy paste, in the end it's text, why to post it as image)? – pevik Jul 24 '23 at 13:20

2 Answers

50

Your "no route to host" while the machine is ping-able is the sign of a firewall that denies you access politely (i.e. with an ICMP message rather than just DROP-ping).

See your REJECT lines? They match the description (REJECT with ICMP xxx). The problem is that those seemingly (#) catch-all REJECT lines are in the middle of your rules, therefore the following rules won't be executed at all. (#) It is difficult to say whether those are actual catch-all lines; the output of iptables -nvL would be preferable.

Put those REJECT rules at the end and everything should work as expected.

Matt
xhienne
0

xhienne's answer is absolutely correct, but even though the reason might be the firewall, in case the issue happens with port 80/tcp, often the reason is the presence of a proxy server. The connection should go through instead (direct connection if https (443/tcp)). Some programs use the $http_proxy environment variable. In some other cases you can just:

http_proxy="http://nameOrIPOfProxy:proxyPort" command

For apt you should set something like

Acquire::http::Proxy "http://nameOrIPOfProxy:proxyPort";
Acquire::https::Proxy "false";

in /etc/apt/apt.conf.d/proxy.conf.

Pablo A