Trying to open port 36141:TCP for PCI Compliance test
I'm trying to have a site host on Red Hat 6.3 PCI compliant through myControlScan. The only failure I have is that port 36141:TCP is being blocked somehow/somewhere, and I do not know where or how to find out. It is blocked from other servers on the network as well as itself. # nc -zv 127.0.0.1 36141 nc: connect to 127.0.0.1 port 36141 (tcp) failed: Connection refused (same result when using nc -zv localhost 36141 as well as the website ip address) 36141:TCP should be open according to iptables. (iptable list shown below) # netstat -lnp | grep 36141 (shows nothing) traceroute gets to myControlScan (207.198.99.3) via default settings, port 80, port 80 TCP, and port 36141, BUT not 36141:TCP. Confused. # traceroute -p 36141 -P TCP 207.198.99.3 traceroute to 207.198.99.3 (207.198.99.3), 30 hops max, 60 byte packets 1 * * * 2 *^C # traceroute -p 36141 207.198.99.3 traceroute to 207.198.99.3 (207.198.99.3), 30 hops max, 60 byte packets 1 67.22.106.161 (67.22.106.161) 0.679 ms 0.734 ms 0.873 ms 2 66.11.145.82 (66.11.145.82) 1.965 ms 1.963 ms 1.936 ms 3 ae1-200.tor10.ip4.gtt.net (77.67.79.185) 1.890 ms 1.867 ms 1.839 ms 4 xe-7-0-1.dal33.ip4.gtt.net (89.149.180.246) 51.948 ms 51.940 ms 51.916 ms 5 peer1-gw.ip4.gtt.net (77.67.71.30) 38.730 ms 38.730 ms 38.701 ms iptable list below: ----------------- # iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:36141 DROP tcp -- 195.190.13.0/24 0.0.0.0/0 tcp DROP tcp -- 91.217.10.0/23 0.0.0.0/0 tcp DROP tcp -- 91.207.8.0/23 0.0.0.0/0 tcp DROP tcp -- 91.207.4.0/22 0.0.0.0/0 tcp DROP tcp -- 91.207.7.21 0.0.0.0/0 tcp ACCEPT all -- 172.16.100.1 0.0.0.0/0 ACCEPT all -- 172.16.101.102 0.0.0.0/0 ACCEPT all -- 172.22.25.53 0.0.0.0/0 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 10.200.139.34 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 10.200.139.35 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 172.16.1.164 0.0.0.0/0 tcp dpt:111 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:36141 Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:36141 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 10.200.139.34 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 10.200.139.35 0.0.0.0/0 tcp dpt:111 ACCEPT tcp -- 172.16.1.164 0.0.0.0/0 tcp dpt:111 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 -------------------------------------------------------------------------- Any thoughts or ideas? Thanks, Tyhr
If a "netstat -nlp" shows nothing on that port, then it seems the issue is that nothing is actually listening on that port. Trying to figure out what might be blocking the port is asking the wrong question - the port may not be blocked at all. But it doesn't look like whatever service you think should be listening on that port is actually doing so. You need to figure out why the service is either not starting up, or not listening on the port you think it's supposed to be on. Check the logs for that service, and turn up the verbosity of its output if necessary (and possible). On 12/02/2015 3:37 PM, Tyhr Trubiak wrote:
I'm trying to have a site host on Red Hat 6.3 PCI compliant through myControlScan.
The only failure I have is that port 36141:TCP is being blocked somehow/somewhere, and I do not know where or how to find out. It is blocked from other servers on the network as well as itself.
# nc -zv 127.0.0.1 36141 nc: connect to 127.0.0.1 port 36141 (tcp) failed: Connection refused (same result when using nc -zv localhost 36141 as well as the website ip address)
36141:TCP should be open according to iptables. (iptable list shown below)
# netstat -lnp | grep 36141 (shows nothing)
traceroute gets to myControlScan (207.198.99.3) via default settings, port 80, port 80 TCP, and port 36141, BUT not 36141:TCP. Confused.
# traceroute -p 36141 -P TCP 207.198.99.3 traceroute to 207.198.99.3 (207.198.99.3), 30 hops max, 60 byte packets 1 * * * 2 *^C
# traceroute -p 36141 207.198.99.3 traceroute to 207.198.99.3 (207.198.99.3), 30 hops max, 60 byte packets 1 67.22.106.161 (67.22.106.161) 0.679 ms 0.734 ms 0.873 ms 2 66.11.145.82 (66.11.145.82) 1.965 ms 1.963 ms 1.936 ms 3 ae1-200.tor10.ip4.gtt.net <http://ae1-200.tor10.ip4.gtt.net> (77.67.79.185) 1.890 ms 1.867 ms 1.839 ms 4 xe-7-0-1.dal33.ip4.gtt.net <http://xe-7-0-1.dal33.ip4.gtt.net> (89.149.180.246) 51.948 ms 51.940 ms 51.916 ms 5 peer1-gw.ip4.gtt.net <http://peer1-gw.ip4.gtt.net> (77.67.71.30) 38.730 ms 38.730 ms 38.701 ms
iptable list below: ----------------- # iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:36141 DROP tcp -- 195.190.13.0/24 <http://195.190.13.0/24> 0.0.0.0/0 <http://0.0.0.0/0> tcp DROP tcp -- 91.217.10.0/23 <http://91.217.10.0/23> 0.0.0.0/0 <http://0.0.0.0/0> tcp DROP tcp -- 91.207.8.0/23 <http://91.207.8.0/23> 0.0.0.0/0 <http://0.0.0.0/0> tcp DROP tcp -- 91.207.4.0/22 <http://91.207.4.0/22> 0.0.0.0/0 <http://0.0.0.0/0> tcp DROP tcp -- 91.207.7.21 0.0.0.0/0 <http://0.0.0.0/0> tcp ACCEPT all -- 172.16.100.1 0.0.0.0/0 <http://0.0.0.0/0> ACCEPT all -- 172.16.101.102 0.0.0.0/0 <http://0.0.0.0/0> ACCEPT all -- 172.22.25.53 0.0.0.0/0 <http://0.0.0.0/0> ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 10.200.139.34 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 10.200.139.35 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 172.16.1.164 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 REJECT tcp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:36141
Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:36141 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 10.200.139.34 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 10.200.139.35 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 ACCEPT tcp -- 172.16.1.164 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 DROP tcp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:111 --------------------------------------------------------------------------
Any thoughts or ideas? Thanks, Tyhr
_______________________________________________ Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
-- Gilles R. Detillieux E-mail: <grdetil@scrc.umanitoba.ca> Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/ Dept. of Physiology and Pathophysiology, Faculty of Health Sciences, Univ. of Manitoba Winnipeg, MB R3E 0J9 (Canada)
participants (2)
-
Gilles Detillieux -
Tyhr Trubiak