Ubuntu: Pre-Validate Network ACL and Firewall Connectivity with Netcat

Although virtualization has pushed a self-service culture for infrastructure, it is still common in production environments to need your Network Operations team to open the ports required for a new application deployment.

So, while you may be able to create the base virtualized host, you can't go much further without the network connectivity.  And there is nothing worse than finding out halfway through your full stack deployment that the errors you keep hitting are caused by a stray port that was never opened.

I would suggest pre-validating all the TCP and UDP ports you expect to be open before you deploy anything.  This can be done simply by using netcat on both sides of the communication: a listener on the server and a client on the host that needs to reach it.

Note that the netcat-openbsd package found on Ubuntu (/bin/nc) intentionally omits the -c and -e options, which would execute a command on connection, for security reasons.  Everything below works without them.

Validating TCP

Set up a simple TCP listener on the server on port 17123 (-l listen, -v verbose):

root@myserver# nc -vl 17123
Listening on [0.0.0.0] (family 0, port 17123)

From the client, attempt a TCP connection to port 17123 on the server.  -z connects and disconnects without sending data, and -w 3 gives up after three seconds so a silently dropped packet shows up as a timeout rather than a hang.  Add -n only when you pass an IP address, because it disables name resolution and fails on a hostname:

root@myclient# nc -vz -w 3 myserver 17123
Connection to myserver 17123 port [tcp/*] succeeded!

You will notice that this TCP listener accepts a single connection and then exits.  If you want a listener that accepts multiple client connections in turn, either add -k (keep listening after each connection closes) or wrap it in a loop from bash:

root@myserver# while true; do nc -vl 17123; done

If this basic connectivity fails, look at what the server's firewall is enforcing (ufw status verbose) and allow just the port you need rather than disabling the firewall.  Turning ufw off entirely (ufw disable) is acceptable as a short test on a host that is not yet serving anything, but re-enable it as soon as the test is done:

root@myserver# ufw allow 17123/tcp

Validating UDP

Set up a simple UDP listener on the server on port 17123 (-u selects UDP):

root@myserver# nc -vul 17123
Listening on [0.0.0.0] (family 0, port 17123)

From the client, send a UDP probe to port 17123 on the server (-n is fine here because an IP address is given):

root@myclient# nc -vnuz 192.168.2.31 17123
Connection to 192.168.2.31 17123 port [udp/*] succeeded!

Treat that "succeeded!" with suspicion.  UDP has no handshake, so nc can only report failure when an ICMP port unreachable comes back; a firewall that silently drops the datagram produces exactly the same "succeeded!" as an open port.  The positive proof is on the server side: run the client without -z, type a line of text, and confirm it appears on the listener's terminal.

If the text never arrives on the server, allow the UDP port on the server's firewall (the same caution about disabling ufw applies):

root@myserver# ufw allow 17123/udp

Note that this UDP listener binds to the first client that sends it a datagram and from then on talks only to that peer.  It does not exit on its own and has to be killed with CTRL-C, but datagrams from any other client are ignored.  If you want a listener that answers multiple UDP clients, use a utility like socat.

Scan Ports

To scan a range of UDP ports (remember that any UDP port which does not answer with an ICMP unreachable is reported as succeeded, so this reliably finds closed ports, not open ones):

nc -vzu myserver 17120-17130

To scan a range of TCP ports, with a per-port timeout so filtered ports do not stall the scan:

nc -vz -w 3 myserver 17120-17130

Use -n only with a numeric address; it suppresses DNS lookups and will fail on a hostname.
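As an added example (not code from the original post), here is a small Python pre-flight checker that does what the nc -z probes above do, but for a whole manifest of expected ports at once, and that reports why a check failed: a TCP connection refused means the host was reached and either nothing is listening or a REJECT rule answered, while a timeout means a DROP rule or ACL swallowed the packet.  For UDP it makes the weakness of nc's "succeeded!" explicit: the only definitive answer is closed (an ICMP port unreachable came back), and silence is reported as open|filtered.  The manifest format, the host names and the port numbers are assumptions; the throwaway listeners it binds on 127.0.0.1 stand in for the nc -l and nc -ul commands so that the script runs offline.

```python
import socket
from dataclasses import dataclass

# Added example, not code from the original post. It reproduces what "nc -z"
# (TCP) and "nc -zu" (UDP) test for, but reports more than succeeded/failed so
# that a refused connection (host reached; nothing listening or a REJECT rule)
# is told apart from silence (a DROP rule or an ACL). Manifest format,
# hostnames and ports are hypothetical.

@dataclass(frozen=True)
class PortCheck:
    host: str
    proto: str  # "tcp" or "udp"
    port: int

def check_tcp(host, port, timeout=2.0):
    """'open' on a completed handshake, 'closed' on RST, 'filtered' on silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"  # e.g. no route to host, name not resolvable
    finally:
        s.close()

def check_udp(host, port, timeout=2.0, probe=b"\x00"):
    """Send one datagram and wait for an ICMP port-unreachable to surface.
    Only 'closed' is definitive: silence is either a listener that did not
    answer or a firewall dropping the probe, the case "nc -zu" calls succeeded."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(probe)
        s.recv(1)
        return "open"  # something actually answered
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "open|filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def parse_manifest(text):
    """Lines of 'host proto port' or 'host proto lo-hi' (inclusive range);
    '#' starts a comment. Returns a list of PortCheck."""
    checks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, proto, ports = line.split()
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in manifest line {raw!r}")
        lo, _, hi = ports.partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            checks.append(PortCheck(host, proto, p))
    return checks

def validate(checks, timeout=2.0):
    """Run every check; returns {PortCheck: outcome}."""
    return {c: (check_tcp if c.proto == "tcp" else check_udp)(c.host, c.port, timeout)
            for c in checks}

def local_listener(proto):
    """Throwaway 127.0.0.1 listener (TCP backlog, or a UDP socket that never
    replies) standing in for 'nc -l' / 'nc -ul' so the example runs offline."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    if proto == "tcp":
        s.listen(1)
    return s

if __name__ == "__main__":
    tcp_srv, udp_srv = local_listener("tcp"), local_listener("udp")
    spare = local_listener("tcp")  # bind-and-close to find a port nobody is on
    free_port = spare.getsockname()[1]
    spare.close()
    # Constructed manifest: two live listeners plus one port with nothing on it.
    manifest = f"""
    127.0.0.1 tcp {tcp_srv.getsockname()[1]}   # live listener: open
    127.0.0.1 udp {udp_srv.getsockname()[1]}   # never replies: open|filtered
    127.0.0.1 tcp {free_port}                  # nothing there: closed
    """
    for check, outcome in validate(parse_manifest(manifest), timeout=1.0).items():
        print(f"{check.proto}/{check.port:<6} {outcome}")
    tcp_srv.close()
    udp_srv.close()
```

To use it against a real server, replace 127.0.0.1 in the manifest with the server's address and keep the nc -vul listener from above running on the server while the UDP checks run: a datagram showing up there is the proof that open|filtered cannot give you, and a TCP result of filtered rather than closed tells you to go back to the firewall or ACL rather than to the application.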


REFERENCES

https://www.digitalocean.com/community/tutorials/how-to-use-netcat-to-establish-and-test-tcp-and-udp-connections-on-a-vps

https://gist.github.com/benhosmer/2429640

http://stackoverflow.com/questions/16640054/minimal-web-server-using-netcat

http://superuser.com/questions/331582/netcat-socat-behavior-with-piping-and-udp

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server