I am trying to access one of my host VMs using a browser on a specific port (8200 - duplicati) but it is not working. I have tried using nmap from a remote host (192.168.0.10) to see what ports are open and I get the following output:

# sudo nmap 192.168.0.123
...
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

If I execute the same command on the host in question (192.168.0.123), I get the following output:

$ sudo nmap 192.168.0.123
...
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
8200/tcp open  trivnet1

which shows port 8200 is open. I am not running a firewall on the host. I have duplicati running on another VM that I am able to access via a web browser using port 8200, and if I do the same thing and run nmap remotely and locally, it shows port 8200 open in both cases.

If I run netstat -lntu I see the following entry on both hosts:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN
...

I'm not sure what to look at or try next, so any suggestions would be appreciated.

  • `tcpdump -i any tcp port 8200` on both server and client side, then try to connect. Can you see outgoing SYN packet on client? Can you see it on server side? Is server responding? – dimich Jul 20 '22 at 03:20
  • I tried `tcpdump -i any tcp port 8200` and saw the following on the server and client (timestamp was different of course): `17:38:48.539430 IP 192.168.0.10.65076 > 192.168.0.123.trivnet1: Flags [S], seq 2346701902, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1365869789 ecr 0,sackOK,eol], length 0` – eh2zed Jul 20 '22 at 21:49
  • So SYN packets can reach server but no ACK or RST answered. Double check iptables/nftables rules on server including nat and mangle tables, also routing table. – dimich Jul 20 '22 at 22:19

1 Answer

I double-checked for any firewall rules as suggested and learned that I actually have nftables installed and running. I had already checked for iptables and UFW but neither was in place. As you can easily tell based on the ports open, this is a mail server. It is running on Ubuntu 20.04 and was set up using iRedMail, which I learned uses nftables instead of iptables on Ubuntu.

There are two nftables tables in place, inet filter and inet f2b-table, and I was able to clearly see that port 8200 was not in the list of allowed ports. I was able to easily add port 8200 to the inet filter rules in the /etc/nftables.conf file, but have not figured out how to enable port 8200 in the fail2ban nftables rule set.

I will consider my original question solved and raise a new one specific to the fail2ban nftables rule set.

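Added here as an example, not part of the original answer: a shell script that reads a ruleset dump in the form `nft list ruleset` prints (a constructed sample of the inet filter table stands in for the real host), reports the input chain's default policy, checks whether TCP 8200 is covered by an accept rule, and produces the ruleset with the missing rule inserted. The table and chain names come from the answer; the exact rule layout is an assumption, and nothing here changes the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post: inspect an nftables ruleset dump the
# way the answer describes (is the input chain dropping by default? is TCP 8200 in
# an accept rule?) and print the fixed ruleset with the missing rule inserted.
# Assumptions: one "inet filter" table with an input chain, and rules written in
# the "tcp dport { ... } accept" form. The live firewall is never touched.

# Constructed stand-in for `nft list ruleset` on the host in the question:
# the mail ports are allowed, 8200 is not, and the default policy is drop.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport { 22, 25, 80, 110, 143, 443, 587, 993, 995 } accept
    }
}'

# input_policy RULESET -> prints the default policy of the input chain (drop/accept)
input_policy() {
    printf '%s\n' "$1" |
        sed -n 's/.*type filter hook input .*policy \([a-z]*\);.*/\1/p'
}

# port_allowed RULESET PORT -> succeeds if some "tcp dport ... accept" rule lists PORT
port_allowed() {
    printf '%s\n' "$1" | grep 'tcp dport' | grep 'accept' |
        sed 's/.*tcp dport {\{0,1\}\([^}]*\)}\{0,1\}.*accept.*/\1/' |
        tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# add_port_rule RULESET PORT -> prints RULESET with an accept rule for PORT inserted
# right after the first existing "tcp dport ... accept" rule (same indentation)
add_port_rule() {
    printf '%s\n' "$1" | awk -v port="$2" '
        { print }
        /^ *tcp dport .* accept$/ && !done {
            sub(/tcp dport.*/, "", $0); print $0 "tcp dport " port " accept"; done = 1
        }'
}

# Walk the sample the way the answer did: policy drop plus no 8200 rule means the
# SYN seen in tcpdump is silently discarded, matching the remote nmap result.
echo "input chain policy: $(input_policy "$SAMPLE_RULESET")"
if port_allowed "$SAMPLE_RULESET" 8200; then
    echo "8200 already allowed"
else
    echo "8200 not allowed; rule to add: tcp dport 8200 accept"
    add_port_rule "$SAMPLE_RULESET" 8200
fi
```

To check a real host, replace the sample with the output of `nft list ruleset` run as root; a port that is listening but absent from every accept rule under `policy drop` is exactly the symptom in the question.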