Fedora-36: PORT-FORWARDING to a HOST fails when requests originate from that HOST (works from everywhere else)

Ask Fedora
,
1

Hello Friends:

The following had no issues when running atop Fedora-33. It began after an upgrade to Fedora-36. Perhaps there was a networking change (I haven’t kept track lately).

I have two Linux computers running Fedora-36, as follows:

  • 192.168.0.16host01 (Open ports: 22, 443)
  • 192.168.0.31host02

On my ISP ROUTER, I PORT-FORWARD requests to port 22 & 443 to host01.

Here is my issue issue:

From within host02, there are no access issues:

user@host02$ nc -vz MY-ISP-WAN-IP 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected / succeeded to MY-ISP-WAN-IP:443.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

user@host02$ nc -vz MY-ISP-WAN-IP 22
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected / succeeded to MY-ISP-WAN-IP:22.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

But from within host01, itself the destination of the PORT-FORWARDS, it gets stuck:

user@host01$ nc -vz MY-ISP-WAN-IP 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: TIMEOUT.

user@host01$ nc -vz MY-ISP-WAN-IP 22
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: TIMEOUT.

The same succeeds when specifying it’s own name host01:

root@host01# nc -vz host01 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected / succeeded to 192.168.0.16:443.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.

root@host01# nc -vz host01 22
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected / succeeded to 192.168.0.16:22.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.

Additional information that may be helpful:

user@host01$ sudo ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether aa:bb:cc:dd:ee:ff  txqueuelen 1000  (Ethernet)
        RX packets 261  bytes 22155 (21.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84  bytes 10593 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xfb100000-fb120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lxcbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.16  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 ****::****:***:****:****  prefixlen 64  scopeid 0x20<link>
        ether aa:bb:cc:dd:ee:ff  txqueuelen 1000  (Ethernet)
        RX packets 261  bytes 17457 (17.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88  bytes 11397 (11.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

user@host01$ sudo brctl show
bridge name    bridge id        STP enabled    interfaces
lxcbr0        8000.aabbccddeeff    no        eth0

So PORT-FORWARD requests succeed in getting to the destination Host & Ports, except when the requests originate from that destination Host itself.

Again, on Fedora-33 this worked well. It may have to do with source and destination IPs and/or MACs being the same, but I don’t want to steer anyone’s thoughts necessarily in any direction. Just mentioning it.

Any ideas? Thank you!

2

Maybe try using tcpdump on host 1 and see what exactly is happening.
sudo tcpdump > file.txt
Don’t let that run very long since it may create a large file in a short time.

While it is running try the connection you are asking about and the dump should quickly give you the actual communications that are occurring.

Man tcpdump to see what that does and what options are available.

1 Like
3

Thank you Jeff. I used to know tcpdump and ethtool like the back of my hand (I mean the filters, etc, everything). But I forgot all of that. I might have to do that. And yes, you’re right… the files get large quickly. Thank you brother.