Socket connection fail

Hello you all,

I am facing a problem using a socket connection on my Legato distribution running on an FX30. I connected it over the Ethernet interface eth0; it gets an IP address correctly and I configured the DNS server, so using the ping command I can reach all the addresses I tried.

The problem is that I can’t establish a socket connection to a server on port 80; I tried it using the telnet command and using a python script.

I checked the iptables rules but I couldn’t figure out what is blocking the connection; it is like some rule is blocking the answer from the server.

Could someone help me to fix this problem?

Thanks in advance

Gustavo

Hi,

Did you capture a Wireshark log with the “tcpdump” command?
Maybe you can see some clue in it.

Hi Gustavo,

It can be useful to log dropped traffic, in order to identify the traffic blocked by the firewall. This can be done by appending these lines to the rules.v* files:
-N LOGGING
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP

You should also check if your Linux kernel configuration is including this:
CONFIG_ANDROID_PARANOID_NETWORK=y

Regards.

Hi flu,

When I added these lines to the rules.v4 file the eth0 Ethernet interface stops working; I remove them and it works again. Have you faced this problem?

Thanks

Gustavo

Hi,

I captured it; the command I was using to test is the following:

root@fx30:~# wget --spider google.com
Connecting to google.com (172.217.30.110:80)

The tcpdump result is this:

root@fx30:~# tcpdump -i eth0 host google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:28:07.797220 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 49928 ecr 0,nop,wscale 5], length 0
00:28:07.809184 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496000 ecr 49928,nop,wscale 8], length 0
00:28:08.109291 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496300 ecr 49928,nop,wscale 8], length 0
00:28:08.793192 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50028 ecr 0,nop,wscale 5], length 0
00:28:08.805156 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496998 ecr 49928,nop,wscale 8], length 0
00:28:10.793253 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50228 ecr 0,nop,wscale 5], length 0
00:28:10.805278 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796498998 ecr 49928,nop,wscale 8], length 0
00:28:10.818493 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796499010 ecr 49928,nop,wscale 8], length 0
00:28:14.803263 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50629 ecr 0,nop,wscale 5], length 0
00:28:14.815197 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796503008 ecr 49928,nop,wscale 8], length 0
00:28:18.815624 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796507007 ecr 49928,nop,wscale 8], length 0
00:28:22.833295 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 51432 ecr 0,nop,wscale 5], length 0
00:28:22.846572 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796511039 ecr 49928,nop,wscale 8], length 0
00:28:30.845626 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796519038 ecr 49928,nop,wscale 8], length 0
00:28:46.845076 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796535038 ecr 49928,nop,wscale 8], length 0

It looks like the data is getting out and getting in, but the connection is not established. Do you have any idea, looking at this data, what is blocking the communication?

Thank you so much!

Gustavo

Hi,
Can you capture the Wireshark log with the following command and attach it here?
“tcpdump -s0 -i eth0 -w /tmp/test.pcap”

Hi,

Sure, it is attached!

Thank you

BR

Gustavo

test.pcap (47.6 KB)

test.pcap (16.8 KB)

This is the Wireshark log I captured for rmnet0:
tcpdump -s0 -i rmnet0 -w /tmp/test.pcap
wget --spider google.com

In packet 7, there is an acknowledgement sent back to the google server.
However, in your Wireshark log I don’t see such a packet sent from the module.

Does this problem only happen on eth0? How about rmnet0?
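
The observation in the reply above (SYN-ACKs keep arriving on eth0, but the module never answers with the third ACK of the handshake) can be automated over tcpdump's text output. The script below is an added example, not code from the thread or from Legato: the capture lines are an abridged copy of the ones posted above, the handshake to 192.0.2.10 is constructed for contrast, and the verdict names are this example's own.

```python
"""Flag TCP handshakes that never complete in tcpdump text output.
Added example, not code from the thread: it automates the observation in the
reply above (SYN-ACKs arrive, but the module never sends the third ACK)."""
import re
from collections import defaultdict

# Abridged copy of the capture posted above, plus one constructed healthy
# handshake to 192.0.2.10 (a TEST-NET address) for contrast.
SAMPLE = """\
00:28:07.797220 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 49928 ecr 0,nop,wscale 5], length 0
00:28:07.809184 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496000 ecr 49928,nop,wscale 8], length 0
00:28:08.109291 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496300 ecr 49928,nop,wscale 8], length 0
00:28:08.793192 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50028 ecr 0,nop,wscale 5], length 0
00:28:08.805156 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496998 ecr 49928,nop,wscale 8], length 0
00:30:00.000000 IP 192.168.0.38.41022 > 192.0.2.10.http: Flags [S], seq 1, win 29200, length 0
00:30:00.012000 IP 192.0.2.10.http > 192.168.0.38.41022: Flags [S.], seq 100, ack 2, win 42408, length 0
00:30:00.012500 IP 192.168.0.38.41022 > 192.0.2.10.http: Flags [.], ack 101, win 913, length 0
"""

# "<ts> IP <host>.<port> > <host>.<port>: Flags [<flags>], ..." as tcpdump prints it
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>.+?)\.(?P<sport>\w+) > (?P<dst>.+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def analyze(text):
    """Count handshake segments per flow, keyed (client, server) by who sent the SYN."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"
        flags = m["flags"]
        if "R" in flags:                                  # reset from either side
            flows[(src, dst) if (src, dst) in flows else (dst, src)]["rst"] += 1
        elif "S" in flags and "." not in flags:           # SYN: src is the client
            flows[(src, dst)]["syn"] += 1
        elif "S" in flags:                                # SYN-ACK: src is the server
            flows[(dst, src)]["synack"] += 1
        elif "." in flags and (src, dst) in flows:        # ACK-bearing segment from the client
            flows[(src, dst)]["ack"] += 1
    return dict(flows)


def diagnose(flows):
    """Attach a verdict to each flow; LOCAL_DROP is the pattern seen in this thread."""
    report = {}
    for (client, server), c in flows.items():
        if c["rst"]:
            verdict = "RESET"
        elif c["ack"]:
            verdict = "OK"                                # three-way handshake completed
        elif c["synack"]:
            # The reply reached the interface, yet no ACK ever left the host:
            # the SYN-ACK was discarded locally before TCP saw it.
            verdict = "LOCAL_DROP"
        else:
            verdict = "NO_SYNACK"                         # nothing came back at all
        report[f"{client} -> {server}"] = dict(c, verdict=verdict,
                                                synack_retransmits=max(c["synack"] - 1, 0))
    return report


if __name__ == "__main__":
    for flow, r in diagnose(analyze(SAMPLE)).items():
        print(f"{r['verdict']:10} {flow}  syn={r['syn']} synack={r['synack']} ack={r['ack']}")
```

tcpdump taps the interface before netfilter's INPUT chain runs, so a flow reported as LOCAL_DROP means the SYN-ACK did reach the host and was discarded on the host itself, which is where a stateless per-interface DROP rule sits; NO_SYNACK points the other way, at the remote side or the path. On a live box, `tcpdump -n -i eth0 'tcp port 80' | python3 this_script.py` style piping is the natural use, with `analyze()` fed from stdin instead of SAMPLE.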

rmnet0 is not being used in my module; it is not listed in the ifconfig output.

My iptables.rules file content is as follows:

# Generated by iptables-save v1.4.21 on Thu Nov 10 19:02:24 2016
*filter
:INPUT ACCEPT [80:17812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:22530]
-A INPUT -i rmnet0 -p icmp -m icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -j DROP
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
# Completed on Thu Nov 10 19:02:24 2016

And the iptables -L command returns the following:

root@fx30:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Do you think it can be some rule blocking?

Thank you!

BR

Gustavo

Hi,

This is the information from my WP8:


root@swi-mdm9x15:/# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21
*filter
:INPUT ACCEPT [65:13163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:3656]
# The following line disables ssh over all interfaces other than usb0.
# To enable ssh on a different interface, replace 'usb0' with other
# interface's name, e.g.:
# -A INPUT ! -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT ! -i usb0 -p tcp -m tcp --dport 22 -j DROP
COMMIT
root@swi-mdm9x15:/#

root@swi-mdm9x15:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Hi Gustavo,

This is due to this line;
-A LOGGING -j DROP

Some traffic over ethX is probably dropped.
It is recommended to look at the LOGGING traces output on the UART, to find which protocols/ports must be enabled on a network interface…

KR.

Hello,

The problem was solved; the following line was missing in the iptables.rules file:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thank you guys!

BR

Gustavo
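
To see why the rules posted above drop google's reply, why the LOGGING lines suggested earlier took eth0 down, and why the line reported missing has to sit before the interface DROP, here is an added example (not Legato, FX30 or iptables code) with a small Python model of the filter table. The packet dictionaries and their field names are this example's own assumptions, and it models only the matchers and targets that appear in this thread.

```python
"""Small model of the iptables filter table, used to replay this thread's rules against
the packets in the capture.  Added example, not Legato/FX30 code; it knows only the
matchers and targets that appear in the thread."""
import shlex

FX30_RULES = """\
# iptables.rules as posted by Gustavo
*filter
:INPUT ACCEPT [80:17812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:22530]
-A INPUT -i rmnet0 -p icmp -m icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -j DROP
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
"""
STATEFUL_ACCEPT = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"  # the missing line
LOGGING_RULES = """\
# flu's logging suggestion, as posted
-N LOGGING
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
"""
# Packets from the capture (field names are this example's own).  Conntrack saw the
# outgoing SYN, so it classes google's SYN-ACK reply as ESTABLISHED before TCP sees it.
SYNACK_IN = {"in": "eth0", "proto": "tcp", "sport": "80", "dport": "41021", "state": "ESTABLISHED"}
SYN_OUT = {"out": "eth0", "proto": "tcp", "sport": "41021", "dport": "80", "state": "NEW"}
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "--sport": "sport", "--dport": "dport", "--state": "state", "--icmp-type": "icmp_type"}


def parse_rules(text):
    """Parse iptables-save text into ({chain: [rule, ...]}, {builtin: policy})."""
    chains, policies = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                                # ":INPUT ACCEPT [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":                               # "-N chain": chain exists on first -A
            continue
        rule, neg, i = {"match": {}, "neg": set(), "target": None}, False, 2
        while i < len(toks):
            if toks[i] == "!":
                neg, i = True, i + 1
                continue
            if toks[i] == "-j":
                rule["target"] = toks[i + 1]
            elif toks[i] in KEYS:                         # -m, --limit, --log-* are ignored
                rule["match"][KEYS[toks[i]]] = toks[i + 1]
                if neg:
                    rule["neg"].add(KEYS[toks[i]])
            neg, i = False, i + 2                         # every option takes one argument
        chains.setdefault(toks[1], []).append(rule)
    return chains, policies


def matches(rule, pkt):
    for key, want in rule["match"].items():
        if key == "state":
            hit = pkt.get("state") in want.split(",")     # "--state ESTABLISHED,RELATED"
        else:
            hit = pkt.get(key) == want
        if hit == (key in rule["neg"]):                   # '!' inverts the test
            return False
    return True


def evaluate(ruleset, chain, pkt):
    """Walk a chain like the kernel: first terminating target wins, else the policy."""
    chains, policies = ruleset
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                              # jump into a user-defined chain
            verdict = evaluate(ruleset, target, pkt)
            if verdict is not None:
                return verdict
        # LOG (and any other non-terminating target) falls through to the next rule
    return policies.get(chain)                            # None when a user chain runs out


def verdict_for(rules_text, chain, pkt):
    return evaluate(parse_rules(rules_text), chain, pkt)
```

Replaying the four variants gives: DROP for google's SYN-ACK with the rules as posted (it reaches `-A INPUT -i eth0 -j DROP` because only sport 53 is whitelisted); ACCEPT once `STATEFUL_ACCEPT` is inserted before that DROP line; still DROP if the same rule is merely appended after it, since the first terminating match wins; and DROP for the outgoing SYN as soon as the LOGGING chain is hooked into OUTPUT, because LOG is non-terminating and the chain's last rule drops everything that reaches it, which is what made eth0 look dead. Conntrack classes the very first reply packet as ESTABLISHED, so the single stateful rule covers the DNS replies too without opening any inbound port.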

It does not work for me. When I connect the Ethernet cable and try to ping a server I get the message “Network is unreachable”.

The FX30 iptables file is located at:
/etc/iptables.rules

Not

/etc/iptables/rules.v4

The rule mentioned above is purposely not added to the FX30 firewall in order to ship the device highly secure. It’s up to the user to open the firewall as needed.

BR,
Chris