Running an up-to-date installation of Kubuntu 21.10.

If I run any network service on the machine, I'm unable to reach it from anywhere else on my network. The error is always "Host unreachable". A tcpdump scan reveals the SYN packet does reach the host, but an ICMP "admin-prohibited" packet is immediately sent back. The packet never even reaches iptables (verified by adding a rule that would match a connection, and it's counter never increases)

nmap is also unable to detect the port as open, however its scan does show up in the counter. nmap interprets the port as filtered because the prohibited packet is ICMP; no response to the SYN packet is sent.

Here is the tcpdump output (scanner is 192.168.1.3, host with services is 192.168.1.183), on the host machine with a service actively listening on port 8000, that appears when another machine tries to connect:

Here is what happens when nmap scans:

iptables is completely clear, ACCEPT policy on all default chains, no rules whatsoever on filter. nat and mangle.

Services can be accessed locally using localhost or the machine's IP on the machine itself. The only issue is trying to access from the network.

I do have Docker on the machine, but for trying to figure this out, I disabled Docker and removed all of its iptables rules and chains. Docker services are able to be reached from the network.

The machine also has VirtualBox installed, if that's relevant, but at the time of testing no VirtualBox machines were running.

Also of important note is that the SSH server running on the host can be reached successfully - this is the only service that is reachable, regardless of what else is running:

Is there perhaps a kernel setting somewhere that is causing this to occur?

Thanks for any help!

Hi fmillion,

What does your routing table show? I would assume your machines are connected through a simple switch - since they are on the same subnet?

Best

I think it is possible Kubuntu 21.10 is using nftables, looking things up someone had a similar problem and it was because nftables was being used with no rules being displayed by iptables.(https://unix.stackexchange.com/quest...being-rejected)

Best

That was it! Based on that post, executing

worked and now I can connect to services running on the machine.

I'll have to read up more on nftables at some point, but it's kinda confusing that iptables is "blind" to it, and since iptables is kernel-level you think it'd have the highest priority.

Reply to an old post.

I had the same problem with vsftpd on Fedora 36. The 'systemctl disable firewalld' solved the problem. Thanks.

The proper way to handle that is to configure the firewalld service.
This will open the FW on TCP/22 for all addresses.
For individual addresses, rich-rules can be used.
https://access.redhat.com/documentat...anguage_syntax