How do I get netcat to accept connections from outside the LAN?

3

41

I'm using netcat as a backend to shovel data back and forth for a program I'm making. I tested my program on the local network, and once it worked I thought it would be a matter of simply forwarding a port from my router to have my program work over the internet. Alas! This seems not to be the case.

If I start netcat listening on port 6666 with:

nc -vv -l -p 6666,

then go to 127.0.0.1:6666 in a browser, as expected I see an HTTP GET request come through netcat (and my browser sits waiting in vain). If I go to my.external.ip.address:6666, however, nothing comes through at all and the browser displays 'could not connect to my.external.ip.address:6666'.

I know that the port is correctly forwarded, as www.canyouseeme.org says port 6666 is open (and when netcat is not listening, that it's closed).

If I run netcat with -g my.adslmodem's.local.address to set the gateway address, I get the same behavior. Am I using this command line option correctly? Any insight as to what I'm doing wrong?

Gallbladder answered 31/3, 2010 at 11:43 Comment(0)
24

Turns out there is no problem. It only appears that way because my router doesn't allow hairpin connections. That is, even though I've got it set up correctly, the router wouldn't make the connection when both source and destination are behind the NAT. Simply ncat -l -p 6666 works fine, so long as the request comes from outside the LAN. To test this I browsed to my.external.ip.address:6666 with my 3G mobile phone and sure enough, an HTTP request came through :)

This answer came from: a serverfault question, which is where I should have asked this question in the first place. Apologies for that.

Gallbladder answered 31/3, 2010 at 12:29 Comment(2)
Hah. No worries. I asked a similar question on SF and they thought it was too newbish. I couldn't tell what a "hairpin" connection was (and people kept referencing "hairpin NAT" and telling me to RTFM) until I just read this answer. Thanks. – Accessible
It worked for me too. I didn't use 0.0.0.0. As you said, only port on target machine. Thanks! – Lorilee
43

You must listen on the public interface. You're currently listening on localhost where no one outside of your computer can connect.

Your mileage may vary, but with my implementation of netcat I have to use this command line to listen on all the public interfaces.

netcat -vv -l 0.0.0.0 6666

Ineffectual answered 31/3, 2010 at 11:48 Comment(3)
Thanks for your answer. I don't think that's the case, as netcat happily receives connections from other computers on my network. Also when it starts it displays "listening on [any] 6666 ...". I tried your suggestion (with "-p" before the port, else it picks a random port) and got "0.0.0.0: inverse host lookup failed: Unknown host" :( – Gallbladder
Works on Cygwin too (nc) – Caddis
Great :) Works for me – Fourgon
14

To specify a listening address:

nc -l -s <LISTENING_IP_ADDR> -p <LISTENING_PORT>

Tested on a Debian Jessie with netcat-traditional-1.10-41

Truehearted answered 5/7, 2016 at 6:49 Comment(3)
It's not possible to use both -l and -s together. – Violist
@benedikt: some nc versions can, some cannot. nc.traditional on Debian can: nc -l -s 192.168.18.100 -p 6666. Instead, /bin/nc.openbsd on Ubuntu cannot: nc -l -s 192.168.244.163 -p 6666 nc: cannot use -s and -l – Truehearted
Thanks for the clarification – Violist
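
The two answers about the listening address (0.0.0.0 versus a specific -s address) can be checked without any nc variant. The following is an added example, not code from any of the posts above: it binds a TCP listener first to the wildcard address and then to one specific address, and reports which local addresses can reach it. The function names are hypothetical, and it assumes Linux, where every 127.0.0.0/8 address is local, so 127.0.0.1 and 127.0.0.2 stand in for two interfaces of one host.

```python
import socket


def listen(bind_addr):
    """Open a TCP listener on bind_addr with an OS-chosen port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(8)  # the kernel completes handshakes even though we never accept()
    return srv, srv.getsockname()[1]


def can_connect(dest_addr, port, timeout=2.0):
    """Return True if a TCP handshake to dest_addr:port completes."""
    try:
        with socket.create_connection((dest_addr, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused or timed out: nothing is listening on that address.
        return False


def reachability(bind_addr, dest_addrs):
    """Bind a listener to bind_addr and report which destination addresses reach it."""
    srv, port = listen(bind_addr)
    try:
        return {dest: can_connect(dest, port) for dest in dest_addrs}
    finally:
        srv.close()


# Constructed stand-ins for two interfaces on one host (assumption: Linux loopback).
ADDRS = ["127.0.0.1", "127.0.0.2"]

if __name__ == "__main__":
    # Wildcard bind: reachable on every local address.
    print("0.0.0.0  ", reachability("0.0.0.0", ADDRS))
    # Specific bind: reachable only on the address that was bound.
    print("127.0.0.1", reachability("127.0.0.1", ADDRS))
```

In nc terms, the wildcard case corresponds to the "listening on [any] 6666" listener from the question, and the specific case to nc -l -s <LISTENING_IP_ADDR> -p <LISTENING_PORT> on versions that accept -s with -l. Binding to one address keeps the listener off every other interface of the host.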