Check tcp connections and firewall rules across networks using nc

by | Aug 5, 2020 | howto

Larger companies have a big network with different network segments. Often they have active components like routers and firewalls inside the network to avoid bad traffic and unauthorized connections. If you now like to implement a new (open source) software, which needs a connection to another server, you have to ensure that the connection is possible. You have two options for solving this problem. We’ll look into both of them.

The first solution would be to ask the guys from the network team, if the connection is possible. For single connections this solution should be ok, but what about more than one connection? The network guys would have to spent a lot of time on checking your requirements.

The better way is to check it by yourself using netcat (nc). This way you can be sure that everything is fine or, if it is not, involve the network team to fix the issue by implementing a firewall rule for example.

It’s very easy to check whether a connection is possible by using nc on two Linux boxes. Assuming we have two linux boxes – box1 and box2 – located in different networks in different data centers. Now, you would like to know whether a tcp connection from box1 to box2 is possible by using port 2000.

First, check whether nc is installed on both boxes. If you have verified this, you can configure nc to listen on port 2000 on box2 which acts as target for box1.

box2:# nc -l -p 2000 -k

This command means that nc will listen for incoming connections on port 2000 on all interfaces.

Now you can check if connections are possible from box1 to box2 by using nc on box1 as follows:

box1:# echo "Connection from box1 to box2 is possible" | nc <name-or-ip-of-box2> 2000

To verify if connections are made, take a look into the console on box2, it should display the message you send from box1:

Connection from box1 to box2 is possible

If you can read the message which you sent from box1, you know the connections are possible. Close the connection via ctrl+c on the sending side, namely box1.

Useful options for nc are:

  • -l, listen mode
  • -p, source port
  • -k, stay listening for another connection

The -k option is very useful for checking if connections are possible from many sources to one dedicated target like:

  • box1 -> box2
  • box3 -> box2
  • box4 -> box2
  • box5 -> box2
  • box6 -> box2

If you don’t use the -k option in this scenario, you should execute the nc command every time you try to test a connection.

In a nutshell

When you have to ensure that a connection between two or more servers is possible, please first check at your end before you involve the guys from the network team. Using netcat (nc) for this purpose is a quick and handy way to check this scenario at your end before involving other teams.

Tim Schmeling
Tim has been at B1 since 2017 and runs a large cloud for an international company with his team. When he's not in the clouds or with customers, he works on high availability, clustering and SAP HANA. He also passes on his knowledge as a trainer.