How to Check Linux Firewall/Port Denial Logs: Debugging Connection Refusals (iptables, SELinux, SSH)

When a connection gets blocked in Linux, the logging location depends on which security layer denied it:

# 1. iptables/nftables logging (most common):
/var/log/kern.log
/var/log/syslog
/var/log/messages

# 2. SELinux denials:
/var/log/audit/audit.log

# 3. TCP Wrappers (if used):
/var/log/secure

To log dropped packets on port 21 (FTP) in iptables:

# Add the LOG rule BEFORE the matching DROP rule. LOG is non-terminating, so the
# packet is recorded and then continues to the DROP rule that follows it.
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "IPTABLES PORT 21 DENIED: "
iptables -A INPUT -p tcp --dport 21 -j DROP

# For your custom SSH port (8022):
iptables -A INPUT -p tcp --dport 8022 -j LOG --log-prefix "SSH PORT 8022 DENIED: "
iptables -A INPUT -p tcp --dport 8022 -j DROP

If you change the SSH port, SELinux also needs the new port labelled for sshd:

# Check current port assignments:
semanage port -l | grep ssh

# Add custom SSH port:
semanage port -a -t ssh_port_t -p tcp 8022

# Debug SELinux denials:
grep "avc:.*denied" /var/log/audit/audit.log | audit2why

For your SSH port 8022 issue, verify these:

# 1. Confirm sshd is listening:
ss -tulnp | grep 8022
netstat -tulnp | grep 8022

# 2. Verify sshd config:
grep "Port " /etc/ssh/sshd_config

# 3. Check for TCP Wrappers:
grep "sshd" /etc/hosts.deny

For modern systems using systemd:

journalctl -u sshd --since "1 hour ago" | grep "refused"
journalctl -k --grep="DROP"  # Kernel-level drops

When troubleshooting connectivity issues in Linux, "Connection refused" typically indicates one of three scenarios:

  • The target service isn't running on the specified port
  • A firewall rule (iptables/nftables) is blocking the connection
  • SELinux policies are preventing the connection (for example, sshd is not allowed to bind the port, so nothing is listening)

Note that a firewall DROP rule silently discards the packet, so the client sees a timeout rather than a refusal; an immediate "Connection refused" means a TCP RST came back, either from a REJECT rule or because no service is listening on that port.

For firewall-related denials:

/var/log/kern.log      # Ubuntu/Debian
/var/log/messages     # RHEL/CentOS
/var/log/syslog       # General system logs

For SELinux denials:

/var/log/audit/audit.log

To check active iptables rules:

sudo iptables -L -n -v
sudo iptables -t nat -L -n -v

To monitor firewall drops in real-time:

sudo tail -f /var/log/kern.log | grep DROP

For SELinux troubleshooting:

sudo ausearch -m avc -ts recent  # View recent denials
sudo sealert -a /var/log/audit/audit.log  # Human-readable analysis

When encountering "Connection refused" on a custom SSH port:

  1. Verify SSH is actually listening on the port:
     sudo ss -tulnp | grep 8022
     sudo netstat -tulnp | grep 8022
  2. Check for SELinux context issues:
     sudo semanage port -l | grep ssh
     sudo semanage port -a -t ssh_port_t -p tcp 8022
  3. Inspect packet drops in kernel logs:
     sudo grep -i "DROP.*8022" /var/log/kern.log
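As an added example (not part of the original page), a small Python parser that reads the kern.log lines the LOG rules above produce together with SELinux AVC denials from audit.log, counts blocked connection attempts per log prefix, destination port and source address, and reports which process SELinux stopped from binding which port. The log lines embedded in it are constructed samples; the hostname, addresses and audit ids are made up.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real host). Lines 1-3 follow the
# format the iptables LOG target writes to kern.log, using the --log-prefix values
# from the rules above; line 4 is a SELinux AVC denial as written to
# /var/log/audit/audit.log when sshd binds a port that lacks the ssh_port_t label.
SAMPLE_LOG = """\
Jun 10 12:00:01 web1 kernel: [12345.678901] SSH PORT 8022 DENIED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=8022 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 12:00:02 web1 kernel: [12346.100000] SSH PORT 8022 DENIED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51234 DPT=8022 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 12:00:05 web1 kernel: [12349.000000] IPTABLES PORT 21 DENIED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=99 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
type=AVC msg=audit(1718020805.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=8022 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""
# The --log-prefix is whatever sits between the kernel timestamp and "IN=".
IPT_RE = re.compile(r"kernel: (?:\[[\d.]+\] )?(?P<prefix>.*?)IN=")
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perm>[^}]+?) \} for .*?comm="(?P<comm>[^"]+)"'
                    r'.*?src=(?P<port>\d+).*?tcontext=\S+:(?P<ttype>\w+):s0.*?tclass=(?P<tclass>\w+)')

def parse_iptables_log(line):
    """Return prefix, source, destination port, protocol and SYN flag of one LOG line, or None."""
    m = IPT_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {"prefix": m["prefix"].strip(), "src": fields.get("SRC"), "dpt": fields.get("DPT"),
            "proto": fields.get("PROTO"), "syn": " SYN " in line}  # TCP flags carry no '='

def parse_avc(line):
    """Return the denied permission, process, port and target type of one AVC line, or None."""
    m = AVC_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count blocked connection attempts (SYN only) per prefix/port/source and list AVC denials."""
    attempts, avcs = Counter(), []
    for line in log_text.splitlines():
        ipt = parse_iptables_log(line)
        if ipt and ipt["syn"]:  # one SYN = one connection attempt; retransmits count again
            attempts[(ipt["prefix"], ipt["dpt"], ipt["src"])] += 1
        elif (avc := parse_avc(line)):
            avcs.append(avc)
    return attempts, avcs

if __name__ == "__main__":
    attempts, avcs = summarize(SAMPLE_LOG)
    for (prefix, dpt, src), n in attempts.most_common():
        print(f"{n:3d} x {prefix} dpt={dpt} from {src}")
    for a in avcs:
        print(f"SELinux: {a['comm']} denied {a['perm']} on {a['tclass']} port {a['port']} (labelled {a['ttype']})")
```

Point `summarize()` at the output of `grep -h "DENIED" /var/log/kern.log` plus `grep avc /var/log/audit/audit.log` to get the same summary for a real host.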

For persistent logging of dropped packets, add these iptables rules:

# -I inserts at the top of the chain, so give explicit positions: LOG must sit at
# position 1, ahead of DROP, or the LOG rule is never reached.
sudo iptables -I INPUT 1 -p tcp --dport 8022 -j LOG --log-prefix "IPTABLES-DROP: "
sudo iptables -I INPUT 2 -p tcp --dport 8022 -j DROP

To make these rules persistent:

sudo apt-get install iptables-persistent  # Debian/Ubuntu
sudo service netfilter-persistent save