Articles

strace Trace Network Syscalls: connect, bind, recv, send (2026)

April 6, 2026 4 min read

connect is failing because the target service isn’t listening on the specified IP address and port, or a firewall is actively blocking the connection.

Here are the common culprits and how to diagnose them:

1. Service Not Running or Listening: The most frequent reason connect fails is that the server process simply isn’t active or isn’t bound to the IP/port you’re trying to reach.

  • Diagnosis: On the server, run ss -tulnp | grep :<port> (replace <port> with the port number). For example, ss -tulnp | grep :8080.
  • Fix: Start or restart the service. Ensure its configuration correctly specifies the listening address (e.g., 0.0.0.0:<port> for all interfaces, or a specific IP like 192.168.1.10:<port>).
  • Why it works: ss shows which ports are in a listening state. If your service isn’t in the output, it’s not ready to accept connections. Binding to 0.0.0.0 makes it listen on all available network interfaces.

2. Incorrect IP Address or Port: You’re trying to connect to the wrong place. This can happen if the server’s IP changed, or if you mistyped the port number in your client configuration.

  • Diagnosis: Verify the server’s actual IP address (ip addr show) and confirm the port it’s configured to listen on. Double-check your client’s configuration for the correct destination IP and port.
  • Fix: Update your client’s configuration with the correct IP address and port.
  • Why it works: connect requires a valid socket address (IP and port) to establish a connection. If either is wrong, the attempt will fail.

3. Firewall Blocking: A host-based firewall (like iptables or firewalld on Linux) or a network firewall is preventing traffic from reaching the server’s port.

  • Diagnosis:
    • On the server, check iptables -L -n -v or firewall-cmd --list-all. Look for rules that might DROP or REJECT traffic on the target port.
    • From the client, try telnet <server_ip> <port> or nc -zv <server_ip> <port>. If these also fail, it strongly suggests a network or host firewall issue.
  • Fix: Add an ACCEPT rule to the firewall. For iptables: iptables -A INPUT -p tcp --dport <port> -j ACCEPT. For firewalld: firewall-cmd --zone=public --add-port=<port>/tcp --permanent followed by firewall-cmd --reload.
  • Why it works: Firewalls act as gatekeepers. Explicitly allowing TCP traffic on the specific port on the server’s firewall ensures that packets aren’t dropped before they reach the listening service.

4. Network Address Translation (NAT) Issues: If the server is behind a NAT device (like a home router or a corporate firewall performing NAT), the port forwarding might not be configured correctly, or the NAT device itself might be blocking the traffic.

  • Diagnosis: Ensure port forwarding is correctly set up on the NAT device, mapping the external IP/port to the internal IP/port of the server. Test connectivity from an external network if possible.
  • Fix: Configure or correct the port forwarding rules on the NAT device.
  • Why it works: NAT devices translate private IP addresses to public ones. For incoming connections, port forwarding tells the NAT device which internal machine should receive traffic destined for a specific external port.

5. TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny): Older systems or specific configurations might use TCP wrappers to control access to services.

  • Diagnosis: Check the contents of /etc/hosts.allow and /etc/hosts.deny on the server. Look for entries related to the service you’re trying to connect to.
  • Fix: Add an entry to /etc/hosts.allow permitting the client’s IP address or network for the specific service (e.g., sshd: 192.168.1.5 or ALL: 192.168.1.0/24). Ensure /etc/hosts.deny doesn’t have a blanket DENY that overrides it.
  • Why it works: TCP wrappers provide an additional layer of access control before the application even receives the connection attempt.

6. SELinux or AppArmor Restrictions: Mandatory Access Control systems like SELinux or AppArmor can prevent processes from binding to certain ports or performing network operations, even if firewall rules permit it.

  • Diagnosis: Check SELinux status with sestatus and audit logs (/var/log/audit/audit.log) for AVC denials. For AppArmor, check aa-status and system logs (/var/log/syslog or journalctl).
  • Fix: Temporarily set SELinux to permissive mode (setenforce 0) to test. If it works, you’ll need to create specific SELinux policies or use semanage port -a -t <port_type> -p tcp <port> to allow the service to bind to the port. For AppArmor, adjust the profile in /etc/apparmor.d/.
  • Why it works: SELinux/AppArmor confines processes to specific actions. If the service’s policy doesn’t allow network operations on the configured port, the kernel will block it.

After fixing these, the next error you’ll likely encounter is a Connection refused if the service is running but not listening on that specific IP address (e.g., listening on 127.0.0.1 but you’re trying to connect via its public IP), or a timeout if packets are being dropped somewhere further down the network path.

More Deep Dives in Strace

Want structured learning?

Take the full Strace course →