Check if a Port is Blocked with Netcat / Ncat

If you’re unable to connect to FTP, MySQL, or another service on your server, the port could be blocked by a firewall at any points before the actual software:

• Local workstation
• Local network router
• Virtual private network (VPN) or proxy
• DNS Resolver
• Internet service provider (ISP) (e.g. Verizon)
• Web application firewall (WAF) (e.g. Sucuri)
• Content delivery network (CDN) (e.g. Cloudflare)
• Web server

You can scan server firewall logs for your IP address to troubleshoot the issue. But an easy way to troubleshoot this is by checking if the port is blocked by the server or your network. There are many online tools available for port scanning your web server and local router, including CanYouSeeMe.org and MXtoolbox.com. But you must be careful with these third party tools as there’s no way to know what they’ll do with your activity afterwards.

Instead, we’ll show you how to do this yourself from the command-line interface (CLI).

• Install Netcat/Ncat
• Scan a Single Port with Netcat / Ncat
  • Netcat / Nc
  • Ncat

Install Netcat/Ncat

Linux and macOS users can quickly check if a port is open in the terminal with pre-installed Nc (and Netcat on Linux).

Windows users will need to install Netcat’s successor, Ncat, made by the Nmap project.

Both are good for seeing if a specific port is open on a local network, VPN, or server. Most operating systems can install Ncat alongside Nmap (best for scanning multiple ports) and it’s GUI application Zenmap.

Scan a Single Port with Netcat / Ncat

The basic command format is the program name, domain / server IP / server hostname (temporary URL excluding the username), and port number.

nc domain.com port

netcat domain.com port

ncat domain.com port

We recommend the following parameters when scanning with Netcat, Nc, or Ncat:

• -z – See if the port is open without sending data
• -v – Show verbose information
• -w – Set a timeout between the client and the target node, otherwise Netcat will continue trying until a connection is made or you manually close the attempt (Ctrl + C)

Netcat / Nc

To attempt to connect to port 21 (FTP) on a domain but timeout after 15 seconds if there’s no response:

nc -vzw 15 domain.com 21

netcat -vzw 15 domain.com 21

If successful, you’ll see:

Connection to domain.com 21 port [tcp/ftp] succeeded!

If the port connection is blocked or rejected, you’ll see:

nc: connect to domain port 21 (tcp) failed: Connection refused

If the remote node’s firewall drops the connection request, it may timeout:

nc: connect to domain.com port 21 (tcp) timed out: Operation now in progress

Ncat

The format is the same with Ncat – “ncat,” parameters, the domain / server IP / server hostname (excluding your username), and the port number.

To check if port 22 (SSH) is open on a web server with it’s IP address:

ncat -vz 1.2.3.4 22

Add -w # to specify a timeout (15 seconds in this example):

ncat -vzw 15 1.2.3.4 22

If successful, you’ll see:

Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connected to 1.2.3.4:21.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

If unsuccessful, you’ll see:

Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connection refused.

Learn more about Nc or Ncat with the manual:

man nc

man ncat

Let us know if you have any questions about Netcat or Ncat.