How to Check if a Port is Blocked with Netcat / Ncat

If you’re unable to connect to FTP, MySQL, or another service on your server, the port could be blocked by a firewall at many points before the actual software:

You can search the server's firewall logs for your IP address to troubleshoot the issue, but an easier way is to check whether the port is blocked by the server or by your network. Many online tools can port scan your web server and local router, including CanYouSeeMe.org and MXtoolbox.com. Be careful with these third-party tools, though, as there's no way to know what they'll do with your activity afterwards.

Linux and macOS users can quickly check if a port is open in the terminal with pre-installed Nc (and Netcat on Linux).

Windows users will need to install Netcat’s successor, Ncat, made by the Nmap project.

Both are good for seeing if a specific port is open on a local network, VPN, or server. Most OSs can install Ncat alongside Nmap (best for scanning multiple ports) or its GUI application Zenmap.

Below we cover how to check if a port is blocked with Netcat and Ncat.

Scan a Single Port with Netcat / Ncat

The basic command format is the program name, domain / server IP / server hostname (part of your temporary URL), and port number.

nc domain.com port
netcat domain.com port
ncat domain.com port

We recommend the following parameters when scanning with Netcat, Nc, or Ncat:

  • -z – See if the port is open without sending data
  • -v – Show verbose information
  • -w – Set a timeout between the client and the target node, otherwise Netcat will continue trying until a connection is made or you manually close the attempt (Ctrl + C)

Netcat / Nc

To attempt to connect to port 21 (FTP) on a domain but time out after 15 seconds if there's no response:

nc -vzw 15 domain.com 21
netcat -vzw 15 domain.com 21

If successful, you’ll see:

Connection to domain.com 21 port [tcp/ftp] succeeded!

If the port connection is blocked or rejected, you’ll see:

nc: connect to domain.com port 21 (tcp) failed: Connection refused

If the remote node's firewall drops the connection request, it may time out:

nc: connect to domain.com port 21 (tcp) timed out: Operation now in progress

Ncat

The format is the same with Ncat – ncat, parameters, the domain / server IP / server hostname (part of your temporary URL), and the port number.

To check if port 22 (SSH) is open on a web server with its IP address:

ncat -vz 1.2.3.4 22

Add -w # to specify a timeout (15 in this example):

ncat -vzw 15 1.2.3.4 22

If successful, you’ll see:

Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connected to 1.2.3.4:22.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

If unsuccessful, you’ll see:

Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connection refused.
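
The three outcomes above (connected, refused, timed out) can be told apart in a script. The following is an added example, not part of the original article: the function names classify_nc_output, classify_nc_run and check_port and the state labels are assumptions made here, and the matched strings are the ones quoted in this article, so other Netcat builds may word them differently.

```shell
#!/bin/sh
# Added example (not from the original article): classify nc / ncat -vz output.

# Map one output line to a state, using the messages quoted in the article.
classify_nc_output() {
  case "$1" in
    *succeeded*|*"Connected to"*) echo "open" ;;      # handshake completed
    *"Connection refused"*)       echo "refused" ;;   # blocked or rejected
    *"timed out"*)                echo "timed_out" ;; # no reply, request dropped
    *)                            echo "unknown" ;;   # banner or unrecognised text
  esac
}

# Reduce a whole run to one state. Ncat prints a version banner and a byte
# count around the decisive line; those classify as "unknown" and are skipped.
# The body is a subshell, so its variables stay local in plain POSIX sh.
classify_nc_run() (
  result="unknown"
  while IFS= read -r line; do
    state=$(classify_nc_output "$line")
    if [ "$state" != "unknown" ]; then result=$state; fi
  done <<EOF
$1
EOF
  echo "$result"
)

# check_port HOST PORT [TIMEOUT_SECONDS]: run the article's nc -vzw command
# (15 second default, as in the article) and print "host:port state".
check_port() (
  timeout=${3:-15}
  # nc exits non-zero on refused/timed out; keep going so the text is classified.
  out=$(nc -vzw "$timeout" "$1" "$2" 2>&1) || true
  printf '%s:%s %s\n' "$1" "$2" "$(classify_nc_run "$out")"
)

# Only touch the network when given arguments: sh portcheck.sh domain.com 21 15
if [ "$#" -ge 2 ]; then check_port "$@"; fi
```

A result of timed_out from one network and open from another points to a firewall between you and the server rather than to the service itself.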

Learn more about Nc or Ncat with the manual:

man nc
man ncat
