  1. #1
    Just Joined! | Join Date: Oct 2008 | Posts: 8

    Yet another port 22 connection refused


    Network scenario:

    I have a static IP on my home network, no ports are blocked by my ISP (I called and asked just to be certain.) Router is a Linksys WRT-54GL that was running Tomato, then I reverted back to the Linksys firmware today for troubleshooting. Port forwarding is set up correctly - I can remotely connect to every port forward I set up on various devices (webcams, router, Ubiquiti network products) except port 22 on two different hosts.

    Problem evolution:

    I have a weather server (FIT-PCslim running Ubuntu) sitting on my lan. When I travel, I ssh into the box to look over the logs, do package updates, etc. For months, I could ssh (PuTTY or using a Linux box) into the FIT from the outside, then all of a sudden I started to get "connection refused."

    As a work-around, I set up Webmin on the FIT so I could do remote management, and that worked out extremely well. It is interesting to note that when I tried to use Webmin's SSH2 utility, that got a refused connection as well.

    Troubleshooting I have done:

    - The firewall is set up to accept all. iptables -L shows policy ACCEPT

    - sshd is running, ssh works fine as long as I'm on my local lan

    - I tried a SheevaPlug (Debian Lenny) to see if I had the same result, and I get the same connection refused with it as well

    - Reverted the router back to the latest Linksys firmware - same result

    - There are absolutely no log entries anywhere in the hosts that indicated a remote login attempt, local logins are reported, so I don't think it is an auth problem

    - The router log doesn't list any incoming connection attempt on port 22

    - I changed port 22 to another port - local ssh worked, remote was still refused

    - I can remotely access port 80, and remotely access port 10000 (Webmin) on each of the two hosts, not port 22

    Over the last three months, I must have spent 20 hours fiddling around and researching the problem. I must be overlooking something critical over and over again; at this point, I am pretty much out of ideas and things to try.

    Thanks -John

  2. #2
    Segfault (Linux Engineer) | Join Date: Jun 2008 | Location: Acadiana | Posts: 878

    Quote Originally Posted by John: ... except port 22 on two different hosts.
    This is kind of unclear.
    You have port 22 forwarded to two different hosts?
    You could forward port 22 to host1 port 22, and port 23 to host2 port 22. This way you could access two different hosts just by choosing the port for the outside connection.

    If this is not what you are looking for please describe your setup in more detail.

  3. #3
    Just Joined! | Join Date: Oct 2008 | Posts: 8

    Sorry I wasn't more specific - I have on my lan:

    Two Toshiba web cams
    A FIT-PC slim host running Ubuntu 9-something
    A SheevaPlug host running Debian Lenny
    A remote power controller to power cycle up to four devices
    A Ubiquiti Bullet
    A Ubiquiti NanoLoco

    Each device or host on the lan has its own 192 address (of course) and in the router I forward specific ports to specific addresses. For troubleshooting I would forward incoming port 22 to either the FIT OR the SheevaPlug, not both at once. I normally do not have the SheevaPlug on the lan, it's there for troubleshooting at the moment.

    I also have an additional ISP running at the place, so I can go out on an entirely different network to come in to my home lan.

    I just looked at TCP wrappers and that is configured to accept anything for any daemon. It is looking like something is stopping the port 22 request before it gets to sshd since there is no log entry on the attempt.


  5. #4
    Kloschüssel (Linux Engineer) | Join Date: Oct 2005 | Location: Italy | Posts: 773

    There are configuration files that block services. Even though I can't remember where they were, nor whether it was the tcpwrappers library, this may be a clue?

    Generally I would nail down the problem by powering off all hosts and reverting the configuration to default (no forwarding). Afterwards power on and configure the forwards for each single device one by one.

    With more than one machine inside a lan that can be accessed, forwards get really confusing. I would consider at this point using one of the servers as a single entry point from which one can "travel" to the others. This makes it much easier to maintain.

  6. #5
    Just Joined! | Join Date: Oct 2008 | Posts: 8

    Quote Originally Posted by Kloschüssel:
    There are configuration files that block services. Even though I can't remember where they were, nor whether it was the tcpwrappers library, this may be a clue?
    With no log entry made in auth on a refused connection attempt, that tells me the service is being blocked somehow.

    As far as I know, the possibilities on the host to block the traffic are - TCP wrappers or the firewall.

    Then the other possibility is a routing problem. I am discounting this since I have no issue forwarding various other ports. My network is a little complicated, so I took the time to make a map so I could keep everything configured properly.

    I think what I might try next is to get my wife's Linux box set up for incoming ssh and see what happens.

    This problem has completely kicked my butt, I have a feeling it is something simple but I must keep overlooking the obvious.

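The TCP wrappers check that posts #3 and #5 put on the suspect list is easy to reason about once the lookup order is written down. The following is an added example, not code from this thread or from the libwrap project: a small Python evaluator of hosts.allow/hosts.deny semantics run over constructed sample files (the addresses and rules are made up, not the poster's configuration). It follows the documented order, hosts.allow first, then hosts.deny, and a client matching neither file is allowed, so two empty files mean "accept anything for any daemon", which is what post #3 reports. It handles ALL, exact IPv4 addresses, trailing-dot prefixes and net/mask patterns; EXCEPT, hostname patterns and IPv6 are left out. One diagnostic caveat worth knowing: a libwrap denial happens after sshd has accepted the TCP connection, so the client sees the session close and sshd logs a "refused connect from" line, whereas a bare "connection refused" with nothing logged on the host means the SYN was answered with a RST before any daemon saw it (no listener on that address and port, or a REJECT-style firewall rule in the path).

```python
import ipaddress

# Constructed sample files for this example (not the poster's real configuration).
SAMPLE_ALLOW = """
# hosts.allow: let the home LAN and loopback reach sshd
sshd: 192.168.1. 127.0.0.1
"""
SAMPLE_DENY = """
# hosts.deny: everything else is refused
ALL: ALL
"""


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, line) tuples.

    Each rule line is 'daemon_list : client_list [: shell_command]'.
    Comments and blank lines are skipped; the optional third field is ignored.
    Lists may be separated by whitespace or commas.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, line))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # '192.168.1.' style prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # 'net/mask' or CIDR form
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip               # exact address


def daemon_matches(pattern, daemon):
    """ALL matches every daemon; otherwise the process name must match exactly."""
    return pattern == "ALL" or pattern == daemon


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Return (allowed, reason) in hosts_access(5) order.

    The first matching rule in hosts.allow grants access, then the first
    matching rule in hosts.deny refuses it; a client matching neither file
    is allowed, so two empty files accept every connection.
    """
    for verdict, name, text in ((True, "hosts.allow", allow_text),
                                (False, "hosts.deny", deny_text)):
        for daemons, clients, line in parse_rules(text):
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, client_ip) for c in clients):
                return verdict, f"{name}: {line}"
    return True, "no matching rule in either file (default allow)"


if __name__ == "__main__":
    # Walk a few constructed cases through the sample files and through
    # two empty files (the "accept anything for any daemon" situation).
    cases = [("sshd", "192.168.1.10"), ("sshd", "203.0.113.5"),
             ("vsftpd", "192.168.1.10")]
    for daemon, ip in cases:
        allowed, why = hosts_access(daemon, ip, SAMPLE_ALLOW, SAMPLE_DENY)
        print(f"{daemon} from {ip}: {'allow' if allowed else 'deny'} ({why})")
    allowed, why = hosts_access("sshd", "203.0.113.5", "", "")
    print(f"sshd from 203.0.113.5 with empty files: "
          f"{'allow' if allowed else 'deny'} ({why})")
```

Running it on a real host means feeding the evaluator the contents of /etc/hosts.allow and /etc/hosts.deny and the client address seen in the logs; if the verdict is "deny", the symptom to expect is a closed session plus a "refused connect" log line, not a silent TCP "connection refused".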
  7. #6
    Kloschüssel (Linux Engineer) | Join Date: Oct 2005 | Location: Italy | Posts: 773

    The obvious could be either:

    * a NAT problem (misconfigured routing) - perfectly
    * a firewall problem (either tcp wrappers or iptables)

    Happy debugging. *ehm* You could simply change the IP of another PC to the non-working one and see if packets come along? At least you could then say that the problem is the server itself.
