#1 (Just Joined!, joined Sep 2011, Lithuania, 17 posts)

Can access SSH locally but not from the internet


    Hello,

    After troubleshooting for a few hours I give up now and ask for your help.

    I want to access LAN PC (let's call it SSH Server) using SSH from the internet through the firewall. I can't do that. It says "Connection timed out". However I can access SSH server locally with no problems.

    Firewall is Slackware. SSH server is also Slackware. For firewall I use iptables.
    The strange thing is that there is another server in the LAN (let's call it Backup server) which is also running Slackware and I can access it with SSH from the internet without problems even though the configuration of both Backup server and SSH server is identical and Firewall's PREROUTING rules seem to be identical for both LAN servers.

    I will try to give you as much information as I can straightaway. Can you please help me with this?

    First, I don't think this is a routing problem because when I try to log all incoming and outgoing packets in SSH server using:
    Code:
    iptables -A INPUT -j LOG
    iptables -A OUTPUT -j LOG
    ... I see three SSH INPUT requests from my remote machine (that means forwarding should be OK), but no OUTPUT packets at all. It seems like SSH server refuses to answer SSH requests. Note that there are no other iptables rules in SSH server except those two rules with LOG target.

    Firewall iptable rules:
    Code:
    #!/bin/bash
    
    # Flush all rules, and all custom tables
    iptables --flush
    iptables --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    iptables -t mangle --flush
    iptables -t mangle --delete-chain
    
    # Set default policies for all three default chains
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    
    # It's probably safe to let all the output go freely
    iptables -P OUTPUT ACCEPT
    
    # Enable free use of loopback interfaces
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # All TCP sessions should begin with SYN
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    
    # Don't restrict activity from local network
    iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Backup server - WORKS OK
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.16:22
    
    # SSH Server - THIS DOESN'T WORK!
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22298 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.17:22
    
    # NAT to public IP
    # NAT connections from Altas main LAN
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
    # NAT connections from Altas wireless LAN
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
    Firewall ifconfig:
    Code:
    eth0      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:00  
              inet addr:<PUBLIC-IP>  Bcast:***.***.***.***  Mask:255.255.255.0
              inet6 addr: fe80::215:5dff:fe01:c00/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:57311080 errors:0 dropped:32024 overruns:0 frame:0
              TX packets:45788244 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:1074957452 (1025.1 Mb)  TX bytes:4094642512 (3904.9 Mb)
              Interrupt:9 Base address:0xa000 
    
    eth1      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:10.1.1.254  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:46499683 errors:0 dropped:1285 overruns:0 frame:1
              TX packets:50192272 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:67554592 (64.4 Mb)  TX bytes:774704708 (738.8 Mb)
              Interrupt:9 Base address:0xe000 
    
    eth1:2    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0xe000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:68 errors:0 dropped:0 overruns:0 frame:0
              TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:7368 (7.1 Kb)  TX bytes:7368 (7.1 Kb)
    Firewall route -n:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    ***.***.***.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         ***.***.***.1    0.0.0.0         UG    0      0        0 eth0
    0.0.0.0         ***.***.***.1    0.0.0.0         UG    1      0        0 eth0
    SSH server ifconfig:
    Code:
    eth0      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:0F  
              inet addr:10.1.1.17  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::215:5dff:fe01:c0f/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:212908 errors:0 dropped:11 overruns:0 frame:0
              TX packets:263257 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:15572880 (14.8 Mb)  TX bytes:362528007 (345.7 Mb)
              Interrupt:9 Base address:0x6000 
    
    eth0:1    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:0F  
              inet addr:10.1.1.251  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0x6000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:200 (200.0 b)  TX bytes:200 (200.0 b)
    SSH Server route -n:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

#2 Rubberman (Linux Guru, joined Apr 2009, Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away. 11,709 posts)
    Start simple. Are you using a hardware firewall/router, or are you using a Linux system for that purpose? Dumping a lot of data on us is not conducive to getting much help since it is a big PITA to read/analyze it all...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

#3 (Just Joined!, joined Sep 2011, Lithuania, 17 posts)

    Quote Originally Posted by Rubberman:
    Start simple. Are you using a hardware firewall/router, or are you using a Linux system for that purpose? Dumping a lot of data on us is not conducive to getting much help since it is a big PITA to read/analyze it all...
    Sorry for that.

    It's not a hardware router, we use a Linux PC for that.

#4 (Just Joined!, joined Sep 2011, Lithuania, 17 posts)

    Ok, so I've found the problem.
    route -n of SSH server looks like this:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    Here I noticed that the default gateway isn't configured, so the SSH server doesn't even know that the world doesn't end with the firewall.
    Thanks for reading.
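The diagnosis in post #4 (the DNAT target accepts the forwarded SYN but has no route on which to send the SYN-ACK back, so the client only ever sees a timeout) can be checked mechanically before hours of packet logging. The script below is an added example, not code from the thread or from Slackware. It parses the firewall's PREROUTING DNAT rules and each internal host's `route -n` output, both embedded here as constructed samples with documentation-range placeholders for <REMOTE-IP> and <PUBLIC-IP>, and reports for every forwarded port which gateway the internal host would use to answer the remote client. It goes a little beyond the thread's case: rather than only testing for a default route, it does the same longest-prefix match the kernel does, so a host with a specific route back to the client (and no default) also passes.

```python
"""Check that each DNAT target host can route replies back to the remote client.

Added example, not code from the thread. Inputs are constructed samples in the
formats the thread shows: the firewall's iptables PREROUTING rules and the
output of `route -n` on each internal host.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two DNAT rules from the firewall script, with
# documentation-range placeholder addresses standing in for <REMOTE-IP> and <PUBLIC-IP>.
FIREWALL_RULES = """
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -s 203.0.113.5 -d 198.51.100.10 -j DNAT --to-destination 10.1.1.16:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22298 -m state --state NEW -s 203.0.113.5 -d 198.51.100.10 -j DNAT --to-destination 10.1.1.17:22
"""

# Constructed sample: `route -n` on the Backup server, with a default gateway
# pointing at the firewall's LAN address (10.1.1.254 in the thread's ifconfig).
ROUTE_BACKUP = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.1.1.254      0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample: `route -n` on the SSH server as shown in post #4, no default route.
ROUTE_SSH = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

Route = Tuple[ipaddress.IPv4Network, str, str]  # (network, gateway, iface)


def parse_route_n(route_n: str) -> List[Route]:
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes: List[Route] = []
    for line in route_n.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # banner and column-header lines
        net = ipaddress.IPv4Network((f[0], f[2]), strict=False)  # (Destination, Genmask)
        routes.append((net, f[1], f[7]))
    return routes


def route_for(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; None means 'network is unreachable'."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


DNAT_RE = re.compile(
    r"--dport\s+(\d+).*?-s\s+([\d./]+).*?-j\s+DNAT\s+--to-destination\s+([\d.]+)"
)


def dnat_rules(script: str) -> List[Tuple[int, str, str]]:
    """Return (public_port, remote_source, internal_ip) for each DNAT rule in the script."""
    rules = []
    for line in script.splitlines():
        m = DNAT_RE.search(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def check_return_paths(script: str, route_tables: Dict[str, str]) -> Dict[int, Tuple[str, Optional[str]]]:
    """Map each forwarded port to (internal_ip, gateway the host would reply through).

    The gateway is None when the internal host has no route back to the remote
    source: the DNATed SYN still arrives (and shows up in an INPUT LOG rule),
    but the SYN-ACK cannot be sent, so the client sees "Connection timed out".
    """
    result: Dict[int, Tuple[str, Optional[str]]] = {}
    for port, remote, internal in dnat_rules(script):
        remote_ip = remote.split("/")[0]  # -s may carry a /prefix
        table = route_tables.get(internal, "")  # unknown host: treat as no routes
        match = route_for(parse_route_n(table), remote_ip)
        result[port] = (internal, match[1] if match else None)
    return result


if __name__ == "__main__":
    tables = {"10.1.1.16": ROUTE_BACKUP, "10.1.1.17": ROUTE_SSH}
    for port, (host, gw) in check_return_paths(FIREWALL_RULES, tables).items():
        status = f"replies via {gw}" if gw else "NO ROUTE back to client (missing default gateway?)"
        print(f"port {port} -> {host}: {status}")
```

Run against the samples it flags port 22298 (10.1.1.17) as having no return path and shows 22299 (10.1.1.16) replying via 10.1.1.254, which matches the thread: same PREROUTING rule shape, same LOG evidence, and the difference is entirely in the internal host's routing table.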
