#1, 05-02-2012, Just Joined! (Join Date: Sep 2011; Location: Lithuania; Posts: 17)
Can access SSH locally but not from the internet
Hello,
After troubleshooting for a few hours I give up now and ask for your help.
I want to access a LAN PC (let's call it the SSH Server) using SSH from the internet through the firewall. I can't do that: it says "Connection timed out". However, I can access the SSH server locally with no problems.
The firewall is Slackware. The SSH server is also Slackware. For the firewall I use iptables.
The strange thing is that there is another server in the LAN (let's call it the Backup server) which is also running Slackware, and I can access it with SSH from the internet without problems, even though the configuration of both the Backup server and the SSH server is identical and the Firewall's PREROUTING rules seem to be identical for both LAN servers.
I will try to give you as much information as I can straightaway. Can you please help me with this?
First, I don't think this is a routing problem, because when I try to log all incoming and outgoing packets on the SSH server using:
Code:
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
I see three SSH INPUT requests from my remote machine (that means forwarding should be OK), but no OUTPUT packets at all. It seems like the SSH server refuses to answer the SSH requests. Note that there are no other iptables rules on the SSH server except those two rules with the LOG target.
Firewall iptables rules:
Code:
#!/bin/bash
# Flush all rules, and all custom tables
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -t mangle --flush
iptables -t mangle --delete-chain

# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
# It's probably safe to let all the output go freely
iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Don't restrict activity from local network
iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT

# Allow SSH
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Backup server - WORKS OK
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.16:22
# SSH Server - THIS DOESN'T WORK!
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22298 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.17:22

# NAT to public IP
# NAT connections from Altas main LAN
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
# NAT connections from Altas wireless LAN
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
Firewall ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:00
          inet addr:<PUBLIC-IP>  Bcast:***.***.***.***  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe01:c00/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57311080 errors:0 dropped:32024 overruns:0 frame:0
          TX packets:45788244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1074957452 (1025.1 Mb)  TX bytes:4094642512 (3904.9 Mb)
          Interrupt:9 Base address:0xa000

eth1      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03
          inet addr:10.1.1.254  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46499683 errors:0 dropped:1285 overruns:0 frame:1
          TX packets:50192272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67554592 (64.4 Mb)  TX bytes:774704708 (738.8 Mb)
          Interrupt:9 Base address:0xe000

eth1:2    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:68 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7368 (7.1 Kb)  TX bytes:7368 (7.1 Kb)
Firewall route -n:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
***.***.***.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         ***.***.***.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         ***.***.***.1   0.0.0.0         UG    1      0        0 eth0
SSH server ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:0F
          inet addr:10.1.1.17  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe01:c0f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:212908 errors:0 dropped:11 overruns:0 frame:0
          TX packets:263257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15572880 (14.8 Mb)  TX bytes:362528007 (345.7 Mb)
          Interrupt:9 Base address:0x6000

eth0:1    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:0F
          inet addr:10.1.1.251  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:200 (200.0 b)  TX bytes:200 (200.0 b)
SSH Server route -n:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
#2, 05-04-2012, Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away.; Posts: 10,160)
Start simple. Are you using a hardware firewall/router, or are you using a Linux system for that purpose? Dumping a lot of data on us is not conducive to getting much help since it is a big PITA to read/analyze it all...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
#3, 05-04-2012, Just Joined! (Join Date: Sep 2011; Location: Lithuania; Posts: 17)
#4, 05-04-2012, Just Joined! (Join Date: Sep 2011; Location: Lithuania; Posts: 17)
OK, so I've found the problem.

route -n of the SSH server looks like this:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
Here I noticed that the default gateway isn't configured, so the SSH server doesn't even know that the world doesn't end with the firewall.

Thanks for reading.
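As an added example that is not part of this thread, here is a POSIX sh script that automates the check the thread ends on: it pulls every DNAT target out of the firewall's nat table and confirms that each target host actually has a default route. A host without one can still receive the forwarded SYN, but it has no route on which to send the SYN-ACK back to a non-LAN address, which is exactly the "INPUT logged, no OUTPUT" pattern from the first post. The nat dump and the two route -n outputs are constructed samples: 203.0.113.5 and 198.51.100.7 are placeholder addresses standing in for <REMOTE-IP> and <PUBLIC-IP>, and 10.1.1.254 is assumed as the LAN default gateway from the firewall's eth1 address above. On real hosts, feed it `iptables-save -t nat` from the firewall and `route -n` from each DNAT target (the parser expects route -n's column layout, not `ip route`).

```shell
#!/bin/sh
# Added example (not from the thread): list DNAT targets from a nat-table dump
# and check that each target host has a default route. All inputs below are
# constructed samples with placeholder addresses.

# Constructed `iptables-save -t nat` output. 203.0.113.5 / 198.51.100.7 stand
# in for <REMOTE-IP> / <PUBLIC-IP>.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -s 203.0.113.5/32 -d 198.51.100.7/32 -j DNAT --to-destination 10.1.1.16:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22298 -m state --state NEW -s 203.0.113.5/32 -d 198.51.100.7/32 -j DNAT --to-destination 10.1.1.17:22
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 198.51.100.7
COMMIT'

# Constructed `route -n` from the working Backup server: it has a default route
# via the firewall's LAN address (10.1.1.254 is an assumption).
ROUTE_BACKUP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.1.1.254      0.0.0.0         UG    0      0        0 eth0'

# Constructed `route -n` from the broken SSH server: LAN and loopback only.
ROUTE_SSH='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

# Read a nat-table dump on stdin; print one "host:port" per DNAT rule.
dnat_targets() {
    awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") print $(i + 1)
    }'
}

# Read `route -n` output on stdin; print the gateway of the default route
# (destination 0.0.0.0, genmask 0.0.0.0, G flag set), or nothing if absent.
default_gateway() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# check_target TARGET ROUTE_OUTPUT
# Verdict on stdout; exit status 0 when the host can reply to off-LAN clients,
# 1 when it cannot.
check_target() {
    target=$1
    routes=$2
    gw=$(printf '%s\n' "$routes" | default_gateway)
    if [ -n "$gw" ]; then
        echo "$target: OK, default route via $gw, replies to forwarded clients can leave the LAN"
        return 0
    fi
    echo "$target: BROKEN, no default route; forwarded SYN is received but the SYN-ACK to a non-LAN address has nowhere to go"
    return 1
}

# Demo on the constructed samples. The script cannot know which route dump
# belongs to which DNAT target, so the pairing is done by hand here.
main() {
    echo "DNAT targets in the nat table:"
    printf '%s\n' "$SAMPLE_NAT" | dnat_targets
    check_target 10.1.1.16:22 "$ROUTE_BACKUP"
    check_target 10.1.1.17:22 "$ROUTE_SSH" || true
}
main
```

In practice you collect `route -n` from each target over the LAN-side SSH session that still works, and the fix for a BROKEN verdict is to add the missing default route on that host (for a Slackware box the usual form is `route add default gw <firewall LAN IP>`, made persistent in the network configuration; the gateway address is whatever the firewall's inside interface is, 10.1.1.254 in this thread).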