  1. #1
    Just Joined!
    Join Date
    Jun 2005
    Posts
    23

    ssh: no route to host


    I'm running FC4 (2.6.11-1.1369) on both the local host and the remote host, and both are on the same network (192.168.0.xxx). The two hosts can ping each other, but when I attempt to ssh from one host to the other I get the following error:

    Code:
    ssh: connect to host 192.168.0.2 port 22: No route to host
    I checked that the sshd is running on the remote host I'm attempting to ssh to:

    Code:
    [tnguy@localhost ~]$ /etc/rc.d/init.d/sshd status
    sshd (pid 2462) is running...
    I also checked the settings of my router and it is not set up to block any services nor to do any port forwarding.

    I have my firewall turned on, however. Here is my iptables:

    Code:
    [root@localhost ~]# iptables -L
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere
    
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt-- anywhere anywhere
    ACCEPT ipv6-auth-- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
    ACCEPT udp -- anywhere anywhere udp dpt:ipp
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
    [root@localhost ~]#
    I don't want to turn off my firewall unless I absolutely have to. If anyone can point out which rule(s) in my iptables are causing the problem and how to modify those rules to allow ssh (without compromising the rest of the system security), I would appreciate that.

  2. #2
    Linux Engineer
    Join Date
    Apr 2005
    Location
    Buenos Aires, Argentina
    Posts
    908
    Can you ssh to localhost on 192.168.0.2?
    serzsite.com.ar
    "All the drugs in this world won't save you from yourself"

  3. #3
    Just Joined!
    Join Date
    Jun 2005
    Posts
    4
    My iptables:

    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh


    I think that you should open the ssh-port for incoming connections (modify your firewall settings and securelinux settings). You can use x-tools for this. Good luck!

  4. #4
    Just Joined!
    Join Date
    Jun 2005
    Posts
    23
    I posted on another Linux site and a user helped me solve my problem by using the /usr/bin/system-config-securitylevel tool to configure my firewall. (Under gnome, run Desktop->System Settings->Security Level. On the Firewall Options tab, check the SSH box in the "Trusted Services" window.)

    However, I have another related question. Here is my new iptables after enabling ssh service:

    Code:
    [root@localhost ~]# iptables -L -v --line-numbers
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
    6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    9        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
    The only difference between this new iptables and the old one is the addition of one new rule in the RH-Firewall-1-INPUT chain:

    Code:
    8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    Now, I can understand why this new rule is needed, because rule #1 and rule #7 in the RH-Firewall-1-INPUT chain do not apply: they accept only packets coming in on the loopback interface and packets belonging to an existing connection, respectively.

    However, what I don't understand is that I've been browsing and purchasing stuff on the Internet and there are no rules for accepting new incoming HTTP and HTTPS packets !?

    As a demonstration, I use the system-config-securitylevel tool to enable HTTP and HTTPS services in the firewall and my new iptables is:

    Code:
    [root@localhost ~]# iptables -L -v --line-numbers
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
    6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    9        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    10       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    11       0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
    As you can see, two new rules, rule#8 and rule#9 were added for HTTPS and HTTP service, respectively.

    Now, why was I able to use the HTTP and HTTPS services without rules #8 and #9, while I couldn't use the SSH service without rule #10?

    Thanks for any help in expanding my limited Linux networking knowledge.
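The thread ends without an answer to the last question, so here is an added worked example (editor's code, not anything posted in the thread) that models the RH-Firewall-1-INPUT chain shown above together with connection tracking. It shows why each outcome happened: a ping is accepted by rule #2; an inbound SSH SYN is NEW, matches nothing until the final REJECT rule, and `reject-with icmp-host-prohibited` is exactly what the client reports as "No route to host"; and browsing works with no http/https rule because the OUTPUT chain policy is ACCEPT, the outbound SYN is recorded by conntrack, and the server's replies then match rule #7 (RELATED,ESTABLISHED). Rules #8/#9 for http and https would only matter if this host were running a web server. The `ssh_src` parameter is an assumption of the model: it stands in for the `-s` source match, to show that the rule system-config-securitylevel adds (`dpt:ssh` from anywhere) can be tightened to the LAN. The client address 192.168.0.3 and the web server 198.51.100.10 are constructed sample values; the destination-address match of rule #5 (224.0.0.251) is omitted for brevity.

```python
"""Model of the FC4 RH-Firewall-1-INPUT chain with connection tracking.

Added example: a small stateful-firewall simulator, not the kernel's
netfilter code. It reproduces the rule order from the thread so the
verdict and the 1-based rule number that decided it can be checked offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOST = "192.168.0.2"      # the sshd host from the thread
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = "eth0"   # input interface; "lo" for loopback


@dataclass(frozen=True)
class Rule:
    target: str           # "ACCEPT" or "REJECT"
    proto: str = "all"
    iface: str = "any"
    src: str = ANY        # assumed: models an iptables -s source match
    dport: int = 0        # 0 = any port
    states: frozenset = frozenset()   # empty = no conntrack state match

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.iface != "any" and self.iface != pkt.iface:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport and self.dport != pkt.dport:
            return False
        if self.states and state not in self.states:
            return False
        return True


class Conntrack:
    """Flows keyed by 5-tuple; a packet whose reverse tuple is known is ESTABLISHED."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def state(self, pkt: Packet) -> str:
        if self._key(pkt) in self.flows or self._reverse(pkt) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def record(self, pkt: Packet) -> None:
        self.flows.add(self._key(pkt))


def rh_firewall_chain(ssh_src: Optional[str] = None) -> list:
    """Rules 1-7 are the FC4 defaults from the thread. ssh_src=None leaves SSH
    closed; ANY is what system-config-securitylevel adds; "192.168.0.0/24" is
    the LAN-only variant (constructed here, not in the thread)."""
    chain = [
        Rule("ACCEPT", iface="lo"),                                    # 1
        Rule("ACCEPT", proto="icmp"),                                  # 2
        Rule("ACCEPT", proto="ipv6-crypt"),                            # 3
        Rule("ACCEPT", proto="ipv6-auth"),                             # 4
        Rule("ACCEPT", proto="udp", dport=5353),                       # 5 mDNS
        Rule("ACCEPT", proto="udp", dport=631),                        # 6 ipp
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),  # 7
    ]
    if ssh_src is not None:
        chain.append(Rule("ACCEPT", proto="tcp", dport=22, src=ssh_src,
                          states=frozenset({"NEW"})))                  # 8 (when present)
    chain.append(Rule("REJECT"))   # reject-with icmp-host-prohibited -> "No route to host"
    return chain


def input_verdict(chain, ct: Conntrack, pkt: Packet):
    """First matching rule wins, as in iptables. Returns (target, rule number)."""
    state = ct.state(pkt)
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt, state):
            if rule.target == "ACCEPT":
                ct.record(pkt)       # an accepted NEW packet creates the flow
            return rule.target, num
    return "ACCEPT", 0               # chain policy; unreachable with REJECT last


def inbound_ssh(ssh_src: Optional[str] = None, client: str = "192.168.0.3"):
    """A fresh TCP SYN to port 22 from another host on the LAN (constructed)."""
    syn = Packet("tcp", client, HOST, sport=40000, dport=22)
    return input_verdict(rh_firewall_chain(ssh_src), Conntrack(), syn)


def outbound_https_reply():
    """Browsing: OUTPUT policy ACCEPT lets our SYN out, conntrack records it,
    and the web server's SYN-ACK is ESTABLISHED for rule 7 even with no https rule."""
    ct = Conntrack()
    ct.record(Packet("tcp", HOST, "198.51.100.10", sport=50000, dport=443))
    reply = Packet("tcp", "198.51.100.10", HOST, sport=443, dport=50000)
    return input_verdict(rh_firewall_chain(), ct, reply)


def inbound_ping():
    """Echo request from the LAN: accepted by the unconditional icmp rule."""
    return input_verdict(rh_firewall_chain(), Conntrack(),
                         Packet("icmp", "192.168.0.3", HOST))


if __name__ == "__main__":
    print("ping            ->", inbound_ping())
    print("ssh, no rule    ->", inbound_ssh())
    print("ssh, rule added ->", inbound_ssh(ANY))
    print("ssh, LAN only, from 10.0.0.5 ->", inbound_ssh("192.168.0.0/24", "10.0.0.5"))
    print("https reply     ->", outbound_https_reply())
```

The real equivalent of the LAN-only variant is an `-s` match on the SSH rule, e.g. `iptables -I RH-Firewall-1-INPUT 8 -s 192.168.0.0/24 -p tcp -m state --state NEW --dport 22 -j ACCEPT`, inserted before the REJECT rule so that it is reached; the rule system-config-securitylevel writes has no source restriction, so port 22 is reachable from every interface and address. Note that rules added by hand with `iptables -I` are lost the next time the tool rewrites /etc/sysconfig/iptables, so the tightened rule belongs in that file (or in a script run after it) if it is to survive a reboot.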
