ssh: no route to host

**thanhvn** · 06-28-2005

I'm running FC4 (2.6.11-1.1369) on both the local host and the remote host, and both are on the same network (192.168.0.xxx). The two hosts can ping each other but when I attempt to ssh from one host to the other I got the following error:

Code:

ssh&#58; connect to host 192.168.0.2 port 22&#58; No route to host

I checked that the sshd is running on the remote host I'm attempting to ssh to:

Code:

&#91;tnguy@localhost ~&#93;$ /etc/rc.d/init.d/sshd status
sshd &#40;pid 2462&#41; is running...

I also checked the settings of my router and it is not set up to block any services nor to do any port forwarding.

I have my firewall turned on, however. Here is my iptables:

Code:

&#91;root@localhost ~&#93;# iptables -L
Chain FORWARD &#40;policy ACCEPT&#41;
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT &#40;policy ACCEPT&#41;
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT &#40;policy ACCEPT&#41;
target prot opt source destination

Chain RH-Firewall-1-INPUT &#40;2 references&#41;
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt&#58;5353
ACCEPT udp -- anywhere anywhere udp dpt&#58;ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
&#91;root@localhost ~&#93;#

I don't want to turn off my firewall unless I absolutely have to. If anyone can point out which rule(s) in my iptables are causing the problem and how to modify those rules to allow ssh (without compromising the rest of the system security), I would appreciate that.

**serz** · 06-28-2005

Can you ssh to localhost on 192.168.0.2?

**IceBear** · 06-28-2005

My iptables:

ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

I think that you should open the ssh-port for incoming connections (modify your firewall settings and securelinux settings). You can use x-tools for this. Good luck!

**thanhvn** · 06-30-2005

I posted on another Linux site and a user helped me solve my problem by using the /usr/bin/system-config-securitylevel tool to configure my firewall. (Under gnome, run Desktop->System Settings->Security Level. On the Firewall Options tab, check the SSH box in the "Trusted Services" window.)

However, I have another related question. Here is my new iptables after enabling ssh service:

Code:

&#91;root@localhost ~&#93;# iptables -L -v --line-numbers
Chain FORWARD &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain INPUT &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT &#40;2 references&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt&#58;5353
6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt&#58;ipp
7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt&#58;ssh
9        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

The only difference between this new iptables and the old one is the addition of one new rule in the RH-Firewall-1-INPUT chain:

Code:

8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt&#58;ssh

Now, I can understand why this new rule is needed because the rule#1 and rule#7 in the RH-Firewall-1-INPUT chain do not apply, only packets coming into the loopback interface and packets belonging to an existing connection are accepted, respectively.

However, what I don't understand is that I've been browsing and purchasing stuff on the Internet and there are no rules for accepting new incoming HTTP and HTTPS packets !?

As a demonstration, I use the system-config-securitylevel tool to enable HTTP and HTTPS services in the firewall and my new iptables is:

Code:

&#91;root@localhost ~&#93;# iptables -L -v --line-numbers
Chain FORWARD &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain INPUT &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT &#40;policy ACCEPT 0 packets, 0 bytes&#41;
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT &#40;2 references&#41;
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt&#58;5353
6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt&#58;ipp
7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt&#58;https
9        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt&#58;http
10       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt&#58;ssh
11       0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

As you can see, two new rules, rule#8 and rule#9 were added for HTTPS and HTTP service, respectively.

Now, why were I able to use the HTTP and HTTPS services without rules #8 and #9 while I couldn't use the SSH service without rule #10 ?

Thanks for any help in expanding my limited Linux networking knowledge.

Thread Tools

Display

ssh: no route to host

Posting Permissions