Remote connection problem



pc recycler
3rd November 2004, 05:18 AM
I'm having problems connecting remotely to my box at home using an SSH client.

I've set a static ip to my Linux box 10.10.10.25. The box listens on port 22

I've configured my router to forward from the public port 10022 to that ip on to private port 22.

I've got a dynamic DNS where my WAN ip gets updated on a regular basis. I've checked and both IP match (DNS ip and current WAN ip).

I have no problem connecting locally on my LAN using the 10.10.10.25:22 address though.

Thoughts?

BiOPSY
3rd November 2004, 05:23 AM
Does your ISP stealth or block port 22?

crackers
3rd November 2004, 05:55 AM
Just as a check, what's the ssh command you use when external to the firewall?

pc recycler
3rd November 2004, 12:22 PM
BIOPSY, I don't know if my ISP blocks 22. That's why I was using 10022 as a public port and kept 22 internally. Dammit, this should be working...

pc recycler
3rd November 2004, 10:31 PM
I haven't installed the firewall on it. So that cannot be it. I tried forwarding port 22 instead of 10022 and it gave me the same results.

Would it be the forwarding that maybe Linux doesn't like? It works great internally on the LAN.

engwnbie
3rd November 2004, 10:36 PM
What IP address are you using from the external network?

pc recycler
3rd November 2004, 10:40 PM
Well, I use a DYNDNS client that updates my ip. I made sure that the domain ip and the WAN ip matched before posting. So, in other words, I would be using the one my ISP assigned me.

engwnbie
3rd November 2004, 10:53 PM
Sorry, I did not clearly read your first post.

engwnbie
3rd November 2004, 10:55 PM
Does your network answer on any other port, e.g. HTTP?

engwnbie
3rd November 2004, 11:03 PM
I have done this on my system and it works for me, but I'm not using a domain name; I used the WAN IP. What router are you using? I don't understand the port forwarding you are using.

pc recycler
3rd November 2004, 11:27 PM
The domain name points to my WAN ip. So it's basically the same.

Public IP x.x.x.x:10022 forwards to Private IP 192.168.2.25:22

Other forwards work. I have an SMC Barricade 7004VBR with the latest firmware.

engwnbie
3rd November 2004, 11:35 PM
I know you already said it. It should work? Sorry, I don't know what else to say at this point.

h4d
4th November 2004, 12:01 AM
Have you tried pinging your machine from the outside? I guess it's a problem with your port forwarding. Temporarily set your machine (190.168.2.25) as a DMZ through the router and check. Make sure your firewall is open for the ports of interest. If not, go directly from your machine to your ISP (bypass the router) and check if it works that way. Just keep looking for where the packets are being dropped, so that you can focus on that...

You might want to have a friend outside your LAN helping you through chat... a "ping me now" kind of thing.....

jayemef
4th November 2004, 12:07 AM
Just as a check, what's the ssh command you use when external to the firewall?
Your problem might be here. What is the command you are using to connect with?

Pinging from the outside is also a good suggestion. Especially if you can get a friend to do it.

pc recycler
4th November 2004, 12:21 AM
Ping using Linux? Or any other OS?

Well, I could ping my domain that had the proper WAN ip associated to it at work today. I double checked when I got home.

I'm using an SSH client for Windows to connect to my box (www.ssh.com).

BTW, thanks for all the suggestions...

h4d
4th November 2004, 05:12 AM
pc recycler: Any updates? Was it fixed? And if so, what was the problem?

pc recycler
4th November 2004, 12:40 PM
Nah, same thing. I tried accessing Apache to try to isolate the problem to SSH. However, I got the same problem. I really don't understand it. Is there a rule in a file somewhere on FC2 that would stop the traffic from getting to those services? I mean, mapping a public port to a private one, and them not being the same, is common practice... I've done this multiple times for game servers on my Windows box. The only difference is that the private and public ports were the same. In this case they're not. Which shouldn't matter.

Initially, I had the public and private port inverted. And it didn't work either. Obviously.

pc recycler
4th November 2004, 12:45 PM
I've attached a portion of my router's ip forwarding tables....

engwnbie
4th November 2004, 08:40 PM
pc recycler
I'm using an SSH client for Windows to connect to my box (www.ssh.com).
I have never used this, and don't think it to be an issue. But I used Telnet on both Win and Linux. Now I use PuTTY on Win and don't have any problems.

engwnbie
4th November 2004, 08:58 PM
Hey one more I found on this thread http://www.fedoraforum.org/forum/showthread.php?t=25409
He talks at the end about a kernel problem.

pc recycler
4th November 2004, 10:15 PM
engwnbie, thanks for the heads up. I tried doing the command ssh -v machinename (on my LAN). Here is what came up:

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 01:67:de:f1:18:64:d2:5c:cb:c7:7b:3b:9d:ac:b5:93.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

Seems that there is some sort of problem... Again, I cannot connect from outside my LAN. Maybe this would be the cause?

Here is the output of my hosts.allow file:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

It has to be my setup. But I still don't get why I couldn't get access to Apache, though.

engwnbie
4th November 2004, 11:54 PM
Can you access your HTTP on your local network?

pc recycler
5th November 2004, 01:36 AM
Yes, I can access both. The message I just posted was accessing ssh on the LAN.

engwnbie
5th November 2004, 12:48 PM
When you are accessing your IP from external, are you doing e.g. http://yourdomain:10080, or how are you doing that?

engwnbie
5th November 2004, 12:58 PM
Hey, one more thing: where I work I would not be able to get out using a port as part of my address, but I can access via HTTP only. My work firewall blocks all ports. Also, I spoke to one of the IT guys at work and he told me that using DynDNS takes a while to get your DNS registered. Did you try http://yourip:10080?

pc recycler
5th November 2004, 03:44 PM
Yes, that is effectively what I'm doing... http://domain.com:10080 or http://domain.com:10022...

I've tried from various spots, at work, at the college where I take my course... no luck at any of those spots...

The domain in question had been registered for more than 48 hours at that point. And I've been continuously testing ever since.

dpayne
5th November 2004, 07:48 PM
So what's the deal? Have you figured it out? I have the same problem, but I fixed it before a long time ago... I think it was an Apache configuration thing?? I'm not doing it over SSL, just port 80, so it has nothing to do with that.

pc recycler
5th November 2004, 09:29 PM
No, the problem still persists. I cannot connect to my SSH server at home thru the internet. Nor can I connect to Apache. In both cases, I'm forwarding ports 10080 and 10022 to 80 and 22 respectively.

I can connect to both from my LAN however.

I'm doing other port forwarding (BitTorrent, etc.) to my main machine without any problems. I've also tried matching the incoming port to the private port of my Linux machine (i.e. 22 --> 22 instead of 10022 --> 22), and that still doesn't work.

I can ping my IP, obviously, but cannot connect using the mentioned ports.

engwnbie
5th November 2004, 10:40 PM
pc recycler, I don't know what is going wrong on your system, but I just port forwarded ports 22, 80, 23 and 24 on my router, and using a Win box I had no problem whatsoever browsing the web page that I'm playing around with on my FC2 box. Also, with HyperTerminal I was able to log in to my FC2 box on port 22 (ssh) and port 23 (I believe rlogin). I did not try port 24, but I'm sure it would have also worked. My FC2 box is pretty much standard, not too much tweaking. Obviously the services I want are turned on.

pc recycler
6th November 2004, 12:21 AM
engwnbie, I know what you're saying. On the LAN, it's perfect. It's when I try to get at it from the internet.... I should just re-install, I think :)

crackers
6th November 2004, 05:59 AM
The problem will probably still be there if you re-install. Re-installing the complete system because one part of it is not working (and it might be something with your lan or router config) is pretty much a waste of time.

I noticed above that you had typed "http://domain:10022" - that's not how you access your SSH port. Try this:


ssh -p 10022 user@domain

engwnbie
6th November 2004, 11:11 AM
engwnbie, I know what you're saying. On the LAN, it's perfect. It's when I try to get at it from the internet.... I should just re-install, I think :)
No, what I'm saying is that I tried my settings over the internet and it worked fine. I don't understand why yours doesn't work. Looks like you are setting it up right. Crackers has a point, but the domain:10080 should have worked. I tried the ssh port using HyperTerminal and was able to log on. I don't know if it is one of your config files, or I do have all the latest updates on my system. No, I do remember trying all this when I first installed FC2 and it worked then, but I did not try ssh over the internet. I'm confused right now?

pc recycler
6th November 2004, 03:01 PM
The problem will probably still be there if you re-install. Re-installing the complete system because one part of it is not working (and it might be something with your lan or router config) is pretty much a waste of time.

I noticed above that you had typed "http://domain:10022" - that's not how you access your SSH port. Try this:


ssh -p 10022 user@domain


I'm using SSH Client to connect to my box, is there an area where I can specify this exact syntax? In the client, I do put 10022 in the port textbox.

In my case, the system has been installed only a few weeks ago and is barely configured. Plus, I'm a newbie at Linux so re-installing is still a viable option for me! LOL

I'll be online for a bit... anyone want to IM me about this? We could do some basic IP/Network tests...

dpayne
6th November 2004, 09:38 PM
Did you change the html directory from /var/www/html?

pc recycler
7th November 2004, 12:25 AM
dpayne, I'm using the stock install. Like I said, on the LAN it's okay. Thru the internet it doesn't work.