LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 03-26-2013, 03:21 PM   #1
minty33
Can ssh client be configured to refuse outbound connections?


OK, we have an Ubuntu server at my college and I'm setting up ec2 for our students to use their own instances so they can be root without giving them root on our machine. They all have existing accounts on said Ubuntu server. My plan is to put all the ec2 .pem keys on that machine so the students will first log in to our server, then from there log in to their personal ec2 instances via the .pem keys stored on the school's machine.

This is all pretty irrelevant, but what I have noticed on this server is that while it receives ssh connections, it cannot connect with an outbound ssh request to ec2 or any other known working machine. It can't even ssh into itself, so that tells me ssh config or something local on that machine is not allowing outgoing ssh connections. Where can I look for how this is being locked out?

I have permissions, so I'm not circumventing anything; it's just that I'm not the person who set this server up, yet I'm the one who needs to get it working to connect to ec2 instances. I don't have permission to know their whole network with my work/study status, but I have been assured that it's not being blocked by the gateway or other security device. I can't check that personally, so I have to take their word on that.

So where can an Ubuntu server be configured to exhibit this behavior of blocking outbound ssh requests? I know about the ssh config file, but I don't know which flag would do this, or if there is a system profile besides ssh config that could block ssh outbound while allowing sshd to still listen and accept connections.
 
Old 03-26-2013, 05:50 PM   #2
lleb
Can we say runonsentenceparagraphthing.... OMG, paragraphs are your friend.

1. Just to be clear you are able to ssh into your Ubuntu server, but not able to ssh out is that correct?

2. If you are able to ssh OUT from the Ubuntu server but not to the ec2 clouds that you are setting up as VMs, then it is a networking issue within your VM software and internal routing within the VM and the host OS.

3. If you are unable to ssh OUT of the Ubuntu server to anyplace, then it is either blocked locally on the server (check iptables or ip6tables), or it is blocked at the router/firewall of the University. If it is the latter, your network admin will have to address that issue. If it's just iptables/ip6tables, then you can make that adjustment as long as you have permission.

I hope that is a start.
 
Old 03-26-2013, 06:15 PM   #3
minty33
Sorry about the babble but I tend to do that when using a touch-screen mobile device.
The answer is I can't ssh out anywhere from the Ubuntu server. I can connect to ec2 from other machines so that's fine.
I will look at the iptables since I don't have permission to touch the firewall/routers. However, I was told they were set to allow outbound traffic such as ssh, but I can't confirm that personally.
Just to clarify first: if there is an explicit deny rule and I create an explicit allow rule with the following commands, will it work?
Code:
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
Old 03-27-2013, 12:00 AM   #4
lleb
You would want something like the following:

Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
This allows some basic connections, including port 22, while blocking what you don't need to worry about anyway. Can you copy/paste the entire dialog you are getting from the server when you attempt to ssh out? This does not sound like an iptables issue if you can get into the server but just cannot get out. That sounds like something else is going on, like the OpenSSH client not running or not being installed. Keep in mind that sshd and the OpenSSH client are not the same thing.
 
Old 03-27-2013, 09:23 AM   #5
minty33
Update

I don't know who configured this Ubuntu server, but the IT dept at my school fears Linux and is not shy to say they don't know anything about it. That's kind of why I ended up doing this, since I at least use Linux as my main desktop at home. The only reason they even have it is for the one Unix class the school has; otherwise it wouldn't exist. It just runs in the DMZ so students can have a non-admin account to practice shell commands and scripting.
The reason I say this is because somehow iptables is not installed, and it's Ubuntu 10. Yes, I know this is crazy because it comes with iptables out of the box and sometimes ufw to manage it instead of using iptables commands, but when I run either command it says they are not installed. I can't imagine they purposely uninstalled it, but it's gone, so this isn't an iptables issue I guess.
As for OpenSSH, it is installed because "which ssh" shows the path plus the command runs. The output of ssh -v with the correct info to access remote machines gives the following.
Code:
OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to *********** port 22.
debug1: connect to address *********** port 22: Connection refused
ssh: connect to host ************* port 22: Connection refused
The series of *'s is just to obfuscate the IP address.

Note:
Reminder that the connection is not being refused by the remote machine, because every other machine can ssh into it. Also, I get the same output as above trying to access any machine from this Ubuntu server, not just the one I printed output for. Even using ssh on itself returns that output.
Here is the ssh_config file:
Code:
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
Does it just need to be uncommented somewhere?

Last edited by minty33; 03-27-2013 at 11:04 AM.
 
Old 03-27-2013, 12:10 PM   #6
lleb
http://www.howtogeek.com/115116/how-...t-in-firewall/

https://help.ubuntu.com/10.04/server...sh-server.html

You are faced with one of the main reasons I avoid Canonical. They just don't do things the standard Linux way and they break far too much IMHO.

Try those links to see if that helps.
 
Old 03-27-2013, 01:40 PM   #7
unSpawn
Quote:
Originally Posted by minty33
Code:
ssh: connect to host ************* port 22: Connection refused
(..) Reminder that the connection is not being refused by the remote machine, because every other machine can ssh into it. Also, I get the same output as above trying to access any machine from this Ubuntu server, not just the one I printed output for. Even using ssh on itself returns that output.
Hmmm. If the remote TCP/22 wouldn't be open you'd get "Connection timed out" and if the remote would be wrong you'd get "No route to host" so "Connection refused" IMHO really means just that: connection refused. In addition to what Lleb posted I'd like to see a 'ssh' but with -vvv and since you have access to the remote host via other IP addresses do check its sshd log, /etc/hosts.{deny,allow}, /etc/ssh/sshd_config, firewall messages and ~/.ssh/authorized_hosts.
 
Old 03-27-2013, 05:44 PM   #8
minty33
I have all incoming allowed on that remote host, but don't forget I get this same connection refused no matter where I'm trying to ssh into, so it's not a hosts allowed/denied thing. I know it sounds like just that, but it's not. I get connection refused when trying to ssh into itself via its IP address but not 127.0.0.1; this tells me it's a firewall or router.

BTW, that output I added above is the exact same with -vvv, so nothing is really happening other than what you saw already. This also hints that it's a network device blocking the communication: even though the syntax uses the remote machine IP in the output, it is not reaching that remote machine.

I'm thinking I can't take IT's word for it that it's not being blocked by a network device. I work for the computer dept as a student, but there is also an IT dept at the school. I can work on devices and computers the comp sci dept owns, but IT is in control of the infrastructure, and even the head of the comp sci dept can't just go manage their firewalls and routers. I have the dept head's permission to do the following to test and see if it's being blocked by a device: take my laptop in to school, spoof the MAC in case there is MAC filtering on the switch, change the IP also to the trouble machine's, and see if I get the same issue, since I know my laptop works otherwise. If I get the same error, I go to IT and tell them it is their device, because I tested with a known device and it still is being refused. I know this sounds weird, but I can't just use something to monitor network packets on their network; he's cool with me switching out the machines, though.

Last edited by minty33; 03-27-2013 at 05:53 PM.
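As an added example (not code posted in this thread), here is a small POSIX shell helper that turns the distinction unSpawn draws between "Connection refused", "Connection timed out" and "No route to host" into a classifier, and then runs the loopback / own-address / remote comparison minty33 describes so the three results sit side by side. It assumes an OpenSSH client is installed; the own-IP and remote-host values given on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies the error text ssh
# prints using the distinction unSpawn draws (refused / timed out / no route)
# and probes loopback, the server's own address and a remote host side by
# side, the comparison minty33 describes. Assumes an OpenSSH client; the
# addresses given on the command line are placeholders.

# Read ssh output (stderr merged) on stdin; print one classification word.
classify_ssh_error() {
    out=$(cat)
    case "$out" in
        *"Connection refused"*)      echo refused ;;  # a TCP RST came back
        *"Connection timed out"*)    echo timeout ;;  # SYN dropped somewhere
        *"No route to host"*)        echo noroute ;;  # ICMP unreachable
        *"Remote protocol version"*) echo ok ;;       # TCP connect succeeded
        *)                           echo unknown ;;
    esac
}

# Where to look next for each classification.
explain() {
    case "$1" in
        refused) echo "actively rejected: local REJECT rule, no listener, or a device sending RST" ;;
        timeout) echo "silently dropped: DROP rule on either end or a filtering device" ;;
        noroute) echo "routing problem before the host was reached" ;;
        ok)      echo "TCP reached sshd; anything left is auth or host-key related" ;;
        *)       echo "no known pattern; rerun with -vvv" ;;
    esac
}

# probe HOST: one non-interactive attempt, classified. BatchMode avoids
# password prompts; ConnectTimeout bounds a silent drop.
probe() {
    ssh -v -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>&1 | classify_ssh_error
}

# compare_paths OWN_IP REMOTE: loopback vs. own interface address vs. remote.
# Traffic to the host's own address is delivered locally and never leaves
# the box, so that probe exercises local rules, not the network path.
compare_paths() {
    for target in 127.0.0.1 "$1" "$2"; do
        result=$(probe "$target")
        printf '%-16s %-8s %s\n' "$target" "$result" "$(explain "$result")"
    done
}

# Usage: sh probe-ssh.sh --run <own-ip> <remote-host>   (placeholder names)
if [ "${1:-}" = "--run" ]; then compare_paths "$2" "$3"; fi
```

If loopback reports ok while the host's own address reports refused, the thing answering with a reset is on the host itself, since that traffic never reaches a router.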
 