LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Fedora 10/unable to ssh out from box to remote host (SSH within LAN ok) (http://www.linuxquestions.org/questions/linux-networking-3/fedora-10-unable-to-ssh-out-from-box-to-remote-host-ssh-within-lan-ok-718193/)

huskeypm 04-10-2009 08:20 AM

Fedora 10/unable to ssh out from box to remote host (SSH within LAN ok)
 
Hi
I have a box (boell) running Fedora 10 sitting behind a firewall at school. I am able to freely ssh to and from this box to other computers (minion) within that lan. Outside of this network I cannot directly ssh to boell - I must ssh first to minion, then I can ssh to boell.

I've spoken with the sysadmin and he's verified that the firewall permits ssh freely - i haven't had any issues like this with other boxes of mine there, so this isn't any surprise.

I have verified that the hosts.deny file is blank, iptables permits ports 22 (and 80) and I didn't see anything obvious in the sshd_config. I tried a tcp dump on the external host and boell while attempting to ssh from the former to boell. The packets appear to be acknowledged by boell, but this fails to lead to a connection. I've tried this process with external hosts in different locations with the same result. I have made few modifications to the default installation for F10, so perhaps there is some default somewhere I have to change. In any case, below I have attached excerpts of germane files. Thanks so much for your help! (a propos: web access to this host does not work outside the network either)

Thanks so much in advance!

======== ssh from boell =======
[root@boell log]# ssh -vvv 71.189.5.67
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 71.189.5.67 [71.189.5.67] port 22.
========= from boell ==========
IP 71.189.5.67.33360 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54064643 0,nop,wscale 7>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367434590 54064643,nop,wscale 5>
IP 71.189.5.67.33360 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54067643 0,nop,wscale 7>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367437590 54064643,nop,wscale 5>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367438591 54064643,nop,wscale 5>
IP 131.215.26.174.ssh > 71.189.5.67.33364: S 3020307521:3020307521(0) ack 2326027555 win 5792 <mss 1460,sackOK,timestamp 367440791 54024440,nop,wscale 5>
IP 71.189.5.67.33360 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54073643 0,nop,wscale 7>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367443590 54064643,nop,wscale 5>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367444591 54064643,nop,wscale 5>
IP 131.215.26.47.ssh > 131.215.26.130.47342: S 1711781731:1711781731(0) ack 1695504191 win 5792 <mss 1460,sackOK,timestamp 953536177 1967705210,nop,wscale 0>
IP 71.189.5.67.33360 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54085643 0,nop,wscale 7>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367455589 54064643,nop,wscale 5>
IP 131.215.26.174.ssh > 71.189.5.67.33360: S 3658987087:3658987087(0) ack 2370375560 win 5792 <mss 1460,sackOK,timestamp 367456791 54064643,nop,wscale 5>

========= from nietzsche ==========
IP 10.1.1.2.43461 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54064643 0,nop,wscale 7>
IP 10.1.1.2.43461 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54067643 0,nop,wscale 7>
IP 10.1.1.2.43461 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54073643 0,nop,wscale 7>
IP 10.1.1.2.43461 > 131.215.26.174.ssh: S 2370375559:2370375559(0) win 5840 <mss 1460,sackOK,timestamp 54085643 0,nop,wscale 7>


========== iptables boell =========
[root@boell huskeypm]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

========= hosts.deny ========
### this file is blank

========= /etc/ssh/sshd_config on boell ============
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

MensaWater 04-10-2009 09:45 AM

Inside VLAN OK - Outside VLAN not. This immediately suggests you have a routing issue.

Run "netstat -r" (and netstat -rn to see numeric) to determine what your routing looks like. If you have multiple NICs it may be you need to change your default route fro the gateway for the VLAN you can reach to a gateway on the other NIC then create a route for the VLAN.

huskeypm 04-10-2009 11:29 AM

netstat
 
Thanks for your response! I'm not sure how I would determine if there's a routing issue based on the netstat output. Here it is for boell (the trouble maker) and nietzsche (the 'external' host)

[huskeypm@nietzsche ~]$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0

[root@boell huskeypm]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
131.215.26.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 131.215.26.1 0.0.0.0 UG 0 0 0 eth0

Just to further suggest I don't know what I am doing, I have included a traceroute, which shows that things hang at caltech somewhere

[huskeypm@nietzsche ~]$ traceroute pkh.caltech.edu
traceroute to pkh.caltech.edu (131.215.26.174), 30 hops max, 40 byte packets
1 10.1.1.1 (10.1.1.1) 0.466 ms 0.419 ms 0.631 ms
2 dslrouter.westell.com (192.168.1.1) 8.347 ms 8.568 ms 8.790 ms
3 L100.DSL-11.LSANCA.verizon-gni.net (71.107.248.1) 155.926 ms 156.133 ms
56.357 ms
4 P1-0.LCR-04.LSANCA.verizon-gni.net (130.81.34.254) 156.582 ms 156.798 m
157.018 ms
5 so-6-1-2-0.BB-RTR2.LAX01.verizon-gni.net (130.81.28.229) 157.239 ms 157
4 ms 158.437 ms
6 0.so-2-1-0.XT2.LAX7.ALTER.NET (152.63.10.149) 183.398 ms 88.803 ms 35.
ms
7 POS7-0.BR2.LAX7.ALTER.NET (152.63.112.149) 242.975 ms 243.171 ms 243.3
ms
8 p64-5-0-1.r20.lsanca03.us.bb.gin.ntt.net (129.250.8.69) 243.617 ms 245.
ms 245.557 ms
9 po-1.r00.lsanca03.us.bb.gin.ntt.net (129.250.5.254) 243.784 ms 244.009
244.235 ms
10 198.172.117.163 (198.172.117.163) 244.710 ms 244.930 ms 245.654 ms
11 ln-usc3-citusc2037.ln.net (130.152.181.188) 245.879 ms 246.092 ms 247.
ms
12 cit2-vlan2003.ln.net (130.152.181.60) 262.031 ms 35.846 ms 244.210 ms
13 BI-RSW.ilan.caltech.edu (131.215.254.15) 244.407 ms 244.630 ms 244.848

14 * * *
15 * * *

huskeypm 04-14-2009 07:37 PM

dumb mistake
 
I had put the incorrect IP for the gateway after all this.

I found this out by doing
[root@boell ~]# route -n

This explains the weird tcpdump acknowledgment behavior


All times are GMT -5. The time now is 02:51 PM.