New ISP / modem... Unable to connect to ssh server (or ping) remotely
Tried turning firewall off, I tried port forwarding TCP port 22, but it still doesn't work. Also I am unable to ping the modem over WAN; I can ping the modem locally though. Tech support claims pinging and ssh are not part of the internet so they won't support it in any way. Any ideas?
It's likely your ISP is blocking port 22 and ICMP inbound. You can try a couple of things:
- Port forward some random high port (port 51326, for example) from your router/modem into your SSH server, still running on port 22. Your ISP is probably not blocking every inbound port. You can then try to connect like this from the outside:
Code:
ssh -p 51326 <modem/router external IP address>
- Use a reverse SSH tunnel to get around the port block. A good tutorial on that is here:
but it relies on an intermediate SSH server that you have access to from your LAN. This will always work if you can manage it, because your ISP won't block port 22 outbound from your LAN, which is what the connection will look like to them.
Where did you disable the firewall? SSH server? Modem? Router?
What type of modem do you have? Does it route/NAT or bridge (What device gets assigned the public IP)?
ICMP and SSH are definitely two services that are typically blocked by "out-of-the-box" routers (and/or modems, depending) and I'm thinking the problem lies within your local configuration on one of these devices.
It would be pretty shady for an ISP to block port 22, and almost unfeasible for them to block ICMP (entirely anyway).
{nsel}[firewall chain]=>list
Chains
======
Name Policy Description
----------------------------------------------------------------------------------
sink accept system
forward accept system
source accept system
sink_fire accept system
forward_fire accept system
source_fire accept system
sink_system_service accept system
source_system_service accept system
forward_level accept system
forward_host_service accept system
forward_multicast accept system
forward_level_Disabled accept user
on my host, my iptables is the following:
Code:
]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- speedtouch.lan anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- speedtouch.lan anywhere
ACCEPT all -- anywhere anywhere
LSI udp -- anywhere anywhere udp dpt:33434
LSI icmp -- anywhere anywhere
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.1.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
LSI udp -- anywhere anywhere udp dpt:33434
LSI icmp -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- island-of-nowhere.lan speedtouch.lan tcp dpt:domain
ACCEPT udp -- island-of-nowhere.lan speedtouch.lan udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (6 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
This, to my understanding, should forward all requests through anywhere on either host or modem. Please correct me if I am wrong. I am going to try the above, the output is the following:
Code:
#ssh -p 51326 `ipnow`
ssh: connect to host [<my external ip> port 51326: Connection refused
ipnow is a script that resolves my external IP address.
If I try this using port 22 as usual on the other hand I get a connection timed out error.
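The two outcomes above ("Connection refused" on the forwarded high port, "timed out" on port 22) point at different things, and the first reply's reverse-tunnel fallback fits the second case. This added shell example (not from the thread; hostnames, ports and the relay host are placeholders) classifies an ssh attempt's error text and prints what to check next:

```shell
#!/bin/sh
# Added example, not code from the thread. Hosts/ports/relay are placeholders.

# Classify ssh's stderr. "Connection refused" means a TCP RST came back: the
# modem/router WAN side was reached, but nothing accepted that port (the
# port-forward rule is not applied, or sshd is not listening where it points).
# "timed out" means the SYN was silently dropped in transit: the modem
# firewall, a DROP-policy INPUT chain like the one listed above, or the ISP.
# "Permission denied" / "Host key verification failed" mean sshd answered.
classify_ssh_error() {
    case "$1" in
        *"Permission denied"*|*"Host key verification"*) echo reachable ;;
        *"Connection refused"*)                          echo refused ;;
        *"timed out"*)                                   echo filtered ;;
        *"No route to host"*|*"Network is unreachable"*) echo unreachable ;;
        "")                                              echo connected ;;
        *)                                               echo unknown ;;
    esac
}

# Defender's checklist for each verdict.
next_step() {
    case "$1" in
        connected|reachable) echo "sshd answered; only authentication remains" ;;
        refused)     echo "WAN side reached: check the forward maps this port to <LAN host>:22 and sshd is up" ;;
        filtered)    echo "dropped in transit: check modem firewall and INPUT policy, then suspect ISP; use a reverse tunnel" ;;
        unreachable) echo "no route: wrong external IP or the link is down" ;;
        *)           echo "inspect the raw ssh output" ;;
    esac
}

# Probe one host:port from OUTSIDE the LAN and report (needs network).
# BatchMode stops ssh from prompting; only stderr is captured.
probe_ssh_port() {
    host=$1; port=$2
    err=$(ssh -p "$port" -o BatchMode=yes -o ConnectTimeout=5 \
              "$host" true 2>&1 >/dev/null) || true
    verdict=$(classify_ssh_error "$err")
    printf '%s:%s %s - %s\n' "$host" "$port" "$verdict" "$(next_step "$verdict")"
}

# Reverse-tunnel fallback from the first reply: run this ON the LAN ssh
# server. It makes port 2222 on the relay's loopback lead back to local sshd.
# From anywhere: ssh into the relay, then "ssh -p 2222 localhost".
reverse_tunnel() {
    ssh -N -R 2222:localhost:22 -o ServerAliveInterval=30 "user@$1"
}
```

Run `probe_ssh_port <external IP> 51326` from a host outside your LAN (a phone hotspot works) to get the verdict, and `reverse_tunnel relay.example` on the LAN server only if the verdict is "filtered".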
ping and ssh are not part of the internet? That tech support is awful.
Quote:
I'll remember to not bother next time, I ended up getting my answer elsewhere.
Care to share the answer you didn't receive here... because you tried hijacking a thread?