LinuxQuestions.org
Old 07-04-2012, 03:38 PM   #1
me.tbone
LQ Newbie
 
Registered: Jul 2012
Location: Sigmaringen, Germany
Distribution: Debian
Posts: 2

Rep: Reputation: Disabled
Question ssh connection timed out when connecting from outside my LAN


Hello everybody,

I can not connect to my server over ssh from outside of my LAN.

Inside the LAN everything works perfectly. My firewall (iptables) is currently open for testing purposes, at least as far as I can say with my little knowledge; my router is configured for port forwarding of port 22, and I can ping my dyndns hostname from the internet and it gives me the right IP.

Asking my ISP (Kabel BW, Germany) I have been told, no incoming or outgoing port is blocked by them (Can I trust their hotline? Who knows. Maybe we can find out together.)

Also I have similar trouble with a ftp server running on the same server where I can connect locally but not over the external address. Seems to me there is a general network config problem. But which?

I am at the end of what I can do or look into and need another pair of eyes on this.

This is my configuration (WAN stuff anonymized a little bit):

Debian Server (192.168.178.53, OpenSSH on port 22) => Router (Fritz!Box, 192.168.178.1, XXXXX.selfhost.me as dyndns hostname) => DSL Cable Modem (Provider is Kabel BW, ip is currently 95.208.xxx.xxx)
Client ip is 192.168.178.151 assigned with DHCP also hanging on the fritz!box over WLAN. The firewall of the client has also been shut down for the tests.

Following are some relevant outputs I get - If you miss anything helpful, just tell me:

ssh connects perfectly from inside the LAN:

Code:
# ssh me@192.168.178.53
Enter passphrase for key '/home/me/.ssh/id_rsa':
Linux [myserverhostname] 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Wed Jul  4 14:48:52 2012 from [myclienthostname]

... but from the outside:

Code:
# ssh -vvv XXXXX.selfhost.me
OpenSSH_5.5p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/me/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXX.selfhost.me [95.208.xxx.xxx] port 22.
debug1: connect to address 95.208.xxx.xxx port 22: Connection timed out
ssh: connect to host XXXXX.selfhost.me port 22: Connection timed out

This is the client ssh config:

Code:
Host [myserverhostname]
HostName XXXXX.selfhost.me
User me
Port 22

ForwardAgent yes
ForwardX11 yes

The port forwarding config of my router (yes, I know TCP should do it for ssh):

Code:
Aktiv Caption 	Protokoll 	Port 	to IP-Address 	to Port 	  	 		
SSH TCP	TCP 	22 	192.168.178.53 	22 		
SSH UDP 	UDP 	22 	192.168.178.53 	22

The server has only one network adapter eth0:

Code:
# ifconfig
eth0      Link encap:Ethernet  Hardware Adresse 00:90:XX:XX:XX:XX
          inet Adresse:192.168.178.53  Bcast:192.168.178.255 Maske:255.255.255.0

and the hosts files look correct to me:

Code:
#cat /etc/hosts.allow
ALL: LOCAL, .de, .ch, .me

the hosts.deny file is empty.

nmap gives me:

Code:
#nmap 192.168.178.53 -p22

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-04 20:12 Mitteleuropäische Sommerzeit
Nmap scan report for 192.168.178.53
Host is up (0.0046s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:90:XX:XX:XX:XX

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

#nmap XXXXX.selfhost.me -p22

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-04 20:14 Mitteleuropäische Sommerzeit
Nmap scan report for XXXXX.selfhost.me (95.208.xxx.xxx)
Host is up (0.0055s latency).
rDNS record for 95.208.xxx.xxx: HSI-KBW-095-208-xxx-xxx.hsi5.kabel-badenwuerttemberg.de
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds

but my firewall should be open:

Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp
ACCEPT     tcp  --  anywhere             anywhere            tcp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp
ACCEPT     udp  --  anywhere             anywhere            udp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp
ACCEPT     udp  --  anywhere             anywhere            udp

the route command output (I have not enough knowledge to interpret this):

Code:
# route -n
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth0
 
Old 07-05-2012, 11:35 AM   #2
es0teric
Member
 
Registered: Apr 2007
Distribution: Ubuntu
Posts: 105

Rep: Reputation: 19
Your ISP could be blocking 22. Try changing SSH to a lesser-used, high port number and perhaps that will work.
 
Old 07-08-2012, 07:21 PM   #3
z3nl4k1n
LQ Newbie
 
Registered: Jul 2012
Posts: 1

Rep: Reputation: Disabled
I am having the same issue where I can't connect over the internet to my SSH server. I am using my public IP address and I have a freshly built Ubuntu 12.04 system. Nothing is configured for iptables, SSH is running on port 22 and I am forwarding port 9999 -> 22 on my Linksys E4200 router to the IP address of my system that is running the SSH server.
 
Old 07-11-2012, 01:40 AM   #4
me.tbone
LQ Newbie
 
Registered: Jul 2012
Location: Sigmaringen, Germany
Distribution: Debian
Posts: 2

Original Poster
Rep: Reputation: Disabled
This is solved. Connecting to my ssh already worked if connecting from the Internet/WAN.

A friend of mine had the idea to check it with some online web site ssh clients (shame on me, I did not try this earlier).
First try and - SUCCESS!

So for everybody who really wants to check connections from outside the LAN: Try it from the outside. There are websites with clients for most of the stuff (also port scanners that scan from outside the LAN).

What I still do not understand (and maybe that's a newbie question but I wanna learn), is the following behaviour:

The dyndns XXXXX.selfhost.me address resolves to 95.208.xxx.xxx correctly - regardless if I ping from inside the LAN or from the outside (and that fooled me).
Also I can connect to ssh by using XXXXX.selfhost.me and port 22 from outside the LAN - OR - by using the local ip 192.168.178.53 and port 22 from inside the LAN.
But if I try to connect to ssh port 22 on 95.208.xxx.xxx from inside the LAN I get a timeout and cannot connect.

Why is this? If the external ip address 95.208.xxx.xxx is used from inside the LAN, shouldn't every packet be routed over the WAN/Internet so it won't make any difference?

If anybody could explain this to me, I would be glad.

But I am happy anyway as it already works. Thank You for trying to help!

@es0teric: I tried it with no success. But I have a workaround to be able to test it from the outside (using an online ssh client web site).

@z3nl4k1n: Try to connect from any online ssh client on some website. This is the only way I know (by now) that you can check connection done over your WAN IP.

Last edited by me.tbone; 07-11-2012 at 01:45 AM. Reason: Forgot to thank.
 
Old 07-11-2012, 09:53 AM   #5
Peter Clark
LQ Newbie
 
Registered: Jun 2005
Posts: 16

Rep: Reputation: 0
It's probably the NAT router that's doing it. Your server's on the 192.168.178 network. Your firewall or router is 95.208.x.x on the WAN and 192.168.178 on the LAN with a port-forward that it processes when it detects an inbound packet to the WAN IP from the WAN port. Since your connection is originating from the LAN side it's probably dropping it. From the inside of the firewall/NAT device you need to connect to the 192.168.178 IP of your server.
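
Added example, not part of the thread or any poster's code: a toy Python model of the port-forward behaviour described in post #5, extended to show why a router that does hairpin (loopback) NAT must rewrite the source address as well as the destination. The addresses 203.0.113.10 (standing in for 95.208.xxx.xxx) and 198.51.100.7 (an outside client) are constructed, and the `hairpin` mode names are hypothetical labels, not Fritz!Box settings.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.178.0/24")
ROUTER_LAN = ip_address("192.168.178.1")
SERVER = ip_address("192.168.178.53")
WAN_IP = ip_address("203.0.113.10")   # constructed placeholder for 95.208.xxx.xxx
FORWARDED_PORT = 22


def router_forward(src, dst, dport, in_iface, hairpin):
    """Apply the port-forward rule; return (new_src, new_dst) or None if dropped.

    hairpin (hypothetical mode names):
      "off"       -> rule matches only packets arriving on the WAN port
      "dnat"      -> rule also rewrites the destination for LAN packets
      "dnat+snat" -> additionally rewrites the source to the router's LAN IP
    """
    if dst != WAN_IP or dport != FORWARDED_PORT:
        return None
    if in_iface == "wan":
        return src, SERVER
    if hairpin == "off":
        return None
    if hairpin == "dnat":
        return src, SERVER
    return ROUTER_LAN, SERVER


def connect(client, hairpin="off"):
    """Model one TCP connection attempt to WAN_IP:22 and return the outcome."""
    client = ip_address(client)
    in_iface = "lan" if client in LAN else "wan"
    translated = router_forward(client, WAN_IP, FORWARDED_PORT, in_iface, hairpin)
    if translated is None:
        return "timeout: SYN dropped at router"
    seen_src, _ = translated
    # The server answers the source it saw. If that is a LAN host other than
    # the router, the reply goes straight over the switch, untranslated.
    if seen_src in LAN and seen_src != ROUTER_LAN:
        reply_src = SERVER
    else:
        reply_src = WAN_IP            # router reverses its translation
    if reply_src != WAN_IP:
        # Client dialled WAN_IP, so a SYN-ACK from SERVER matches no socket.
        return "timeout: reply from unexpected address"
    return "connected"
```

`connect("192.168.178.151")` reproduces the timeout seen from the WLAN client in the thread, while `connect("198.51.100.7")` is the outside test that succeeded.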
 
  

