LinuxQuestions.org
Old 06-26-2010, 07:45 AM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Rep: Reputation: 69
A question about listening interfaces on ssh...


In my sshd_config file I have the following

Code:
ListenAddress 0.0.0.0
Does this mean that all of my network interfaces are listening as opposed to just one specific network interface? Would 0.0.0.0 include 127.0.0.1?

Also, this computer (A) is on a LAN at my house. It has two network interfaces (eth0 & eth1), both on different subnets. I can connect from another computer (B) on my LAN to this one on one interface (eth0) via SSH just fine. The other interface (eth1) on this computer is hooked up to its own gateway to the internet using DSL. I'm using this interface (eth1) for running bind.

Anyhow, here's my issue. When using a computer (C), which is a hosted VM, from outside my LAN, to connect to computer (A) via SSH, I get connection refused. So I checked my hosts.deny & hosts.allow files, both empty. I run nmap from computer C and SSH comes up as closed. So I'm thinking it's a firewall issue. Here's what my iptables -L looks like:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
I've been meaning to learn more about iptables, but which chain is for which network interface? I have also tried running nmap from computer(C) to test bind out on tcp 53 that comes up closed. I run udp 53 and that comes up as closed but then again udp is funny because it's stateless. If I run netcat on udp port 53 from computer C I get a blank line as if it's still running. However, I get that for all other ports anyways so that's of no use.

Unless my AT&T DSL is blocking those ports. But if that were the case would the error 'Connection refused' come up when I try to connect via SSH?

What other tests can I run to troubleshoot?

Last edited by trist007; 06-26-2010 at 07:48 AM.
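As an added check for the first question in this post (example code written for this thread, not the poster's own; `bind_and_connect` is a hypothetical helper): `0.0.0.0` is the wildcard address, so a listener bound to it accepts connections arriving on any local address, loopback included, whereas a listener bound to one specific address answers only there. The script binds a throwaway TCP listener both ways and reports which local address each connection landed on.

```python
"""Show what a 0.0.0.0 (wildcard) listener accepts versus one bound to a single address."""
import socket


def bind_and_connect(listen_addr, connect_addr="127.0.0.1", timeout=2.0):
    """Bind a TCP listener to listen_addr on an ephemeral port, connect to it via
    connect_addr, and return the local address the connection landed on,
    or None if the connect was refused (nothing listening at that address)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((listen_addr, 0))      # port 0: let the kernel pick a free port
        srv.listen(1)
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        cli.settimeout(timeout)
        try:
            cli.connect((connect_addr, port))
        except ConnectionRefusedError:
            return None
        conn, _peer = srv.accept()
        try:
            return conn.getsockname()[0]  # the address the listener saw the connection on
        finally:
            conn.close()
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # A wildcard listener is reachable over loopback...
    print("0.0.0.0   <- 127.0.0.1:", bind_and_connect("0.0.0.0"))
    # ...and, on Linux, over any other 127/8 address too (all of 127.0.0.0/8 is routed to lo).
    print("0.0.0.0   <- 127.0.0.2:", bind_and_connect("0.0.0.0", "127.0.0.2"))
    # A listener bound to one address only answers at that address (refused -> None on Linux).
    print("127.0.0.1 <- 127.0.0.2:", bind_and_connect("127.0.0.1", "127.0.0.2"))
```

On the machine itself, `ss -ltn` (or `netstat -ltn` on older systems) shows the same thing for sshd: a local address of `0.0.0.0:22` means all IPv4 addresses, while a specific address in that column means only that interface's address is listening.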
 
Old 06-26-2010, 08:25 AM   #2
blue_print
Member
 
Registered: May 2010
Location: In world
Distribution: RHEL, CentOS, Ubuntu
Posts: 275
Blog Entries: 3

Rep: Reputation: 50
Can you try opening the SSH port in the iptables?

http://www.cyberciti.biz/faq/linux-o...ll-port-22-23/
 
Old 06-26-2010, 08:32 AM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Don't I already have it under Chain RH-Firewall-1-INPUT second from the last entry? Isn't that it? Anyhow, I added that line before commit as shown in that link you sent me and I still get the same iptables -L output. Same issue.
 
Old 06-26-2010, 08:40 AM   #4
blue_print
Member
 
Registered: May 2010
Location: In world
Distribution: RHEL, CentOS, Ubuntu
Posts: 275
Blog Entries: 3

Rep: Reputation: 50
Can you paste the list of firewall rules you have in /etc/sysconfig/iptables?
 
Old 06-26-2010, 03:42 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Sure here it is.
Code:
# Generated by iptables-save v1.3.5 on Wed Jun 23 15:55:03 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33541:3061023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Jun 23 15:55:03 2010

Last edited by trist007; 06-26-2010 at 03:47 PM.
 
Old 06-27-2010, 10:37 AM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Oh man, figured it out. I guess my power went out at my apartment and my DSL modem turned off and then back on and then got assigned a new public IP. I was testing it from outside the LAN to an IP that wasn't my computer. When in doubt, the obvious is usually the cause.

I have a question, though, about iptables. In this case, what's the difference between RH-Firewall-1-INPUT and CHAIN RH-Firewall-1-INPUT? Just like if in iptables I insert a rule such as this one
Code:
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
It will go under RH-Firewall-1-INPUT.
However if I insert a rule such as this one
Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
It will go under Chain RH-Firewall-1-INPUT. These are the same right? Just different groups for organizational purposes?

Last edited by trist007; 06-27-2010 at 10:42 AM.
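An added walk-through of the chain question (example code written for this thread, not the poster's or the distribution's; the simulator, the `203.0.113.5` documentation address and the packet helper are constructed for illustration). `-A INPUT ...` appends to the built-in INPUT chain and `-A RH-Firewall-1-INPUT ...` appends to the user-defined chain of that name; they are different lists, not two views of one. Order matters because of how the kernel walks them: INPUT's first rule jumps into RH-Firewall-1-INPUT, a user-defined chain only hands control back to INPUT if it falls off its end or hits RETURN, and in the posted ruleset its last reachable rule is an unconditional REJECT. The simulation below replays the exact rules from post #5 and traces which rule decides each packet, which makes it visible that the two port 53 rules appended to INPUT (and the duplicate port 22 rule after the REJECT) are never consulted, and that moving a rule to position 1 (what `iptables -I INPUT 1 ...` does) changes the verdict.

```python
"""Trace how iptables walks the posted filter-table rules (a constructed simulator, not iptables)."""
import copy

# The iptables-save output from post #5, embedded verbatim as the simulator's input.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33541:3061023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}          # targets that end the walk for a packet
MATCH_KEYS = ("iface", "proto", "dport", "dst", "states")


def parse_ruleset(text):
    """Turn iptables-save lines into {chain: [rule, ...]} plus each built-in chain's policy."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                  # ":INPUT ACCEPT [0:0]" or ":RH-... - [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A "):              # "-A <chain> <matches> -j <target>"
            tok = line.split()
            rule = dict.fromkeys(MATCH_KEYS + ("target",))
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option here takes one argument
                if opt == "-i":        rule["iface"] = arg
                elif opt == "-p":      rule["proto"] = arg
                elif opt == "--dport": rule["dport"] = int(arg)
                elif opt == "-d":      rule["dst"] = arg
                elif opt == "--state": rule["states"] = set(arg.split(","))
                elif opt == "-j":      rule["target"] = arg
                # -m, --icmp-type and --reject-with carry nothing this simulator matches on
            chains[tok[1]].append(rule)
    return chains, policies


def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet."""
    return all(rule[k] is None or (pkt["state"] in rule[k] if k == "states" else rule[k] == pkt[k])
               for k in MATCH_KEYS)


def walk(chains, name, pkt, trace):
    """Walk one chain; return a terminal verdict, or None if the chain RETURNs / falls off the end."""
    for idx, rule in enumerate(chains[name], 1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{name}:{idx} -> {rule['target']}")
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] == "RETURN":
            return None
        verdict = walk(chains, rule["target"], pkt, trace)  # jump into a user-defined chain
        if verdict is not None:
            return verdict                        # the sub-chain decided; INPUT's later rules are skipped
    return None


def evaluate(chains, policies, pkt, entry="INPUT"):
    """Return (verdict, trace) for a packet entering a built-in chain."""
    trace = []
    verdict = walk(chains, entry, pkt, trace)
    if verdict is None:                           # nothing matched: the built-in chain's policy applies
        verdict = policies[entry]
        trace.append(f"{entry} policy -> {verdict}")
    return verdict, trace


def insert_first(chains, name, rule_no):
    """Copy of chains with rule rule_no of chain name moved to position 1, as -I name 1 would."""
    new = copy.deepcopy(chains)
    new[name].insert(0, new[name].pop(rule_no - 1))
    return new


def packet(iface, proto, dport, state="NEW", dst="203.0.113.5"):
    """Constructed inbound packet; 203.0.113.5 stands in for eth1's public address."""
    return {"iface": iface, "proto": proto, "dport": dport, "dst": dst, "state": state}


CHAINS, POLICIES = parse_ruleset(RULESET)

if __name__ == "__main__":
    for label, pkt in [("new ssh via eth1", packet("eth1", "tcp", 22)),
                       ("new dns via eth1", packet("eth1", "udp", 53)),
                       ("new dns via lo", packet("lo", "udp", 53))]:
        print(f"{label:18}", evaluate(CHAINS, POLICIES, pkt))
    print("dns rule moved first", evaluate(insert_first(CHAINS, "INPUT", 3), POLICIES, packet("eth1", "udp", 53)))
```

The trace for a new DNS query arriving on eth1 ends at rule 10 of RH-Firewall-1-INPUT (the REJECT), so the `--dport 53` ACCEPT rules sitting after the jump in INPUT never get a look; the same query is accepted only once that rule is moved ahead of the jump. On a real box, `iptables -L -v --line-numbers` shows the per-rule packet counters, which is the quickest way to confirm that a rule is never being hit.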
 