LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-14-2007, 01:47 AM   #1
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Rep: Reputation: 15
SSH Connection timed out


Dear All,

I have Fedora Core 6. When try to ssh to any machine on the local network (or even to itself) the ssh gets connection timed out. This problem disappears when I allow all incoming tcp/udp in iptables:
-A INPUT -p tcp -m tcp -j ACCEPT
-A INPUT -p udp -m udp -j ACCEPT

but when I set a rule to allow only port 22 for ssh I get connection timed out. That is
-A INPUT -p tcp -m -tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m -udp --dport 22 -j ACCEPT

does not work. With netstat -nlt I can see the following line:
tcp 0 0 :::22 :::* LISTEN
so I guess the port 22 is open. I know that ssh is listening to port 22 because when I allow all tcp/udp I can connect from another computer using port 22.

Does anyone know the cause of the problem ?
Thanks very much for any help.
 
Old 03-14-2007, 01:56 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
First off, SSH never uses UDP, only TCP. (It requires a reliable transport mechanism). Secondly, I'm not sure what the -m -tcp is supposed to do. The only rule I use is "iptables -A INPUT -p tcp --dport 22 -j ACCEPT".
 
Old 03-14-2007, 02:36 AM   #3
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thank you very much for your reply.

-m tcp means match tcp.

I followed your advice, but

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

still does not work. When I do "service iptables stop", the ssh starts to work. So the problem is that probably some additional port is used for ssh. When I do

lsod -i :22

it gives

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 3784 root 3u IPv6 9867 TCP *:ssh(LISTEN)

So I guess port 22 is open but SSH still not working.
 
Old 03-14-2007, 06:35 AM   #4
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I would like to add that opening tcp ports from 30000 to 40000 in iptables rules, sometimes makes SSH to work. Is it possible that SSH depends on some service with random port assignment ?

Thanks for any help.
 
Old 03-14-2007, 07:07 AM   #5
mehdi.sadighian
LQ Newbie
 
Registered: Mar 2007
Posts: 10

Rep: Reputation: 1
Ssh Connection Through Firewall

IF YOU WANT TO MAKE A SSH CONNECTION TO FEDORA BOX WRITE THIS COMMANDS IN YOUR FIREWALL SCRIPT OR COMMAND LINE:

iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT

THE FIRST LINE ALLOWS INCOMING CONNECTIONS TO 22 TCP PORT AND THE SECOND LINE ALLOWS OUTGOING RESPONSE TO SSH CONNECTION FROM 22 TCP PORT.

GOOD LUCK.
 
Old 03-15-2007, 01:08 AM   #6
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thank you very much for your help.

However for some strange reason opening port 22 is not enough for SSH to work. In my iptables OUTPUT is set to ACCEPT everything. For INPUT the port 22 is open. But I also need to open ports from 30000 to 40000 for SSH to work.

I suspect some service is not allowing SSH to work properly.
 
Old 03-15-2007, 03:55 AM   #7
theNOC
LQ Newbie
 
Registered: Feb 2007
Location: Czech Republic
Distribution: Ubuntu,Gentoo,FreeBSD,AIX
Posts: 8

Rep: Reputation: 0
hello...you have tried to see what rules have you on firewall?...try iptables -L or iptables -L | grep ssh and try to find what rules have you on iptables configuration for ssh protocol, You have 2 network adapters? Can you connect via ssh on WAN?
 
Old 03-16-2007, 12:28 AM   #8
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I have 1 NIC in the PC and the following rules in iptables.

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ALLOW lo for local services to work
-A INPUT -s 127.0.0.1 -j ACCEPT
# FOR NFS
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
# FOR PORTMAP
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
# FOR NFS SERVER (MOUNTD)
-A INPUT -p tcp -m tcp --dport 33777 -j ACCEPT
-A INPUT -p udp -m udp --dport 33777 -j ACCEPT
# FOR NFS SERVER (STATD)
-A INPUT -p tcp -m tcp --dport 4777 -j ACCEPT
-A INPUT -p udp -m udp --dport 4777 -j ACCEPT
# FOR NFS SERVER (LOCKD)
-A INPUT -p tcp -m tcp --dport 4888 -j ACCEPT
-A INPUT -p udp -m udp --dport 4888 -j ACCEPT
# FOR NFS SERVER (RQUOTAD)
-A INPUT -p tcp -m tcp --dport 4999 -j ACCEPT
-A INPUT -p udp -m udp --dport 4999 -j ACCEPT
# FOR SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
I also tried
Code:
-A INPUT -p tcp --dport 22 -j ACCEPT

but the problem is still there. Unless I allow some wide range of INPUT ports the SSH does not work (I cannot connect to any computer including itself) and I get "SSH port 22. Connection timed out".
 
Old 03-16-2007, 05:01 AM   #9
theNOC
LQ Newbie
 
Registered: Feb 2007
Location: Czech Republic
Distribution: Ubuntu,Gentoo,FreeBSD,AIX
Posts: 8

Rep: Reputation: 0
Hello! You have try and iptables -A INPUT -p tcp --dport ssh -j ACCEPT ? you have blocked alot of ports; try to put the DROP rules at the end of the script, and then try from console "netstat -tcp" and "netstat | grep ssh" to see what local port need to be open...on my linux computers ssh protocol use from Local Adress to connect the port from range 26880-27000. Have a nice day!
 
Old 03-17-2007, 04:59 AM   #10
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thank you very much for your advices.

After setting "INPUT ACCEPT[0:0]" I could see with "netstat -nltp" that in addition to allowed ports the following services are LISTENing:

tcp ports 513, 514 for xinetd (login and shell respectively)
tcp ports 680 and 687 for ypserv and ypxfrd respectively.

So I set ypserv and ypxfrd to use static ports by editing the "/etc/sysconfic/network" file. Also explicitely enabled ports 513 and 514 for login and shell in iptables.

However when set "INPUT DROP [0:0]" I cannot SSH again. Though "netstat -nltp" with "INPUT ACCEPT [0:0]" and "INPUT DROP [0:0]" now shows the same things.
 
Old 03-17-2007, 10:48 AM   #11
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I my case I need to open ports from 30000:60000
for SSH to work. After looking a while over the
net I could not find any explanation. Everywhere
it is stated that for SSH to work one should open
tcp port 22 and that's all, which in my case is
not enough.

I also tried to log the network requests by adding
-A INPUT -p tcp -j LOG --log-prefix Firewall:

into iptables rules:
After this when I try to SSH to 192.168.13.254
machine (or any other) I get the following logs:
Code:
Firewall:IN=eth0 OUT= MAC=00:19:... 
SRC=192.168.13.10 DST=192.168.13.254 LEN=60 
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROT=TCP SPT=22 
DPT=46993 WINDOW=5792 RES=0x00 ACK SYN URGP=0
As one can see the SPT (source port) is correctly
set to 22 but the DPT is set to 46993 and this
number varies in wide range. Also the WINDOW can
vary up to 32768. I think this is the problem that
opening only port 22 does not allow SSH to function.
Does anybody know if this is the cause of the problem ?
and how can this be fixed ? As I do not want to open
a wide range of tcp port just for SSH to work.

Thanks for any help.
 
Old 03-17-2007, 02:31 PM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
I see the problem... you don't have a rule for allowing packets from an established connection back in... such as:

Code:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 03-18-2007, 01:50 AM   #13
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Adding "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" indeed allowed SSH to pass.

Thank you very much for all your help.
 
Old 03-18-2007, 04:41 AM   #14
rakib
LQ Newbie
 
Registered: Jun 2006
Posts: 1

Rep: Reputation: 0
how will i configure network in debian linux

how will i configure network in debian linux

plz help me to do this
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh: connection to host port: 22: Connection timed out lost connection cucolin@ Linux - Server 4 11-22-2011 07:15 AM
SuseFirewall2 and external SSH access connection timed out usmanaziz Linux - Distributions 1 09-03-2004 04:15 AM
Connection timed out tuttu Linux - Networking 2 08-06-2004 08:05 PM
ssh: Connection timed out. [from school] nixel Linux - Networking 2 05-19-2004 01:21 PM
Connection timed out Valluvan Programming 6 12-22-2002 03:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration