LinuxQuestions.org
Old 02-08-2017, 12:38 PM   #1
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Rep: Reputation: 27
ssh to IPV6 on different port


If I run
ssh me@IPV6 remote address it works OK. But if I change the default ssh port on remote server from 22, restart sshd then:
Code:
ssh -p2345 me@Ipv6 address
the connection hangs and never connects. Have tried editing /etc/sysconfig/ip6tables and changing:
Quote:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
TO:
Quote:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2345 -j ACCEPT
Then service ip6tables restart. But it still doesn't work. Am I missing something?
 
Old 02-08-2017, 02:51 PM   #2
TheEzekielProject
Member
 
Registered: Dec 2016
Distribution: Devuan+lxde
Posts: 658

Rep: Reputation: 190
If you changed to port 22 then remove -p argument from ssh (as 22 is default) or change to -p 22. That specifies the port
 
Old 02-08-2017, 03:37 PM   #3
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Not sure what you're getting at. I know port 22 works. It's when it's changed to another port it fails to connect.
 
Old 02-08-2017, 04:09 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,234

Rep: Reputation: 3974
I assume that this is a CentOS box and your problem is probably due to selinux if it is enabled. If so you need to add the port via the semanage command. See the following link for more details.

http://www.serverschool.com/server-c...elinux-rhel-6/
 
Old 02-08-2017, 04:40 PM   #5
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Centos 6.8
selinux is set to disabled and semanage is not installed. Changing the ssh port works OK for IPv4, it's only IPv6 that only wants to work on 22
 
Old 02-08-2017, 05:12 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,234

Rep: Reputation: 3974
I assume the output of ip6tables -L shows something like
Code:
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:2345
Have you tried turning off ip6tables which basically flushes the rules to see what happens?
 
Old 02-08-2017, 06:13 PM   #7
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Yes I tried stopping ip6tables but it made no difference.
ip6tables -nL --line-numbers
Code:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED 
2    ACCEPT     icmpv6    ::/0                 ::/0                
3    ACCEPT     all      ::/0                 ::/0                
4    ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:2345
5    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
But if I change port to 22 it works

Last edited by pixie; 02-08-2017 at 06:22 PM.
 
Old 02-08-2017, 06:23 PM   #8
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
In CentOS/RHEL IPv4 port forwarding is disabled by default in the kernel... I suspect the same will be true of IPv6. Maybe worth trying the following command to test:

sudo sysctl -w net.ipv6.conf.all.forwarding=1

Unfortunately my test KVM environment is down due to hardware issues, so can't test if that is exactly the right setting to test/check tho.

Last edited by r3sistance; 02-08-2017 at 06:26 PM.
 
Old 02-08-2017, 06:46 PM   #9
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Changing the port using IPv4 works OK. I tried
sysctl -w net.ipv6.conf.all.forwarding=1
and also
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
but to no avail.
Thanks for your response though. Appreciated.
 
Old 02-08-2017, 06:52 PM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Wait... I am being dumb, misread what is going on.

What is the output of "netstat -pan | grep sshd", forget if CentOS 6 has ss but that'd work in place of netstat too. If it returns nothing then try grep 2345 instead and see if anything comes back as listening on the port.

Last edited by r3sistance; 02-08-2017 at 06:53 PM.
 
Old 02-08-2017, 07:04 PM   #11
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Code:
netstat -pan | grep sshd
tcp        0      0 0.0.0.0:2345               0.0.0.0:*                   LISTEN      3360/sshd           
tcp        0     64 xx.xx.xx.xx:2345          YY.YY.YY.YY:33540           ESTABLISHED 1415/sshd           
tcp        0      0 :::2345                    :::*                        LISTEN      3360/sshd           
unix  2      [ ]         DGRAM                    5812   1415/sshd           P1831
where xx.xx.xx.xx is the server's IPv4 and YY.YY.YY.YY my existing connection from desktop

Last edited by pixie; 02-08-2017 at 07:08 PM.
 
Old 02-08-2017, 07:37 PM   #12
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Fair enough, well it appears to be listening on both ipv4 and ipv6.

Interestingly looking at your config, iptables should never drop the connection...

maybe the ssh client hasn't detected it is using ipv6, I think it can be forced to use ipv6 with the -6 flag.

Last edited by r3sistance; 02-08-2017 at 07:40 PM. Reason: just specifying the client
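
The two checks made in the posts above (is sshd listening on the new port over IPv6, and does the INPUT chain accept a new connection to it), as an added shell example that is not code from any poster. It runs on constructed sample data: the rules are written in `ip6tables -S` form, which shows the interface matches that `ip6tables -nL` leaves out, and the `-i lo` on the third rule and the interface name `eth0` are assumptions.

```shell
# Added example. Sample data is constructed in the shape of the thread's output.

# Address families on which sshd has a LISTEN socket for TCP port $1.
# Reads `netstat -pan` output on stdin; prints "ipv4", "ipv6", "ipv4 ipv6" or "".
sshd_listen_families() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" && $7 ~ /\/sshd$/ {
            n = split($4, a, ":")              # port is the last ":" field
            if (a[n] == port) seen[(n > 2) ? "ipv6" : "ipv4"] = 1
        }
        END { out = seen["ipv4"] ? "ipv4" : ""
              if (seen["ipv6"]) out = out (out != "" ? " " : "") "ipv6"
              print out }'
}

# Target of the first INPUT rule matching a NEW TCP connection to port $1
# arriving on interface $2. Reads `ip6tables -S` output on stdin and
# understands only the match options that appear in this thread.
input_verdict() {
    awk -v port="$1" -v ifc="$2" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            ok = 1; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i+1) != ifc) ok = 0
                if ($i == "-p" && $(i+1) != "tcp") ok = 0
                if ($i == "--dport" && $(i+1) != port) ok = 0
                if ($i == "--state" && $(i+1) !~ /(^|,)NEW(,|$)/) ok = 0
                if ($i == "-j") target = $(i+1)
            }
            if (ok && target != "") { print target; found = 1; exit }
        }
        END { if (!found) print "POLICY" }'
}

sample_netstat() { cat <<'EOF'
tcp        0      0 0.0.0.0:2345      0.0.0.0:*      LISTEN      3360/sshd
tcp        0      0 :::2345           :::*           LISTEN      3360/sshd
EOF
}
sample_rules() { cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2345 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
EOF
}
echo "sshd listens on: $(sample_netstat | sshd_listen_families 2345)"
echo "eth0 -> 2345: $(sample_rules | input_verdict 2345 eth0)"
echo "eth0 -> 22:   $(sample_rules | input_verdict 22 eth0)"
```

On a live host, pipe `netstat -pan` and `ip6tables -S` into the two functions in place of the sample data.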
 
Old 02-08-2017, 08:13 PM   #13
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
Using ssh -6 -p 2345 doesn't work either. What is interesting is that I can only connect to IPv6 if both sshd_config and ip6tables are both set to port 22. If I just set ip6tables to port 22 and sshd_config to say 2345 and then try an IPv6 connection it says 'port 22 Connection refused'. So both files are being read together. Was hoping /var/log/secure might tell me something but it only says it's listening.

Last edited by pixie; 02-08-2017 at 08:16 PM.
 
Old 02-08-2017, 08:32 PM   #14
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,234

Rep: Reputation: 3974
Can you ssh from the remote computer itself?

ssh -6 -p 2345 localhost
 
Old 02-09-2017, 01:23 AM   #15
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 53

Original Poster
Rep: Reputation: 27
ssh -6 -p 2345 localhost
Could not resolve hostname localhost

Though without the -p switch it does work
ssh -p 2345 localhost
root@localhost's password:
 
  


All times are GMT -5.