
Re: I cannot ssh from wan/lan to my pc behind a home server



Can you check whether you can access your home pc from the
192.168.1.0/24 network? So, connect a device to your router on the LAN
side, acquire an IP lease in the 192.168.1.0/24 network, and connect
to 192.168.1.120 on port 2222.

If that doesn't work, can you insert extra logging rules in ufw?
Packets that would be dropped then appear in /var/log/kern.log, which
helps with debugging your problem.

~ Gerdriaan

On 7 February 2018 at 22:02, Aldo Maggi <sentiniate@virgilio.it> wrote:
> Luis,
>
> I'm sure it must be a problem of NAT, but if you look at the output
> of "iptables -t nat -L -n -v" you can read this line (a bit mixed up!):
>  Chain PREROUTING (policy ACCEPT 1081 packets, 70666 bytes)
>> >   pkts bytes target     prot opt in     out     source
>> > destination 0     0 DNAT       tcp  --  eno1   *
>> > 0.0.0.0/0            192.168.1.120        tcp dpt:2222
>> > to:192.168.3.1:2222
>
> In my very, very low knowledge, it should do NAT! But it doesn't :-(
>
> Thanks,
> Aldo :-)
>
>
>
>
>
> On Wed, 7 Feb 2018 17:47:30 -0300
> Luis <luislopez72@gmail.com> wrote:
>
>> Aldo,
>>
>> "Router" and "My PC" are not in the same network. Does your "File
>> Server" do NAT ??
>>
>> Luis.-
>>
>>
>> On 07/02/18 16:41, Aldo Maggi wrote:
>> > I'm having problems with ssh from the Wan while contacting my Pc in
>> > the Lan.
>> >
>> > It worked when I just had to go through the Router provided by the
>> > ISP, but problems arose when I decided to use a small server
>> > which I want to use as a file server for our family PCs, laptops and
>> > smartphone + for transferring there the webserver where I have my
>> > blog. My home LAN (limiting it to my PC) is as follows:
>> >
>> >
>> >      WAN
>> >       |
>> > ----------
>> > | Router |
>> > ----------
>> >          | 192.168.1.1
>> >          |
>> >     eno1 | 192.168.1.120
>> > ----------------
>> > |              |
>> > | File Server  |
>> > |              |
>> > ----------------
>> >     eno2 | 192.168.3.1
>> >          |
>> >   enp2s0 | 192.168.3.100
>> > ----------------
>> > |              |
>> > |   My Pc      |
>> > |              |
>> > ----------------
>> >
>> >  From the File Server I can ssh to my PC on port 2222.
>> >  From the LAN (which is in 192.168.1.0) it is not possible to ssh
>> > to my PC, which is in the 192.168.3.0 net.
>> >
>> >
>> > File Server:
>> > (in the "ufw status" output I have left only what I thought to be
>> > of interest)
>> > root@Casa-mia-1:~# ufw status
>> > Status: active
>> >
>> > To                         Action      From
>> > --                         ------      ----
>> > 22/tcp                     ALLOW       Anywhere
>> > OpenSSH                    ALLOW       Anywhere
>> > SSH                        ALLOW       Anywhere
>> > Anywhere                   ALLOW       192.168.3.100
>> > Anywhere                   ALLOW       192.168.3.0/24
>> > 2222/tcp                   ALLOW       Anywhere
>> > 22/tcp (v6)                ALLOW       Anywhere (v6)
>> > OpenSSH (v6)               ALLOW       Anywhere (v6)
>> > SSH (v6)                   ALLOW       Anywhere (v6)
>> > 2222/tcp (v6)              ALLOW       Anywhere (v6)
>> >
>> >
>> > root@Casa-mia-1:~# iptables -t nat -L -n -v
>> > Chain PREROUTING (policy ACCEPT 1081 packets, 70666 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >     0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpt:2222 to:192.168.3.1:2222
>> >
>> > Chain INPUT (policy ACCEPT 21 packets, 2919 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > Chain OUTPUT (policy ACCEPT 125 packets, 8738 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > Chain POSTROUTING (policy ACCEPT 125 packets, 8738 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >   885 56073 MASQUERADE  all  --  *      eno1    192.168.3.0/24       0.0.0.0/0
>> >
>> > root@Casa-mia-1:~# cat /etc/ufw/sysctl.conf |grep -i ip_forward
>> > net/ipv4/ip_forward=1
>> >
>> > My Pc:
>> >
>> > root@aldomaggi:~# iptables -t nat -L -n -v
>> > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>> >  pkts bytes target     prot opt in     out     source               destination
>> >
>> > root@aldomaggi:~# cat /etc/ssh/sshd_config |grep -i port
>> > #Porta non standard 2222
>> > Port 2222
>> >
>> > I thank you in advance for any help you can give me!
>> >
>> > Aldo :-)
>> >
>> >
>> >
>> >
>>
>
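
The kern.log check suggested in the reply above, as an added example that is not part of the original thread: a shell function that summarises UFW log lines for one destination port and labels each as INPUT (addressed to the logging host itself) or FORWARD (being routed through it). The log lines are constructed and shortened, and the client address 192.168.1.50 is an assumption; the other addresses and interface names are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: summarise UFW entries in kern.log for one destination port.
# Usage: ufw_port_summary PORT < /var/log/kern.log

ufw_port_summary() {
    awk -v port="$1" '
    match($0, /\[UFW [A-Z ]+\]/) {
        # Text between "[UFW " and "]", e.g. BLOCK or ALLOW.
        action = substr($0, RSTART + 5, RLENGTH - 6)
        split("", f)                      # forget the previous line
        for (i = 1; i <= NF; i++) {       # collect KEY=VALUE fields
            p = index($i, "=")
            if (p > 0) f[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        if (f["DPT"] != port) next
        # Empty OUT= : packet was addressed to this host (INPUT chain).
        # IN= and OUT= both set: packet was being routed (FORWARD chain).
        if (f["IN"] == "")       chain = "OUTPUT"
        else if (f["OUT"] == "") chain = "INPUT"
        else                     chain = "FORWARD"
        in_if  = (f["IN"]  == "" ? "-" : f["IN"])
        out_if = (f["OUT"] == "" ? "-" : f["OUT"])
        n[action " " chain " in=" in_if " out=" out_if " " f["SRC"] " -> " f["DST"]]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort
}

# Constructed, shortened sample lines (not taken from the thread).
sample_kern_log() {
    cat <<'EOF'
Feb  7 22:10:01 Casa-mia-1 kernel: [UFW BLOCK] IN=eno1 OUT=eno2 SRC=192.168.1.50 DST=192.168.3.100 LEN=60 PROTO=TCP SPT=40000 DPT=2222
Feb  7 22:10:02 Casa-mia-1 kernel: [UFW BLOCK] IN=eno1 OUT=eno2 SRC=192.168.1.50 DST=192.168.3.100 LEN=60 PROTO=TCP SPT=40000 DPT=2222
Feb  7 22:10:05 Casa-mia-1 kernel: [UFW BLOCK] IN=eno1 OUT= SRC=192.168.1.50 DST=192.168.1.120 LEN=60 PROTO=TCP SPT=40002 DPT=23
Feb  7 22:10:07 Casa-mia-1 kernel: [UFW ALLOW] IN=eno1 OUT= SRC=192.168.1.50 DST=192.168.3.1 LEN=60 PROTO=TCP SPT=40004 DPT=2222
EOF
}

sample_kern_log | ufw_port_summary 2222
```

Each output line is a count followed by the action, chain, interfaces and address pair, so repeated SYN retries collapse into one row.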

