
Re: SSH port 22 is invisible from the internet!! :(

> On Mon, Apr 09, 2007 at 03:53:24PM +0200, Jochen Schulz wrote:
>>> I use iptables as a firewall and have added a rule to open the port 22:
>> That probably means you are blocking any traffic not explicitly allowed,
>> correct? Maybe it would help to show us your complete iptables script.
> I attach the iptables script to this mail.

Still looks fine (as far as I am able to parse iptables-save's output).

>> And you are connected directly to the internet, right? No NAT?
> It's a long story. :(
> My ISP uses a PPTP VPN to share the internet among clients.
> So everybody is happy because they use Windows, but I must set up my
> Etch to:
> 1. use dhcp on eth0
> 2. set up pptplinux to bring up the ppp0 interface so I can connect to
> the internet.
> 3. I asked for and got from my ISP a public IP address that I use so
> that others can reach my apache2 www server from the internet and I can
> use exim4 for mail, because the mail system of my ISP has a bad
> setup.

Hm, weird setup. So you get a non-public IP address on eth0 via DHCP and
a "static" public address for ppp0?

>> To debug it a little bit more, you could use tcpdump to see whether you
>> can see packets coming on port 22/tcp at all (tcpdump -i $dev "port
>> 22"). If you do, you have a problem with outgoing packets which would
>> explain the timeouts.
> I do:
> $ sudo tcpdump -vv -i ppp0 "port 22"
> tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> so if you could, please try to connect with ssh to my system!

Done (twice). Got a timeout again.

If you can see either both incoming and outgoing packets or no packets
at all, your setup is fine and someone else is dropping them. If you see
only incoming packets, it's your fault.

In any case, I would now try to let sshd listen on another port that is
probably not filtered (like 443).

> You could use the "sshuser" username and "1234qwer" password for this. :)

You should definitely remove that test user *now*. To debug connection
problems on that network layer, there's no need for anyone to be able to
login. Trying to login (even if just to fail to do that) is enough.

If I had to live on a desert island I would take a mobile phone,
preferably a Nokia 8810.
[Agree]   [Disagree]
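The tcpdump rule of thumb in the reply above (incoming and outgoing packets, or no packets at all, means this host is fine; incoming only means this host is at fault) turned into a small classifier. This is an added example, not code from the thread or from any of its participants. It reads the text output of `tcpdump -n -i ppp0 'tcp port 22'` on stdin and assumes this host is the SSH server, so a SYN arriving at port 22 is a client connecting in and a SYN-ACK (or RST) leaving from port 22 is this host's answer. The sample capture lines at the bottom are constructed, not real traffic, and the addresses in them are documentation ranges.

```shell
#!/bin/sh
# Classify a tcpdump capture of SSH traffic by who is dropping what.
# Expected input: lines in the format of "tcpdump -n -i ppp0 'tcp port 22'",
# e.g. "IP 203.0.113.5.51234 > 198.51.100.7.22: Flags [S], seq 1, ..."
# Assumption: this host is the server (sshd listens on $port here).

classify_ssh_capture() {
    port=${1:-22}            # local sshd port to look at
    in_syn=0 out_synack=0 out_rst=0
    while IFS= read -r line; do
        case $line in
            # client -> us: "<client>.<sport> > <us>.<port>: Flags [S],"
            *" > "*".$port: Flags [S],"*)   in_syn=$((in_syn + 1)) ;;
            # us -> client, handshake answer: "<us>.<port> > <client>.<sport>: Flags [S.],"
            *".$port > "*": Flags [S.],"*)  out_synack=$((out_synack + 1)) ;;
            # us -> client, refusal: nothing is listening on <port>
            *".$port > "*": Flags [R"*)     out_rst=$((out_rst + 1)) ;;
        esac
    done
    if [ "$in_syn" -eq 0 ]; then
        echo "no-packets: nothing reached port $port; something upstream (ISP/VPN) is dropping it"
    elif [ "$out_rst" -gt 0 ]; then
        echo "refused: $out_rst RST(s) sent; packets arrive but sshd is not listening on $port"
    elif [ "$out_synack" -eq 0 ]; then
        echo "no-reply: $in_syn SYN(s) seen, no SYN-ACK sent; the local firewall is eating the reply"
    else
        echo "ok: $in_syn SYN(s), $out_synack SYN-ACK(s); this host is fine, look beyond it"
    fi
}

# Constructed sample capture (not real traffic): two client SYNs, no answer,
# i.e. the "only incoming packets" case from the thread.
sample='IP 203.0.113.5.51234 > 198.51.100.7.22: Flags [S], seq 1, win 5840, length 0
IP 203.0.113.5.51234 > 198.51.100.7.22: Flags [S], seq 1, win 5840, length 0'

printf '%s\n' "$sample" | classify_ssh_capture 22
```

Run it against a real capture with `tcpdump -n -i ppp0 'tcp port 22' | sh -c '. ./classify.sh'` after stripping the sample lines, or just pipe a saved capture file into `classify_ssh_capture 22`. The "refused" branch is the case the rule of thumb does not mention: if this host answers with RST, the firewall is letting traffic through and the problem is sshd not listening on that interface or port.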

