Re: Unable to ssh to Debian 9 from 9 or 11



On Sun, Jul 16, 2023 at 09:39:35AM +0200, Roger Price wrote:
> On Sat, 15 Jul 2023, Greg Wooledge wrote:
> > On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> > > rprice@kananga:~$ ssh -v rprice@maria
> > > ssh: connect to host maria port 22: Connection timed out
> > 
> > A timeout is an ENTIRELY different symptom, and when combined with
> > "but I can ping the remote", it means a firewall is involved.  Every
> > time.
> 
> I tried to clear out the existing firewall on a Debian 9 machine with the
> commands
> 
>  iptables -F
>  iptables -X
>  iptables -P INPUT ACCEPT
>  iptables -P FORWARD ACCEPT
>  iptables -P OUTPUT ACCEPT
> 
>  iptables -L -n --line-numbers reports
> 
>  Chain INPUT (policy ACCEPT)
>  num  target                    prot opt source     destination
>  1    ufw-before-logging-input  all  --  0.0.0.0/0  0.0.0.0/0
>  2    ufw-before-input          all  --  0.0.0.0/0  0.0.0.0/0
>  3    ufw-after-input           all  --  0.0.0.0/0  0.0.0.0/0
>  4    ufw-after-logging-input   all  --  0.0.0.0/0  0.0.0.0/0
>  5    ufw-reject-input          all  --  0.0.0.0/0  0.0.0.0/0
>  6    ufw-track-input           all  --  0.0.0.0/0  0.0.0.0/0
> 
>    ... and so on

This would be a good time to try ssh :-)

> I then recycled the Debian 9 machine, power off, power on, for a clean restart.
> After the restart, I tried to ssh from Debian 11 to that Debian 9 machine

That's too late: the iptables command just modifies the kernel's
settings. They are not persistent across a reboot. This is the
job of whatever firewall management thingy sets the firewall at
boot (it may be as simple as a self-made script calling iptables
or as complex as some firewalld or ufw, or some systemd thingmajig).

>  rprice@titan ~ ssh -v rprice@kananga
>  ssh: connect to host kananga port 22: Connection timed out
> 
> So it's something else?  Roger

No, this is to be expected: whatever did set up your firewall
on first boot will do that again at every reboot.

But before chasing that culprit it'd be nice to know we are
barking up the right tree: can you ssh after flushing the
firewalls and /before/ rebooting?

Cheers
-- 
tomás
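
An added example, not part of the original message: a shell check for the point made above, that a listing can show `policy ACCEPT` while jumps into `ufw-*` chains put back at boot still filter traffic. The helper names `sample_listing`, `summarize_chains` and `filter_is_open` are hypothetical, the sample listing is constructed in the format quoted in the thread, and only the filter table is considered.

```shell
#!/bin/sh
# Constructed sample in the `iptables -L -n --line-numbers` format quoted above.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target                    prot opt source     destination
1    ufw-before-logging-input  all  --  0.0.0.0/0  0.0.0.0/0
2    ufw-before-input          all  --  0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target  prot opt source  destination

Chain ufw-before-input (1 references)
num  target  prot opt source  destination
1    DROP    all  --  0.0.0.0/0  0.0.0.0/0
EOF
}

# summarize_chains (hypothetical helper): reads the listing on stdin and prints,
# per built-in chain: NAME policy=P rules=N ufw_jumps=M
summarize_chains() {
    awk '
        function emit() {
            if (chain != "")
                printf "%s policy=%s rules=%d ufw_jumps=%d\n", chain, policy, rules, ufw
        }
        /^Chain / {
            emit(); chain = ""
            # Only built-in chains carry "(policy X)"; user chains say "(N references)".
            if ($3 == "(policy") { chain = $2; policy = $4; sub(/\)$/, "", policy); rules = 0; ufw = 0 }
            next
        }
        chain != "" && $1 ~ /^[0-9]+$/ { rules++; if ($2 ~ /^ufw-/) ufw++ }
        END { emit() }
    '
}

# filter_is_open (hypothetical helper): exit 0 only when every built-in chain
# has policy ACCEPT and no rules, so an ssh test right after a flush is meaningful.
filter_is_open() {
    summarize_chains | awk '
        { n++ }
        $2 != "policy=ACCEPT" || $3 != "rules=0" { bad = 1 }
        END { if (n == 0 || bad) exit 1 }'
}

# Live use (as root): iptables -L -n --line-numbers | summarize_chains
sample_listing | summarize_chains
```

Running `filter_is_open` once right after the flush and again after a reboot shows whether a boot-time firewall manager has reinstalled its rules.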
