• I cannot ssh from wan/lan to my pc behind a home server

    From Aldo Maggi@21:1/5 to All on Wed Feb 7 20:50:01 2018
    I'm having problems with ssh from the WAN while contacting my PC in the
    LAN.

    It worked when I just had to go through the router provided by the ISP,
    but problems arose when I decided to use a small server which I want
    to use as a file server for our family PCs, laptops and smartphone, and
    for transferring there the web server where I have my blog. My home LAN
    (limiting it to my PC) is as follows:


    WAN
     |
    ----------
    | Router |
    ----------
     | 192.168.1.1
     |
    eno1 | 192.168.1.120
    ----------------
    |              |
    | File Server  |
    |              |
    ----------------
    eno2 | 192.168.3.1
     |
    enp2s0 | 192.168.3.100
    ----------------
    |              |
    |    My Pc     |
    |              |
    ----------------

    From the File Server I can ssh to my PC on port 2222.
    From the LAN (which is in 192.168.1.0) it is not possible to ssh to my PC,
    which is in the 192.168.3.0 net.


    File Server:
    (in "ufw status" output I have left only what I thought to be of
    interest)
    root@Casa-mia-1:~# ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    OpenSSH                    ALLOW       Anywhere
    SSH                        ALLOW       Anywhere
    Anywhere                   ALLOW       192.168.3.100
    Anywhere                   ALLOW       192.168.3.0/24
    2222/tcp                   ALLOW       Anywhere
    22/tcp (v6)                ALLOW       Anywhere (v6)
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    SSH (v6)                   ALLOW       Anywhere (v6)
    2222/tcp (v6)              ALLOW       Anywhere (v6)


    root@Casa-mia-1:~# iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 1081 packets, 70666 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpt:2222 to:192.168.3.1:2222

    Chain INPUT (policy ACCEPT 21 packets, 2919 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 125 packets, 8738 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 125 packets, 8738 bytes)
     pkts bytes target     prot opt in     out     source               destination
      885 56073 MASQUERADE all  --  *      eno1    192.168.3.0/24       0.0.0.0/0

    root@Casa-mia-1:~# cat /etc/ufw/sysctl.conf |grep -i ip_forward
    net/ipv4/ip_forward=1

    My Pc:

    root@aldomaggi:~# iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    root@aldomaggi:~# cat /etc/ssh/sshd_config |grep -i port
    #Porta non standard 2222
    Port 2222

    I thank you in advance for any help you can give me!

    Aldo :-)




    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Luis@21:1/5 to Aldo Maggi on Wed Feb 7 21:50:01 2018
    Aldo,

    "Router" and "My PC" are not in the same network. Does your "File
    Server" do NAT ??

    Luis.-


  • From Aldo Maggi@21:1/5 to All on Wed Feb 7 22:10:01 2018
    Luis,

    I'm sure it must be a problem of NAT, but if you look at the output
    of "iptables -t nat -L -n -v" you can read this line (a bit mixed up!):
    Chain PREROUTING (policy ACCEPT 1081 packets, 70666 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpt:2222 to:192.168.3.1:2222

    To my very, very limited knowledge, it should do NAT! But it doesn't :-(

    Thanks,
    Aldo :-)





  • From Gerdriaan Mulder@21:1/5 to Aldo Maggi on Wed Feb 7 22:30:01 2018
    Can you check whether you can access your home pc from the
    192.168.1.0/24 network? So, connect a device to your router on the LAN
    side, acquire an IP lease in the 192.168.1.0/24 network, and connect
    to 192.168.1.120 on port 2222.

    If that doesn't work, can you insert extra logging rules in ufw?
    Packets that would be dropped then appear in /var/log/kern.log, which
    helps with debugging your problem.

    ~ Gerdriaan

  • From Gerdriaan Mulder@21:1/5 to Aldo Maggi on Thu Feb 8 07:50:02 2018
    Hi Aldo,

    Please also reply to the list, so the other members can read along.
    I've redacted your MAC addresses in the quote below, because I think
    they are not needed.

    On 7 February 2018 at 23:22, Aldo Maggi <sentiniate@virgilio.it> wrote:
    > I switched the level of logging of ufw to "full" and in "kern.log" I
    > have found the following:
    > root@Casa-mia-1:~# cat /var/log/kern.log |grep -i DPT=2222
    > Feb 7 23:00:12 Casa-mia-1 kernel: [14311.741791] [UFW AUDIT] IN=eno1 OUT= MAC=<> SRC=192.168.1.1 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27675 DF PROTO=TCP SPT=45892 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
    >
    > Feb 7 23:08:48 Casa-mia-1 kernel: [14827.858458] [UFW AUDIT] IN=eno1 OUT= MAC=<> SRC=192.168.1.1 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45177 DF PROTO=TCP SPT=42165 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
    >
    > Feb 7 23:09:50 Casa-mia-1 kernel: [14890.104629] [UFW AUDIT] IN=eno1 OUT= MAC=<> SRC=192.168.1.1 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53838 DF PROTO=TCP SPT=58074 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0

    So a connection with destination port 2222 has a destination IP
    address of 192.168.3.1 in these logs. Your PC has 192.168.3.100, so I
    think you need to edit the NAT rule that forwards 2222 to point to
    192.168.3.100 instead of 192.168.3.1.

    ~ Gerdriaan

    > These were three attempts to connect to 192.168.1.120 via ssh on port
    > 2222 from my smartphone with IP 192.168.1.4; in fact its MAC
    > (<>) is included inside "MAC=".
    >
    > Thanks for your help!
    >
    > Aldo :-)



  • From Aldo Maggi@21:1/5 to All on Thu Feb 8 09:40:02 2018
    Thank you Gerdriaan, your suggestion has solved the problem .... which
    actually I had tried before with no success; this means that I was
    wrong in something else. Your help has been decisive!

    A minor issue: I've applied a similar rule to port 5900 and obviously
    I've launched "systemctl -restart ufw", but now when I run "iptables -t
    nat -L -n -v" I get the following:
    ......
    Chain PREROUTING (policy ACCEPT 6 packets, 362 bytes)
     pkts bytes target     prot opt in     out     source               destination
        6   360 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpt:2222 to:192.168.3.100:2222
        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpt:2222 to:192.168.3.100:2222
        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            192.168.1.120        tcp dpts:5900:5910 to:192.168.3.100
    ......

    i.e. there are two lines (which are the same) referring to ssh and port
    2222.
    I've tried with "iptables -F && ufw reload" and "iptables -F ; ufw
    reload" but I lose control of the Server (I use Xephyr from my PC to
    drive it), I can no longer ssh to it, and the only way is to restart the
    Server (which, I admit, is not very professional :-D ).
    Anyway, it is my Home Server so, if someone has a solution, many
    thanks for it, otherwise I'll keep on going the unprofessional
    way! :-D

    Thanks to all,
    Aldo :-)

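Added example (mine, not from the thread): removing the duplicated DNAT rule without `iptables -F`. My reading of the lock-out is that flushing the filter table throws away the rules that were admitting the Xephyr and ssh sessions while ufw's deny policy stays in effect; deleting only the surplus copies in nat PREROUTING, one `iptables -t nat -D` per extra copy, touches nothing else. The function reads the `iptables -t nat -S PREROUTING` format, and the listing it runs on here is constructed to match the state posted above (the 2222 rule twice, the 5900:5910 rule once). Why the copies appear is my assumption, not something the thread establishes: ufw applies the *nat section of before.rules without flushing that table, so each `-A PREROUTING` line is appended again on every reload.

```shell
#!/bin/sh
# Added example, not code from the thread.
# duplicate_rule_deletes - stdin: "iptables -t nat -S PREROUTING" output
#                          stdout: one "iptables -t nat -D PREROUTING ..." command
#                                  per surplus copy of an identical rule
# Usage on the server:
#   iptables -t nat -S PREROUTING | duplicate_rule_deletes        # review first
#   iptables -t nat -S PREROUTING | duplicate_rule_deletes | sh   # then apply

duplicate_rule_deletes() {
    awk '
        $1 == "-A" && $2 == "PREROUTING" {
            rule = $0
            sub(/^-A PREROUTING[ \t]+/, "", rule)   # keep only the match/target spec
            if (++seen[rule] > 1)                   # first copy stays, extras go
                print "iptables -t nat -D PREROUTING " rule
        }'
}

# Constructed "-S PREROUTING" listing matching the state posted in the thread:
# the 2222 rule twice, the 5900-5910 rule once.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eno1 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.3.100:2222
-A PREROUTING -i eno1 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.3.100:2222
-A PREROUTING -i eno1 -p tcp -m tcp --dport 5900:5910 -j DNAT --to-destination 192.168.3.100'

echo "commands that would remove the surplus copies:"
printf '%s\n' "$SAMPLE_RULES" | duplicate_rule_deletes
```

`iptables -D` with a full rule specification deletes the first rule that matches it, so running the printed command once per surplus copy leaves exactly one copy of each rule and all other rules, in both the nat and filter tables, untouched.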