  1. #1

    Question Two linux PCs can't SSH to each other

    OK this one is going to be a challenge.

    I have a very simple setup: A linksys router, with three PCs connected to it. One is a windows PC, one is a linux (mandrake) pc, and one is a linux (fed core 2) pc.

    Everything works fine. Almost. My windows machine can ssh in to either of the linux PCs, and all three PCs have no problem sshing out to a remote computer on the net. Also, all three machines can ping each other.

    So here's the wacky part:

    The linux PCs can't SSH to each other. When either one tries to SSH to the other, it just times out and doesn't connect.

    Remember, the windows machine can ssh to either one just fine, and both linux PCs can ping each other. That kind of answers most questions you might ask.

    Firewall issue? No, because the windows PC can connect to either one. But I checked and the ssh ports are open.

    Do I have the wrong IP? No, because I use the same IPs when connecting from windows. Plus they can ping each other at those IPs.

    SSH version? I tried connecting with ssh -1 and ssh -2, and both time out.

    /etc/hosts.allow? No, I've never touched etc/hosts* files on either linux machine.


  2. #2
    I was just wondering did you test on the windows box trying to use two ssh sessions one for each box at the same time?

  3. #3
    Also, have you tried to change the ssh server ports for both the linux boxes? One with the default port of 22 and the other one on a different port.

  4. #4
    Originally posted by DiBellaweb
    I was just wondering did you test on the windows box trying to use two ssh sessions one for each box at the same time?
    Good question, and the answer is yes. That I can do fine.

    Second question- no, but I shouldn't have to. (Remember, the win2k box can ssh into either linux PC just fine. So, the firewall ports must be open. Also I can ssh into either linux PC from the outside- if I set the router to do port forwarding on port 22 etc etc. Port 22 is open on both linux PCs.)

  5. #5
    Have one of the linux machines scan the other. See if it finds an open ssh 22 port. If it sees the port as open, then no idea here, since you haven't done anything with iptables.

  6. #6
    Sn1p3, you've gotten me halfway there.

    You were right, one of the PCs, the core 2 machine, doesn't see port 22 as open on the other.

    So I opened the mandrake box wider and made sure its port 22 is really really really open. And now I can ssh to it from the core 2 box.

    But,

    I still can't do the reverse- ssh into the core 2 box from the mandrake box. And, in that case, the mandrake box DOES see port 22 open on the core 2 box. So there is some other, different problem going on there. I'm doubly cursed.

    Any ideas there?

    thanks again,
    rw

  7. #7
    That's all I could think of, no idea about the other one. Good luck tho, if you fix it lemme know what it was

  8. #8
    Looks like a fw issue, maybe you can post the output of iptables -L for both of your boxes (change the IPs if necessary).

  9. #9
    I've done some fiddling with it and I've found that in firestarter (which is on the mandrake pc), if I set it so that the fedora PC is in "trusted", then the mandrake pc can ssh to the fedora pc. Otherwise it can't. But that shouldn't be necessary. Port 22 is open on both of them to everyone (confirmed with port scan).

    Let me explain that again:

    The mandrake pc is trying to connect, as a client, over ssh, to the fedora core 2 pc.

    Both machines have port 22 open to all.

    The mandrake pc can't connect unless I tell it to "trust" the fedora PC (open all of its ports to it). This shouldn't be necessary since port 22 is open to all on both.

    And now, here is my iptables -L on the mandrake PC. I changed the name of my isp, but that's all:


    Chain INPUT (policy DROP)
    target prot opt source destination
    UNCLEAN all -- anywhere anywhere unclean
    ACCEPT tcp -- localhost.localdomain anywhere tcp flags:!SYN,RST,ACK/SYN
    ACCEPT udp -- localhost.localdomain anywhere
    ACCEPT tcp -- myisp.com anywhere tcp flags:!SYN,RST,ACK/SYN
    ACCEPT udp -- myisp.com anywhere
    ACCEPT all -- 192.168.1.100 anywhere
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:webcache
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:webcache
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpts:5900:5901
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpts:5900:5901
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpts:5800:5801
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpts:5800:5801
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:smtp
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:smtp
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:8086
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:8086
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:domain
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:domain
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:https
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:https
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:rndc
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:rndc
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:ssh
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpt:ssh
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere 192.168.1.0/24 limit: avg 10/sec burst 5
    LD all -- 0.0.0.0/8 192.168.1.0/24
    LD all -- 1.0.0.0/8 192.168.1.0/24
    LD all -- 2.0.0.0/8 192.168.1.0/24
    LD all -- 5.0.0.0/8 192.168.1.0/24
    LD all -- 7.0.0.0/8 192.168.1.0/24
    LD all -- 10.0.0.0/8 192.168.1.0/24
    LD all -- 23.0.0.0/8 192.168.1.0/24
    LD all -- 27.0.0.0/8 192.168.1.0/24
    LD all -- 31.0.0.0/8 192.168.1.0/24
    LD all -- 36.0.0.0/8 192.168.1.0/24
    LD all -- 37.0.0.0/8 192.168.1.0/24
    LD all -- 39.0.0.0/8 192.168.1.0/24
    LD all -- 41.0.0.0/8 192.168.1.0/24
    LD all -- 42.0.0.0/8 192.168.1.0/24
    LD all -- 49.0.0.0/8 192.168.1.0/24
    LD all -- 50.0.0.0/8 192.168.1.0/24
    LD all -- 58.0.0.0/8 192.168.1.0/24
    LD all -- 59.0.0.0/8 192.168.1.0/24
    LD all -- 032-238-079.area1.spcsdns.net/8 192.168.1.0/24
    LD all -- 71.0.0.0/8 192.168.1.0/24
    LD all -- 72.0.0.0/8 192.168.1.0/24
    LD all -- 73.0.0.0/8 192.168.1.0/24
    LD all -- 74.0.0.0/8 192.168.1.0/24
    LD all -- 75.0.0.0/8 192.168.1.0/24
    LD all -- 76.0.0.0/8 192.168.1.0/24
    LD all -- 77.0.0.0/8 192.168.1.0/24
    LD all -- 78.0.0.0/8 192.168.1.0/24
    LD all -- 79.0.0.0/8 192.168.1.0/24
    LD all -- 83.0.0.0/8 192.168.1.0/24
    LD all -- 84.0.0.0/8 192.168.1.0/24
    LD all -- 85.0.0.0/8 192.168.1.0/24
    LD all -- 86.0.0.0/8 192.168.1.0/24
    LD all -- 87.0.0.0/8 192.168.1.0/24
    LD all -- 88.0.0.0/8 192.168.1.0/24
    LD all -- 89.0.0.0/8 192.168.1.0/24
    LD all -- 90.0.0.0/8 192.168.1.0/24
    LD all -- 91.0.0.0/8 192.168.1.0/24
    LD all -- 92.0.0.0/8 192.168.1.0/24
    LD all -- 93.0.0.0/8 192.168.1.0/24
    LD all -- 94.0.0.0/8 192.168.1.0/24
    LD all -- 95.0.0.0/8 192.168.1.0/24
    LD all -- 96.0.0.0/8 192.168.1.0/24
    LD all -- 97.0.0.0/8 192.168.1.0/24
    LD all -- 98.0.0.0/8 192.168.1.0/24
    LD all -- 99.0.0.0/8 192.168.1.0/24
    LD all -- 100.0.0.0/8 192.168.1.0/24
    LD all -- 101.0.0.0/8 192.168.1.0/24
    LD all -- 102.0.0.0/8 192.168.1.0/24
    LD all -- 103.0.0.0/8 192.168.1.0/24
    LD all -- 104.0.0.0/8 192.168.1.0/24
    LD all -- 105.0.0.0/8 192.168.1.0/24
    LD all -- 106.0.0.0/8 192.168.1.0/24
    LD all -- 107.0.0.0/8 192.168.1.0/24
    LD all -- 108.0.0.0/8 192.168.1.0/24
    LD all -- 109.0.0.0/8 192.168.1.0/24
    LD all -- 110.0.0.0/8 192.168.1.0/24
    LD all -- 111.0.0.0/8 192.168.1.0/24
    LD all -- 112.0.0.0/8 192.168.1.0/24
    LD all -- 113.0.0.0/8 192.168.1.0/24
    LD all -- 114.0.0.0/8 192.168.1.0/24
    LD all -- 115.0.0.0/8 192.168.1.0/24
    LD all -- 116.0.0.0/8 192.168.1.0/24
    LD all -- 117.0.0.0/8 192.168.1.0/24
    LD all -- 118.0.0.0/8 192.168.1.0/24
    LD all -- 119.0.0.0/8 192.168.1.0/24
    LD all -- 120.0.0.0/8 192.168.1.0/24
    LD all -- 121.0.0.0/8 192.168.1.0/24
    LD all -- 122.0.0.0/8 192.168.1.0/24
    LD all -- 123.0.0.0/8 192.168.1.0/24
    LD all -- 124.0.0.0/8 192.168.1.0/24
    LD all -- 125.0.0.0/8 192.168.1.0/24
    LD all -- 126.0.0.0/8 192.168.1.0/24
    LD all -- 127.0.0.0/8 192.168.1.0/24
    LD all -- 169.254.0.0/16 192.168.1.0/24
    LD all -- 172.16.0.0/12 192.168.1.0/24
    LD all -- 173.0.0.0/8 192.168.1.0/24
    LD all -- 174.0.0.0/8 192.168.1.0/24
    LD all -- 175.0.0.0/8 192.168.1.0/24
    LD all -- 176.0.0.0/8 192.168.1.0/24
    LD all -- 177.0.0.0/8 192.168.1.0/24
    LD all -- 178.0.0.0/8 192.168.1.0/24
    LD all -- 179.0.0.0/8 192.168.1.0/24
    LD all -- 180.0.0.0/8 192.168.1.0/24
    LD all -- 181.0.0.0/8 192.168.1.0/24
    LD all -- 182.0.0.0/8 192.168.1.0/24
    LD all -- 183.0.0.0/8 192.168.1.0/24
    LD all -- 184.0.0.0/8 192.168.1.0/24
    LD all -- 185.0.0.0/8 192.168.1.0/24
    LD all -- 186.0.0.0/8 192.168.1.0/24
    LD all -- 187.0.0.0/8 192.168.1.0/24
    LD all -- 189.0.0.0/8 192.168.1.0/24
    LD all -- 190.0.0.0/8 192.168.1.0/24
    LD all -- 192.0.2.0/24 192.168.1.0/24
    LD all -- 192.168.0.0/16 192.168.1.0/24
    LD all -- 197.0.0.0/8 192.168.1.0/24
    LD all -- 198.18.0.0/15 192.168.1.0/24
    LD all -- 223.0.0.0/8 192.168.1.0/24
    LD all -- BASE-ADDRESS.MCAST.NET/3 192.168.1.0/24
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:31337 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpt:31337 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:33270 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpt:33270 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:1234 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:6711 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpts:12345:12346 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpts:12345:12346 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:135 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpt:135 limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:ingreslock limit: avg 2/min burst 5
    LD tcp -- anywhere 192.168.1.0/24 tcp dpt:27665 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpt:27444 limit: avg 2/min burst 5
    LD udp -- anywhere 192.168.1.0/24 udp dpt:31335 limit: avg 2/min burst 5
    LD all -- BASE-ADDRESS.MCAST.NET/8 anywhere
    LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
    LD all -- 255.255.255.255 anywhere
    LD all -- anywhere 0.0.0.0
    DROP all -- 10.0.0.255 anywhere
    DROP all -- 0.0.0.0 anywhere
    DROP all -- anywhere 255.255.255.255
    DROP all -- anywhere 0.0.0.0
    LD all -- anywhere anywhere state INVALID
    LD all -f anywhere anywhere limit: avg 10/min burst 5
    ACCEPT tcp -- anywhere anywhere tcp dpts:bootps:bootpc
    ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:ftp
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:ssh
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:http
    ACCEPT tcp -- anywhere 192.168.1.0/24 tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
    ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
    ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
    ACCEPT udp -- anywhere anywhere udp dpt:microsoft-ds
    LD tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:login:65535 flags:!SYN,RST,ACK/SYN state RELATED
    ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1023:65535 flags:!SYN,RST,ACK/SYN state RELATED
    STATE tcp -- anywhere 192.168.1.0/24 tcp dpts:1024:65535
    ACCEPT udp -- anywhere 192.168.1.0/24 udp dpts:1023:65535
    LD all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    UNCLEAN all -- anywhere anywhere unclean
    ACCEPT all -- anywhere anywhere
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:31337 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpt:31337 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:33270 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpt:33270 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:1234 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:6711 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpts:12345:12346 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpts:12345:12346 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:135 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpt:135 limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:ingreslock limit: avg 2/min burst 5
    LD tcp -- 192.168.1.0/24 anywhere tcp dpt:27665 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpt:27444 limit: avg 2/min burst 5
    LD udp -- 192.168.1.0/24 anywhere udp dpt:31335 limit: avg 2/min burst 5
    LD all -- BASE-ADDRESS.MCAST.NET/8 anywhere
    LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
    LD all -- 255.255.255.255 anywhere
    LD all -- anywhere 0.0.0.0
    DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
    all -- anywhere anywhere TTL match TTL == 64
    ACCEPT icmp -- 192.168.1.0/24 anywhere
    ACCEPT all -- anywhere anywhere

    Chain LD (146 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level warning
    DROP all -- anywhere anywhere

    Chain SANITY (0 references)
    target prot opt source destination
    LD all -- anywhere anywhere

    Chain STATE (1 references)
    target prot opt source destination
    LD all -- anywhere anywhere state NEW
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    LD all -- anywhere anywhere

    Chain UNCLEAN (2 references)
    target prot opt source destination
    LD all -- anywhere anywhere
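An added example, not from the thread or from firestarter: a small Python walker that replays packets, in posted order, through a hand-transcribed excerpt of the INPUT chain above (the "trusted" host ACCEPT, the dpt:ssh ACCEPT, the LD rule for 192.168.0.0/16 sources and the STATE jump), to show which rule decides an inbound SSH connection versus the server's reply traffic to a local SSH client. The addresses .100/.101/.102, the ephemeral port, and the assumption that the bare "ACCEPT all anywhere anywhere" lines are loopback-only rules whose interface match iptables -L does not print are mine, not the poster's.

```python
import ipaddress

def net(s):
    """Map an iptables -L address column to a network ('anywhere' -> 0.0.0.0/0)."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "anywhere" else s, strict=False)

# Rule = (target, proto, src, dst, dport range or None, conntrack state or None).
# Abbreviated, hand-transcribed excerpt of the posted INPUT chain, original order kept.
# Assumption: the bare "ACCEPT all anywhere anywhere" lines are loopback-only and are omitted.
CHAINS = {
    "INPUT": [
        ("ACCEPT", "all", "192.168.1.100", "anywhere", None, None),       # firestarter "trusted" host
        ("ACCEPT", "tcp", "anywhere", "192.168.1.0/24", (22, 22), None),  # dpt:ssh
        ("LD", "all", "192.168.0.0/16", "192.168.1.0/24", None, None),    # private-range block
        ("STATE", "tcp", "anywhere", "192.168.1.0/24", (1024, 65535), None),
        ("LD", "all", "anywhere", "anywhere", None, None),                # final log+drop
    ],
    "STATE": [
        ("LD", "all", "anywhere", "anywhere", None, "NEW"),
        ("ACCEPT", "all", "anywhere", "anywhere", None, "RELATED,ESTABLISHED"),
        ("LD", "all", "anywhere", "anywhere", None, None),
    ],
}

def matches(rule, pkt):
    _, proto, src, dst, dports, state = rule
    return (proto in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in net(src)
            and ipaddress.ip_address(pkt["dst"]) in net(dst)
            and (dports is None or dports[0] <= pkt["dport"] <= dports[1])
            and (state is None or pkt["state"] in state.split(",")))

def verdict(pkt, chain="INPUT"):
    """First-match walk like the kernel's; LD is firestarter's log-then-DROP chain."""
    for i, rule in enumerate(CHAINS[chain]):
        if not matches(rule, pkt):
            continue
        target = rule[0]
        if target in CHAINS:                       # jump into a user chain
            result = verdict(pkt, target)
            if result:                             # None means the user chain fell through
                return result
        else:
            return ("DROP" if target == "LD" else target, f"{chain}#{i}")
    return ("DROP", "INPUT policy") if chain == "INPUT" else None

# Constructed addresses: .101 stands for the fedora box, .102 for the mandrake box.
SYN_TO_SSHD = {"proto": "tcp", "src": "192.168.1.101", "dst": "192.168.1.102",
               "dport": 22, "state": "NEW"}                  # fedora -> mandrake sshd
REPLY_TO_CLIENT = {"proto": "tcp", "src": "192.168.1.101", "dst": "192.168.1.102",
                   "dport": 40123, "state": "ESTABLISHED"}   # fedora sshd -> mandrake ssh client
TRUSTED_REPLY = dict(REPLY_TO_CLIENT, src="192.168.1.100")   # same reply from the "trusted" host
```

The inbound SYN to port 22 is accepted by the dpt:ssh rule, but the reply to a local client's ephemeral port reaches the 192.168.0.0/16 LD rule before the STATE chain that would have accepted it as ESTABLISHED, which is the asymmetry the thread describes.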
