...making Linux just a little more fun!
raj [raj at technofina.com]
Wed, 29 Nov 2006 15:20:39 -0500
Hi,
My Name is Raj and i work as a technical recruiter in a software consulting firm.
At our office we have a Red Hat Linux based system which we use to train students on Java/J2EE. The problem is that students are able to access the Linux server (using ssh) from within the office intranet, but not via the internet from their homes. They get a pop-up from the ssh client saying that "the host x.x.x.x is unreachable. the host may be down, or there may be a problem with the network connection. some times the problem is caused by a misconfigured firewall"
The students are able to ping the server (we have a static IP assigned to us by the ISP) from their homes. I need your help in resolving the above problem. BTW the server is behind two switches, the first switch is connected to the DSL modem provided by the ISP, and I have set the required port forwarding settings.
Thanks in advance
Thanks,
Raj
Technical Recruiter
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Wed, 29 Nov 2006 23:01:18 +0100 (MET)
On Wed, 29 Nov 2006 15:20:39 -0500 "raj" <[email protected]> wrote:
> internet from their homes. They get a pop up from the ssh client
> saying that "the host x.x.x.x is unreachable. the host may be down, or
> there may be a problem with the network connection. some times the
> problem is caused by a misconfigured firewall"
> ...
> BTW the server is behind two switches, the first witch
> is connected to the DSL modem provided by the ISP ,and i have set the
> required port forwarding settings
> Thanks in advance
Hm... check if the connection attempts actually make it to the host (see loglevel of sshd, syslog). Even the default loglevel should log the unsuccessful attempt and probably give a reason why it was denied. Ditto if it's the firewall. On Debian it's /var/log/syslog -- Red Hat will have something similar.
If you don't see a log entry from outside but you see log entries from inside, the connection is blocked at the ISP or in the switches. If it makes it to your host, it's blocked by some permission restriction on the host itself.
K.-H.
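The inside-versus-outside log check suggested above, written out as a small script (an added example, not code from the thread; the sshd log lines it parses are constructed, and the assumption is that the office intranet uses RFC 1918 addresses):

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd syslog lines (not taken from the thread). On a
# Red Hat box of that era these live in /var/log/secure.
SAMPLE_LOG = """\
Nov 29 15:01:02 Sai sshd[2311]: Accepted password for student from 192.168.1.45 port 51022 ssh2
Nov 29 15:03:10 Sai sshd[2340]: Failed password for student from 192.168.1.77 port 51100 ssh2
Nov 29 15:05:44 Sai sshd[2361]: Did not receive identification string from 192.168.1.45
Nov 29 20:12:07 Sai sshd[2502]: Accepted publickey for raj from 10.0.0.6 port 40022 ssh2
Nov 29 21:30:15 Sai cron[2600]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Office intranet ranges (RFC 1918) plus loopback; anything else is "outside".
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Any sshd message that names a peer: "... from <ip>" (port and ssh2 may follow).
SSHD_RE = re.compile(r"sshd\[\d+\]: .*? from (?P<ip>[0-9a-fA-F:.]+)")

def classify_sshd_sources(log_text):
    """Count sshd log entries per source IP, split into inside/outside."""
    result = {"inside": Counter(), "outside": Counter()}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd line, or an sshd line with no peer address
        ip = ipaddress.ip_address(m.group("ip"))
        bucket = "inside" if any(ip in net for net in INSIDE_NETS) else "outside"
        result[bucket][str(ip)] += 1
    return result

def diagnose(log_text):
    """Apply the reasoning from the reply: inside entries but no outside ones
    means external packets are dropped before the host (ISP, router, port
    forwarding); outside entries mean they arrive and any denial is local."""
    c = classify_sshd_sources(log_text)
    if c["outside"]:
        return "reaching-host"
    if c["inside"]:
        return "blocked-before-host"
    return "no-sshd-entries"

if __name__ == "__main__":
    counts = classify_sshd_sources(SAMPLE_LOG)
    print("inside:", dict(counts["inside"]), "outside:", dict(counts["outside"]))
    print("verdict:", diagnose(SAMPLE_LOG))
```

Run it against the real file (cat /var/log/secure | python3 script.py after swapping SAMPLE_LOG for sys.stdin.read()) while a student attempts a connection from home; the verdict tells you which side of the router to look at.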
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Wed, 29 Nov 2006 23:03:00 +0100 (MET)
And one other hint: your switches are not by any chance NATing? That would explain a working ping, as the switch/router itself might answer the ping, but you never make it through the NAT with ssh because that port is not open on the router.
K.-H.
raj [raj at technofina.com]
Thu, 30 Nov 2006 19:22:50 -0500
Thanks Karl and Benjamin for the info. I tried doing the following:
[root@Sai ~]# nmap 127.0.0.1

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-11-27 19:07 EST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
199/tcp  open  smux
631/tcp  open  ipp
819/tcp  open  unknown
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.280 seconds
[root@Sai ~]#
BTW I think I forgot to include info about my network architecture. We have a static IP given by my ISP (Verizon) and it's different from 70.86.149.8 (which is the IP of my mail/domain host provider). It's 68.236.165.69.
As I have told before, we are connected to the internet via a DSL connection provided to us by our ISP, and the DSL modem is connected to one 8-port switch which is in turn connected to a 24-port switch, to which I have connected my server.
I will try calling the manufacturer of my switch and try getting some help from him. I tried calling my ISP but apart from taking money they care $hit (we pay $70/month for the static IP, but they would not help me with remote connection).
-Raj
Predrag Ivanovic [predivan at ptt.yu]
Fri, 1 Dec 2006 13:50:06 +0100
On Thu, 30 Nov 2006 19:22:50 -0500 raj wrote:
<snip>
Raj, friendly advice: do not top post, you are risking The Wrath of Thomas
Oh, and get a decent/sane mail client, if you can, that would help...
Pedja
-- "Yeah, but you're taking the universe out of context."
Kat Tanaka Okopnik [kat at linuxgazette.net]
Fri, 1 Dec 2006 07:15:34 -0800
On Fri, Dec 01, 2006 at 01:50:06PM +0100, Predrag Ivanovic wrote:
> On Thu, 30 Nov 2006 19:22:50 -0500
> raj wrote:
> <snip>
> Raj, friendly advice: do not top post, you are risking The Wrath of Thomas
> Oh, and get a decent/sane mail client, if you can, that would help...
>
> Pedja
Well, I don't know about "The Wrath of Thomas", but I can vouch for "The Ire of Kat", given that I've just finished editing the Mailbag.
-- Kat Tanaka Okopnik Linux Gazette Mailbag Editor [email protected]
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Fri, 1 Dec 2006 20:15:50 +0100 (MET)
Hi Raj,
On Thu, 30 Nov 2006 19:22:50 -0500 "raj" <[email protected]> wrote:
> Thanks Karl And benjamin, for the info . I tried doing the following
> [root@Sai ~]# nmap 127.0.0.1
>
> Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-11-27 19:07 EST
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 1653 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
This tells you your box has an open ssh port reachable from yourself. It would be more interesting to see what nmap against your actual IP 68.236.165.69 tells you when you run nmap inside your network, and what's different if you run it from outside. Just now I can't even ping you, the IP seems down.
Another tool which might be useful is traceroute. It sends IP packets with a deliberately low setting on the max-hop counter. With that trick it can see which computer/router is 1, 2, 3, ... etc. hops away on a given connection. For example if I run traceroute (-p 22 sets that I want to use port 22 explicitly) against your IP I get:
/usr/sbin/traceroute -p 22 68.236.165.69
traceroute to 68.236.165.69 (68.236.165.69), 30 hops max, 40 byte packets
 1  10.0.0.2  65.187 ms  64.616 ms  63.269 ms
 2  82.119.162.241  61.871 ms  75.829 ms  74.663 ms
 3  * * *
 4  217.71.104.237  78.654 ms  77.257 ms  75.864 ms
 5  ASH-1-pos000.us.lambdanet.net (81.209.156.30)  168.810 ms  186.964 ms  185.816 ms
 6  pop1-ash-S7-0-1.atdn.net (66.185.138.241)  181.809 ms  180.439 ms  195.791 ms
 7  Verizon.atdn.net (66.185.144.158)  169.589 ms  170.196 ms  168.842 ms
 8  so-6-1-0-0.BB-RTR1.RES.verizon-gni.net (130.81.17.176)  167.724 ms  184.658 ms  183.542 ms
 9  so-7-2-0-0.BB-RTR1.NY325.verizon-gni.net (130.81.8.254)  159.975 ms  177.493 ms  176.046 ms
10  * * *
11  A3-0-0-1710.DSL-RTR1.NY325.verizon-gni.net (130.81.8.198)  185.084 ms  184.548 ms  181.714 ms
12  * * *
My own dynamic IP (of the DSL router) is right now 82.119.167.*, my internal IP is 10.0.0.6 (DHCP gave that one to me) and you can see that the very first hop goes via 10.0.0.2 -- which is my DSL router. In between is a little switch but that is set to be transparent, i.e. it does not show up as a discrete step on the routing. The next hop is 82.119.*, which is probably the very first machine of my ISP I'm talking to. Hop nr 3 likes to stay anonymous and then in a few hops I reach a Verizon server and after that the computers are not responding anymore (i.e. all the * * *).
If you run traceroute from outside against your IP at a time it is working, you should maybe see a trace of your last Verizon box, then maybe your two routers show up (depends if they ignore these max-hop ping packets or not). Just maybe you see that one of your switches passes the packet to the wrong place.... Or you can verify the packets actually reach your box and are discarded right there. Since you said your ping is working, try with -p 22 and without -- the latter should send standard pings and be able to get through all the way.
K.-H.
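A parser for the traceroute output above that reports the last router known to have forwarded the probes and which hops stayed silent (an added example, not code from the thread; it works on pasted traceroute text rather than running traceroute itself, so it is usable when comparing an inside run with an outside one):

```python
import re

# The traceroute output Karl-Heinz posted against 68.236.165.69, one hop per
# line as traceroute prints it (copied from the thread, not a new run).
TRACE = """\
traceroute to 68.236.165.69 (68.236.165.69), 30 hops max, 40 byte packets
 1  10.0.0.2  65.187 ms  64.616 ms  63.269 ms
 2  82.119.162.241  61.871 ms  75.829 ms  74.663 ms
 3  * * *
 4  217.71.104.237  78.654 ms  77.257 ms  75.864 ms
 5  ASH-1-pos000.us.lambdanet.net (81.209.156.30)  168.810 ms  186.964 ms  185.816 ms
 6  pop1-ash-S7-0-1.atdn.net (66.185.138.241)  181.809 ms  180.439 ms  195.791 ms
 7  Verizon.atdn.net (66.185.144.158)  169.589 ms  170.196 ms  168.842 ms
 8  so-6-1-0-0.BB-RTR1.RES.verizon-gni.net (130.81.17.176)  167.724 ms  184.658 ms  183.542 ms
 9  so-7-2-0-0.BB-RTR1.NY325.verizon-gni.net (130.81.8.254)  159.975 ms  177.493 ms  176.046 ms
10  * * *
11  A3-0-0-1710.DSL-RTR1.NY325.verizon-gni.net (130.81.8.198)  185.084 ms  184.548 ms  181.714 ms
12  * * *
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((?P<target>[\d.]+)\)")
HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_traceroute(text):
    """Return (target_ip, [(hop_number, responder_ip_or_None), ...])."""
    target, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h.group("target")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("rest"))  # None for a silent "* * *" hop
        hops.append((int(m.group("n")), ip.group(1) if ip else None))
    return target, hops

def summarize(text):
    """Where did the probes stop? The last answering hop is the last router
    known to have forwarded them; silent hops are filtering or rate-limiting."""
    target, hops = parse_traceroute(text)
    answered = [ip for _, ip in hops if ip]
    return {
        "target": target,
        "reached": target in answered,
        "last_responding": answered[-1] if answered else None,
        "silent_hops": [n for n, ip in hops if ip is None],
    }
```

For the posted trace this gives last_responding 130.81.8.198 (a Verizon DSL router) and reached False, which is exactly the "stops at the ISP, never shows the office routers" pattern the reply describes.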