SSH from a forwarder isn't working

By cpfeiffe
Fact: Recently upgraded from RHEL3 to RHEL4. All was good before then. Problem started immediately after the upgrade.

Fact: The server always works fine when SSH connections are made directly to it

Fact: The server never works when SSH connections are made through the firewall/forwarder

Fact: The firewall/forwarder is SuSE Linux using iptables

Details:
After the upgrade, the SSH server stopped working remotely (from my home to the office). Snoops on the firewall and on the SSH server show that my client connection is received by the firewall, NATed, sent to the SSH server and received by the SSH server in less than 1.5 seconds. The SSH server never replies. After two additional attempts to connect, the client times out. Why isn't the SSH server replying?

I turned on SSH debugging (sshd -d -d -d) and sent *.debug to /var/log/debug, but there is nothing in /var/log/debug. If the SSH server isn't replying shouldn't it log an issue?

I see that the problem is isolated to the forwarder, but I still go back to two things...
1) The only thing that changed was the SSH server and as soon as the upgrade completed it became a problem.
2) The forwarder is passing the traffic to the SSH server correctly. Nothing is different in this snoop v. the snoop we did a while back for another problem (happened to have some SSH traffic in it).

I even turned off iptables and relaxed all SSH security on the SSH server.

Any thoughts would be greatly appreciated.

11 total posts (Page 1 of 2)   01 | 02   Next
by stress junkie In reply to SSH from a forwarder isn' ...

Is your Red Hat server running a firewall? If it is then the dropped connection requests could be in the firewall log, not the sshd log.

An upgrade may wipe out any customizations that you had made. In this case if the Red Hat server is running a firewall it may be set to silently drop connect requests.

Or, the upgrade may have turned off your sshd service. See if sshd is running at all. See if the service is enabled in /etc/services. Walk through the entire process of setting sshd up on the Red Hat machine.

Upgrades can be a pain. I prefer a fresh install. That way you know that you have to do everything to customize the configuration. It's so easy to overlook something after an upgrade that a fresh install may be less work overall.

by stress junkie In reply to

I haven't forgotten about you. Your latest comment about turning off the server firewall anticipated my next suggestion. I'm going to do a little research. Hopefully I'll be inspired or someone else will have an idea for you. There has to be an answer.

by stress junkie In reply to

Back to log files for help. Increase your log level for sshd to DEBUG or higher (/etc/ssh/sshd_config). Try the login and read the log file. It may send messages to /var/log/messages unless you have specified some other file. I'm thinking that the OS upgrade may have made a change to your original configuration. A log of messages from sshd during a failure should point to the problem, especially when compared to messages of successful connections. Let me know how that turns out. I'm very interested in knowing what eventually works.

by stress junkie In reply to

Hello. Are you still there? Did you increase the log level for the sshd on the server? If you can see details of both successful and unsuccessful transactions then you will be better informed about exactly what is going wrong.

by cpfeiffe In reply to SSH from a forwarder isn' ...

The server is running a firewall, but as noted I turned it off and it didn't help. The SSH service is running because as noted I can connect locally. I will enable logging for ssh in iptables to see if that catches any additional information, but since turning off iptables doesn't make a difference I doubt it will catch anything other than that it accepted the packet. I think the problem is with the SSH service, but I do have the latest release and I can't find anything wrong.

by cpfeiffe In reply to SSH from a forwarder isn' ...

Good call on adding the logging to iptables. But now I'm more confused. iptables does capture outbound "response" packets from the SSH server. However, there doesn't seem to be a problem. The log entries look just like the ones for an internal server that is working. Yet, if I turn iptables off it still doesn't work so iptables isn't hurting anything. Why would it get as far as iptables, but not to the NIC if the problem isn't iptables?

by Nico Baggus In reply to SSH from a forwarder isn' ...

Might this be a routing issue on the SSH server? Did you add the logging on the SSH server or on the firewall/forwarder?

(Are you able to ping/traceroute to your home address from the SSH server?)

Kind regards,
Nico Baggus

by cpfeiffe In reply to SSH from a forwarder isn' ...

ping/trace work fine. Definitely a firewall problem. We brought a new server online and decided to test it as well to see if there would be a difference. Still the same thing. Works fine internally, but the forwarder through the firewall doesn't. Strange thing is iptables forwarders are pretty simple and I don't see anything wrong.
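The iptables logging cpfeiffe added and the routing question Nico Baggus raised can be checked together by correlating the LOG lines: pair each inbound SSH SYN with the server's SYN-ACK and compare the interface the reply leaves on with the one the request arrived on. This is an added example, not code from the thread; the LOG prefixes, addresses and interfaces are constructed.

```python
import re

# Constructed sample syslog lines in the format iptables LOG rules emit
# (an INPUT rule tagged SSH-IN logs inbound SYNs to port 22; an OUTPUT
# rule tagged SSH-OUT logs the server's SYN-ACK replies). Addresses and
# interfaces are made up for the example.
SAMPLE_LOG = """\
kernel: SSH-IN: IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
kernel: SSH-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=22 DPT=40001 ACK SYN URGP=0
kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
kernel: SSH-OUT: IN= OUT=eth1 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=22 DPT=51234 ACK SYN URGP=0
kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=6000 DPT=22 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse_log_line(line):
    """Split one iptables LOG line into its KEY=value fields and TCP flags."""
    return dict(FIELD_RE.findall(line)), set(FLAG_RE.findall(line))


def audit_ssh_replies(text):
    """Return {(client_ip, client_port): verdict} for each inbound SSH SYN.
    A missing SYN-ACK means the server never answered; a SYN-ACK leaving on
    a different interface than the SYN arrived on points at the return route."""
    requests, replies = {}, {}
    for line in text.splitlines():
        fields, flags = parse_log_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        if fields.get("DPT") == "22" and flags == {"SYN"}:
            requests[(fields["SRC"], fields["SPT"])] = fields["IN"]
        elif fields.get("SPT") == "22" and {"SYN", "ACK"} <= flags:
            replies[(fields["DST"], fields["DPT"])] = fields["OUT"]
    verdicts = {}
    for client, in_if in requests.items():
        out_if = replies.get(client)
        if out_if is None:
            verdicts[client] = "no SYN-ACK logged: server never answered"
        elif out_if != in_if:
            verdicts[client] = (f"SYN-ACK left via {out_if} but SYN arrived on "
                                f"{in_if}: check the route back to the client")
        else:
            verdicts[client] = "ok"
    return verdicts
```

Run `audit_ssh_replies(SAMPLE_LOG)` to see the three verdicts; on a real box, feed it the lines grep'd from /var/log/messages for your LOG prefixes.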
