4

I'm trying to solve some IT puzzles about crypto: http://overthewire.org/wargames/krypton/krypton0.html.

But I failed just with the very first exercise. I decoded the password with openssl (that was easy), but when I try to connect to the machine using ssh, it shows the message below:

ssh: connect to host krypton.labs.overthewire.org port 2222: No route to host

I tried to ping the machine:

ping krypton.labs.overthewire.org
PING otw.cracksucht.de (176.9.9.172) 56(84) bytes of data.
64 bytes from static.172.9.9.176.clients.your-server.de (176.9.9.172): icmp_seq=1 ttl=53 time=54.5 ms
64 bytes from static.172.9.9.176.clients.your-server.de (176.9.9.172): icmp_seq=2 ttl=53 time=54.0 ms
64 bytes from static.172.9.9.176.clients.your-server.de (176.9.9.172): icmp_seq=3 ttl=53 time=54.6 ms
^C
--- otw.cracksucht.de ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 54.054/54.411/54.626/0.254 ms

So it responds. I also tried to ssh to the machine using its IP:

dig krypton.labs.overthewire.org

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> krypton.labs.overthewire.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38947
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;krypton.labs.overthewire.org.  IN      A

;; ANSWER SECTION:
krypton.labs.overthewire.org. 119 IN    CNAME   leelo.overthewire.org.
leelo.overthewire.org.  119     IN      CNAME   otw.cracksucht.de.
otw.cracksucht.de.      2325    IN      A       176.9.9.172

;; Query time: 66 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Oct 16 19:07:19 CEST 2017
;; MSG SIZE  rcvd: 124

And then

ssh [email protected] -p 2222
ssh: connect to host 176.9.9.172 port 2222: No route to host
ssh 176.9.9.172 -p 2222
ssh: connect to host 176.9.9.172 port 2222: No route to host
ssh 172.9.9.176 -p 2222
ssh: connect to host 172.9.9.176 port 2222: Connection timed out
ssh 176.9.9.172 -p 2222
ssh: connect to host 176.9.9.172 port 2222: No route to host

What is wrong? Is it part of the exercise (which I do not understand at all)? Or does it just not work? Thank you.

3 Answers

5

You definitely have a firewall issue between you and the remote host you are trying to access.

You can get a ping response from the remote host because ICMP traffic is allowed by the firewall, but TCP traffic is being blocked by some rule on the firewall. Try contacting a different service on the remote host, like http, https or ftp, if possible.

You can use the 'traceroute' program to see if UDP traffic is allowed. Some Linux distributions come with the SSH service dropped by the default firewall rules. The best way is to contact the remote host's admin/user to be sure that your IP is allowed.

Are you sure the remote host is running the SSH service on port 2222, not 22? You are connecting ssh to port 2222 with the -p option in your command.

2

Your "no route to host" while the machine responds to ping is a sign of a firewall that is denying you access but is informing you that it happened (i.e. with an ICMP message rather than just silent drop).

Check your outgoing firewall. If it isn't that, then it's blocked closer to the destination.
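The two answers above turn on one distinction: "No route to host" is the errno EHOSTUNREACH, which on Linux is what a connecting TCP socket gets when an ICMP destination-unreachable arrives (host-unreachable, admin-prohibited or packet-filtered, i.e. a firewall REJECT) or when there is no usable route or ARP reply; "Connection timed out" is ETIMEDOUT, meaning nothing came back at all (a silent DROP or a lost SYN); "Connection refused" is ECONNREFUSED, meaning the host answered with a RST and is reachable but not listening. Note that the asker's timeout was against 172.9.9.176, the digits of the reverse-DNS name, which is a different address from the 176.9.9.172 that dig returned, so it says nothing about the lab host. The following probe is an added example, not code from the question or either answer; it classifies a connect() failure by errno and exercises itself against a listening and a closed port on 127.0.0.1 (constructed inputs), since a REJECT or DROP cannot be reproduced offline.

```python
"""Classify why a TCP connect() fails: RST (closed), ICMP unreachable (rejected)
or no answer (filtered).  Added example; the errno-to-cause mapping follows the
Linux kernel's icmp_err_convert table (net/ipv4/icmp.c)."""
import errno
import socket

# How Linux surfaces the three common fates of a SYN that never completes.
INTERPRETATION = {
    errno.ECONNREFUSED: "RST (or ICMP port-unreachable) received: host reachable, "
                        "nothing listening, or REJECT with tcp-reset/port-unreachable",
    errno.EHOSTUNREACH: "ICMP host-unreachable / admin-prohibited / packet-filtered "
                        "received, or no route/ARP reply; with ping working, a "
                        "firewall REJECT on the path is the usual cause",
    errno.ENETUNREACH:  "ICMP net-unreachable received, or no matching local route",
    errno.ETIMEDOUT:    "no answer at all: silent DROP (filtered) or SYN lost",
}


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and return (state, errno_name, explanation).

    state is one of 'open', 'closed', 'rejected', 'filtered'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return ("open", None, "TCP handshake completed")
    except socket.timeout:                      # must precede OSError: it is a subclass
        return ("filtered", "ETIMEDOUT", INTERPRETATION[errno.ETIMEDOUT])
    except OSError as e:
        name = errno.errorcode.get(e.errno, str(e.errno))
        state = "closed" if e.errno == errno.ECONNREFUSED else "rejected"
        return (state, name, INTERPRETATION.get(e.errno, e.strerror))
    finally:
        s.close()


def _free_port():
    """Bind to port 0 to learn a free port, then release it (constructed 'closed' port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one listening and one closed loopback port; returns both results."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    closed_port = _free_port()      # cannot collide: open_port is still bound by srv
    try:
        return {
            "listening": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for label, (state, err, why) in demo().items():
        print(f"{label:>9}: {state:<8} {err or '-':<13} {why}")
```

Against a remote target the same three outcomes are what nmap reports as open, closed and filtered; nmap files an ICMP admin-prohibited reply under "filtered" too, so the errno from a plain connect (or `ssh -v`) is actually the more precise signal for telling a REJECT from a DROP.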

0

I encountered a similar situation: on a k8s host using flannel, podA could ping podB on the same host, but the TCP connection was reset by an ICMP reset from cni0. iptables-save shows rules about k8s, and all of them look fine. nft list ruleset shows rules made by firewalld:

table inet firewalld {

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        ct state invalid drop
        reject with icmpx admin-prohibited
    }

All works fine after stopping the firewalld service: systemctl stop firewalld. So, check whether other services or kernel modules may be using netfilter as well.

2
  • 1
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jul 6, 2023 at 10:08
  • What the bot is telling you is to please explain what this does and/or why it works. Otherwise your answer may get deleted. Commented Jul 6, 2023 at 10:55
