2

As the title says, I am trying to create a home Linux server, and everything was going fine, including when I ssh into the server over LAN from both my laptop and my desktop.

I am a total beginner when it comes to networking and server administration, but have dabbled in Linux for a while now.

The server is an old MacBook from like 2014 with Linux server 22.04 installed. I connected it to my ISP router via a usb-to-ethernet adapter, since there is no Ethernet port on the MacBook.

Things ground to a halt when I tried to ssh over WAN using my laptop connected to my phone's internet. I systematically get a timeout, no matter what I try.

I have been on this issue for a few days now, and I'm starting to lose it a little. Any suggestions as to what could cause the timeout? Is it a firewall issue? Could it come from the USB-to-Ethernet adapter? I have set up a different port for ssh over LAN, is that the problem? The only thing I haven't tried from the online recommendations is to create a VPN. Is that going to solve my problem?

What I've tried so far:

I ssh to a previously forwarded port

$ ssh -vvv -p FORWARDEDPORTNUMBER [email protected]

Output:

OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname public.ip.of.my.router is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/someguy/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/someguy/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to public.ip.of.my.router [public.ip.of.my.router] port FORWARDEDPORTNUMBER .
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address public.ip.of.my.router port FORWARDEDPORTNUMBER : Connection timed out
ssh: connect to host public.ip.of.my.router port FORWARDEDPORTNUMBER : Connection timed out

Is it port forwarding done wrong?

Nope, using tools such as https://www.yougetsignal.com/tools/open-ports/, the port is indeed open.

~$ sudo netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6968            0.0.0.0:*               LISTEN      961/sshd: /usr/sbin
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      817/systemd-resolve
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1002/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1002/smbd
tcp        0      0 0.0.0.0:1445            0.0.0.0:*               LISTEN      961/sshd: /usr/sbin
tcp6       0      0 :::FORWARDEDPORTNUMBER  :::*                    LISTEN      961/sshd: /usr/sbin
tcp6       0      0 :::139                  :::*                    LISTEN      1002/smbd
tcp6       0      0 :::80                   :::*                    LISTEN      878/apache2
tcp6       0      0 :::445                  :::*                    LISTEN      1002/smbd
tcp6       0      0 :::1445                 :::*                    LISTEN      961/sshd: /usr/sbin

Does it come from the firewall?

I have tried disabling the server's firewall completely (I use ufw, so sudo ufw disable does the trick), as well as going on the lowest possible security on my ISP router

Pinging the server works just fine

Telnet also works

I think? I'm not 100% sure of what is going on here, I was just following recommendations online and found this:

$ curl -v telnet://public.ip.of.my.router:FORWARDEDPORTNUMBER
*   Trying public.ip.of.my.router:FORWARDEDPORTNUMBER...
* Connected to public.ip.of.my.router (public.ip.of.my.router) port FORWARDEDPORTNUMBER (#0)
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
some user input
Invalid SSH identification string.
some more user input
* Closing connection 0

nmapping shows the port is filtered

nmap public.ip.of.my.router -pFORWARDEDPORTNUMBER 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-05 19:50 CEST
Nmap scan report for public.ip.of.my.router
Host is up (0.19s latency).

PORT                    STATE   SERVICE
FORWARDEDPORTNUMBER/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

ssh configuration

(/etc/ssh/sshd_config) is listening to the correct port

ssh key authentication

I use ssh key authentication that works just fine over LAN on the same laptop

5
  • You say that the ssh program gets a timeout connecting to address x port y, but curl being run from the same computer is able to connect to address x port y with no trouble? If that's correct, something very unusual is going on. Start by confirming you're using the same address and port with both programs. And try using nc instead of curl if you have it: "nc the.address theport"
    – Kenster
    Commented Oct 6, 2023 at 21:07
  • That's exactly what I'm saying. That's why I've been lowkey going mad over this. Trying what you suggested as soon as I get home. Commented Oct 6, 2023 at 23:36
  • Nc works as well! I get the same prompt that I do when I use curl Commented Oct 7, 2023 at 13:28
  • The "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4" string is a version string sent by the ssh server process when a client connects. If you're getting that from curl or nc, then you're successfully connecting to the ssh server process. The question is why one program times out while others connect.
    – Kenster
    Commented Oct 7, 2023 at 16:53
  • As a hunch, try running ssh with the option "-o IPQoS=none". If that doesn't work, see if you have a ~/.ssh/config file or an ssh_config file (not sshd_config) in your /etc/ directory. There could be directives in one of these files which change how ssh is trying to connect to the server.
    – Kenster
    Commented Oct 7, 2023 at 16:58
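Added example, not part of the original thread: a way to test the IPQoS hunch from the comments directly, by making the same TCP connection twice, once unmarked (as nc and curl do) and once with the IP_TOS value 0x10 that appears in the ssh debug output above. The function names and the loopback demo listener are constructed for this illustration; on a real run, pass the router's public address and forwarded port to `compare`.

```python
import socket
import threading

SSH_TOS = 0x10  # value from the "set_sock_tos ... IP_TOS 0x10" debug line above

def probe(host, port, tos=None, timeout=5.0):
    """One TCP connect, optionally TOS-marked like ssh; returns (outcome, detail)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if tos is not None:
            # Set before connect() so the SYN itself carries the mark.
            s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        s.connect((host, port))
        line = s.recv(255).split(b"\n")[0].strip()
        return ("connected", line.decode("ascii", "replace"))
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("error", exc.strerror)
    finally:
        s.close()

def verdict(plain, marked):
    """Interpret the results of the unmarked and the TOS-marked probe."""
    if plain[0] == "connected" and marked[0] == "timeout":
        return "path drops TOS-marked packets: test ssh -o IPQoS=none"
    if plain[0] == marked[0] == "connected":
        return "TOS marking is not the cause: check ssh_config and the router"
    return "port unreachable either way: check forwarding, NAT and firewall"

def compare(host, port, timeout=5.0):
    plain = probe(host, port, None, timeout)
    marked = probe(host, port, SSH_TOS, timeout)
    return {"plain": plain, "marked": marked, "verdict": verdict(plain, marked)}

def demo_listener():
    """Constructed stand-in for sshd: sends the banner quoted in the question."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    def serve():
        for _ in range(2):
            conn, _addr = srv.accept()
            conn.sendall(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n")
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(compare("127.0.0.1", demo_listener()))
```

If the unmarked probe returns the SSH banner while the marked one times out, the difference between ssh and nc is the TOS byte rather than the port forward.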

2 Answers

0

Do you have access to your ISP's router interface? My best guess is that you will not only need forwarding rules for the firewall, but also a matching NAT rule. When I add a firewall rule to pfSense, it adds a corresponding NAT rule.

2
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Oct 6, 2023 at 15:40
  • Actually I forgot to mention it, but I also did that. My router has a NAT/PAT tab on its interface and I added one for ssh and the port. Commented Oct 6, 2023 at 19:25
0

Found the culprit, it was my ISP router. Turns out there is another setting which is specific to this router, and I couldn't find anything about it online.

3
  • What setting was it? Commented Oct 13, 2023 at 10:46
  • It's all in French, but what fixed it was to 'add a custom rule' to 'redirect protocols' and 'choose protocols that are not blocked by the firewall'. I have a Livebox fibre from the French ISP Orange Commented Oct 13, 2023 at 11:03
  • 1
    Thanks for the details! Commented Oct 13, 2023 at 11:09
