Strange port forwarding problem....

Recently had to reset my modem/router to factory defaults, and now my home SSH connection doesn't work (see threads passim).

From my home PC I can SSH to localhost:443 no problem.

If I ssh to <mydomain>.dyndns.org then my router log has 'Incoming connection from <my public ip address> to <LAN IP address>:443 Action: accept', yet the connection times out.

I don't understand why my router is claiming to accept the connection (and forward it to port 443), yet the connection times out.

Anyone got any thoughts?
 
Have you maybe become confused with the port forward ports?

Is the router set up to accept on port 22 but NAT through to a local IP and port 443, or have you configured port 443 as a passthrough to port 443 on your local computer?

Also, where is the default gateway set to on your local computer?
 
> Have you maybe become confused with the port forward ports?
>
> Is the router set up to accept on port 22 but NAT through to a local IP and port 443, or have you configured port 443 as a passthrough to port 443 on your local computer?
>
> Also, where is the default gateway set to on your local computer?

Default gateway is the router, and 443 is set to be forwarded to 443 on my PC.

It's very strange.
 
443 isn't the standard SSH port... 22 is, as stated above. If your SSH service uses the default port you will need to forward port 22 to 443 on the IP
 
Is the SSH server listening on port 443 for incoming connections? If not, you might need to NAT the 443 connection to port 22 locally, or reconfigure sshd_config to listen on port 443?
 
You could use a program like Wireshark / Ethereal to monitor traffic on your local workstation, to see what is coming through the local computer?
 
> You could use a program like Wireshark / Ethereal to monitor traffic on your local workstation, to see what is coming through the local computer?

Yeah - I think that's gonna be the next step.

My router logs say:

01 day 04:53:16 (since last boot) FIREWALL rule (1 of 1) : Protocol: TCP Src ip: xxx.xxx.xxx.xxx Src port: 54657 Dst ip: 192.168.1.65 Dst port: 443 Chain: forward_host_service Rule Id: 3 Action: accept

Which suggests to me that it's matching the traffic to the rule I set up (192.168.1.65 is my PC), so the request is reaching the router, but despite the 'accept' message it's blocking it.
 
Have you configured a source IP address for the NAT rule? Maybe try removing that?

Fairly certain I didn't (I'm at work at the mo, so can't check).

I had it all working prior to doing a factory reset, and I can't remember having any issues - was a 2 minute job before....
 
It sounds like your router supports external web access to the router via SSL for secure configuration changes.

Turn off the ability to access the router from external addresses.

As you have changed the standard port that SSH uses it's conflicting with another well known port 443 HTTPS/SSL.

Regards
 
I'd check the source stuff, probably not as you said it had accepted it (Action: accept)

Also check with tcpdump / Ethereal / Wireshark to see if the packets are reaching the local machine.

You will still be able to test this locally using your external IP address, as it will get to the router, match the IP on the interface and hit the NAT rule and get forwarded on to the local machine.

--edit ignore me, I think post above me got it, I never thought about that
 
> It sounds like your router supports external web access to the router via SSL for secure configuration changes.
>
> Turn off the ability to access the router from external addresses.
>
> As you have changed the standard port that SSH uses it's conflicting with another well known port 443 HTTPS/SSL.
>
> Regards

I don't think that's the issue, as it was working fine prior to the reset, and I didn't have to do such a thing when I originally set it up.
 
> I don't think that's the issue, as it was working fine prior to the reset, and I didn't have to do such a thing when I originally set it up.

The only reason I mention it is that it may well be enabled by default and activated following a reset of the device, just trying to nail the problem down. Personally I would just use the standard port for SSH, 22.
 
> The only reason I mention it is that it may well be enabled by default and activated following a reset of the device, just trying to nail the problem down. Personally I would just use the standard port for SSH, 22.

The problem is that I'm accessing it through a rather restrictive proxy that doesn't allow connections on port 22 - hence me running it on the HTTPS port.
 
Unbelievable. Windows firewall was blocking the connection...

Wireshark was showing a single SYN packet arriving each time I tried a connect, so I checked the security centre. I've always had Windows firewall turned off, so I can only assume that a rogue update had turned it back on... oh well.
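
The reasoning that settled this thread, as an added example that is not part of any post: parse the router's accept line (format taken from the log quoted above) and correlate it with what a capture on the LAN host shows, to decide where a forwarded connection dies. The capture tuples, the 203.0.113.10 client address and the function names are constructed assumptions.

```python
import re

# Field layout taken from the router log line quoted in the thread.
LOG_RE = re.compile(
    r"Protocol: (?P<proto>\w+) Src ip: (?P<src>\S+) Src port: (?P<sport>\d+) "
    r"Dst ip: (?P<dst>\S+) Dst port: (?P<dport>\d+) .*?Action: (?P<action>\w+)"
)

def parse_router_log(line):
    """Return the forwarded flow described by one router firewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def diagnose(flow, packets):
    """packets: (src_ip, sport, dst_ip, dport, flags) tuples from a capture on the
    LAN host; flags is a string such as "S", "SA", "R" or "RA"."""
    if flow is None or flow["action"] != "accept":
        return "router did not accept the flow: check the forwarding rule"
    fwd = (flow["src"], flow["sport"], flow["dst"], flow["dport"])
    rev = (flow["dst"], flow["dport"], flow["src"], flow["sport"])
    syn_in = any(p[:4] == fwd and p[4] == "S" for p in packets)
    replies = [p[4] for p in packets if p[:4] == rev]
    if not syn_in:
        return "SYN never reached the host: wrong LAN IP in the rule or a router-side problem"
    if not replies:
        return "SYN arrived but host sent nothing back: a host firewall is silently dropping it"
    if any("R" in f for f in replies):
        return "host answered with RST: nothing is listening on that port"
    if "SA" in replies:
        return "host answered with SYN-ACK: the problem is on the return path"
    return "inconclusive"

# Constructed sample: the thread's log line with a documentation-range client IP.
SAMPLE_LOG = ("01 day 04:53:16 (since last boot) FIREWALL rule (1 of 1) : Protocol: TCP "
              "Src ip: 203.0.113.10 Src port: 54657 Dst ip: 192.168.1.65 Dst port: 443 "
              "Chain: forward_host_service Rule Id: 3 Action: accept")
# Constructed capture: a single inbound SYN and no reply, as described in the last post.
SAMPLE_CAPTURE = [("203.0.113.10", 54657, "192.168.1.65", 443, "S")]

if __name__ == "__main__":
    print(diagnose(parse_router_log(SAMPLE_LOG), SAMPLE_CAPTURE))
```
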
 