Unable to SSH from the internet

[RichoDemus]

Hi, I just started my B3 for the first time and I've been looking through some of the settings and disabled some services and stuff (like ftp etc) but I seem to be unable to SSH to my b3 from the internet, I'm able to login from the LAN without any problems at all, and http://www.canyouseeme.org/ tells me that I have a service running on port 22,

If I go to Network-> Firewall in the web gui, "SSH (Port 22)" is enabled under "Allow external (WAN) access to B3 services" and I have not created any further firewall rules. I've disabled all the other pre-set rules except ping.

shell login is allowed for my user
I'm not behind a router, my B3 is connected directly into the operators network.

I can access the internet from inside the LAN so B3 has internet connectivity.

Anyone has any ideas? I tried searching the forums here but without any luck

[EDIT: It seems that I'm not authorized to send PMs yet ]

[johannes]

This usually works. What happens when you try? Does the connection time out, or do you get some log in error? Please give as much details as you can. Thanks.

[Edit: If you PM me your easyfind name, and creat a test user for me, I can try to figure it out]

[RichoDemus]

Yeah, it just says connection timed out,

I'll PM you

[RichoDemus]

I managed to solve it, here's how I did it:

I both opened the SSH port in "Allow external (WAN) access to B3 services" AND created a firewall rule to forward it to the server under "Advanced Firewall settings"

Am I supposed to have to do this or is this a sign that something else is amiss?

[RandomUsername]

Um, yeah. Thats not right. The B3 is the first device on you network? Meaning you don't have another router/firewall between it and the Internet right?

[RichoDemus]

Yes, as I mentioned in my first post, I have nothing between my B3 and the internet, here's my iptables, thought it might help:


richo@b3:~/$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT tcp -- anywhere RichoDemus.local tcp dpt:http-alt
ACCEPT tcp -- anywhere b3.local tcp dpt:ssh


Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[johannes]

There is a button in the web UI for the file manager that says Allow external (WAN) access to B3 services: SSH that you can turn on, so you don't have to edit the firewall config manually.. CHeck admin -> network -> firewall.

[RichoDemus]

Yes I know, I haven't used iptables to do anything besides printing out the rules. I've tried simply enabling SSH in the GUI but it wasn't enough, I also had to forward port 22 to 192.168.0.1 (bubba)

I simply posted the iptables rules because it gives a nice overview

[johannes]

Ah, sorry, didn't read properly. Yes, pressing that SSH button is enough, it puzzles me that you didn't get it working without creating an additional local forward. Tried myself now and I can't reproduce this...

[RichoDemus]

Yeah it's weird, but atleast I've gotten it to work now

But I have a problem with a VOIP server called mumble which I suspect might be network related. so I hope it's not some defect or anything.

I have done a full system re-installation via the usb-thing and the problem is still there.

johannes, can you post the iptables list from a bubba without the forward rule that you can SSH to from the internet?

[johannes]

Code: Select all

Chain INPUT (policy DROP)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[RichoDemus]

weird, I'll have to remove the forward rule and try again. When I get home, I don't dare edit the SSH rules remotely

EDIT: I managed to get it sorted out now, it seems like you need to reboot the server (or maybe just bring down the network interfaces?) after certain firewall changes, I removed the port forwarding and restarted b3 and now it works. Both SSH from the internet with only the GUI SSH firewall rule and the VOIP server also works as it should

Thanks for your assistance johannes