Can't connect to SFTP (openSSH) server from WAN

BrainTrance
Posts: 3
Joined: 2020/02/14 14:56:18

Can't connect to SFTP (openSSH) server from WAN

Post by BrainTrance » 2020/02/14 15:50:54

Frequent question, I know. I searched the forum for answers but I didn't make it.

I run CentOS 7 on a HP ProLiant MicroServer.
Using my internal IP works fine, but using my public IP doesn't work. I use FileZilla client and get:
"Connection timed out after 20 seconds of inactivity"

I port forwarded a port on my router to port 22 where my server listens.
I even asked my ISP to disable CGN from my internet connection.

This is what service sshd status gives:

Feb 14 13:25:39 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Feb 14 13:25:39 localhost.localdomain sshd[949]: Server listening on 0.0.0.0 port 22.
Feb 14 13:25:39 localhost.localdomain sshd[949]: Server listening on :: port 22.
Feb 14 13:25:39 localhost.localdomain systemd[1]: Started OpenSSH server daemon.

There is an enp2s0 interface running, which I suppose is my ethernet, a "lo" which I don't know what it is, and virbr0.

And that's the list of my firewall's rules:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh
  ports: 22/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

What am I missing here?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't connect to SFTP (openSSH) server from WAN

Post by TrevorH » 2020/02/14 16:42:07

The best way to check this is to install a network packet sniffer like tcpdump or wireshark and then run something like tcpdump not net 192.168.1.0/24 and port 22 -n -nn -l -i enp2s0 and then try to connect from outside to it.

I assume that you will be running this via an ssh session from your local LAN, which is why I added the "not net 192.168.1.0/24" bit there, and you will need to adjust that to be your own local subnet. Without that, it will catch ssh packets for the session you're currently connected with and dump those to your ssh session, which will then be captured and dumped to your ssh session (repeat until all your bandwidth is used up and your machine grinds to a halt).

As long as you've excluded your own ssh session from that command, you should then be able to see all packets on port 22 that arrive on interface enp2s0. If you do not see any then either your forwarding rules on your router are wrong or your ISP is blocking port 22 traffic before it reaches you. If you didn't exclude your local subnet then as soon as you run that command it will loop like crazy and you may even need to reboot to get it back though hopefully ctrl-c will work.

If you do see the packets arriving then they are either being blocked by your firewalld (tcpdump sees them before firewalld processes them) or you have something wrong in your sshd config that stops it from accepting them.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
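The diagnostic above has two parts that are easy to get wrong: the "not net" exclusion has to cover the whole LAN subnet (not just the server's own address), and the verdict depends on what the capture does or does not show. The script below, an added example that is not code from this thread or from the tcpdump project, builds the filter from an interface address written as address/prefix and then classifies lines of `tcpdump -n -nn` output using the same decision tree: no inbound SYN to port 22 from outside the LAN means the router forwarding or the ISP; inbound SYNs with no SYN-ACK from the server means the packets reach the box but firewalld or the sshd configuration drops them. It adds one step the post does not spell out: if the server's SYN-ACK is also visible, the handshake is answered and the problem is past this host. The sample capture lines, the hypothetical server address 192.168.1.10 and the client 203.0.113.5 are constructed for the example.

```python
"""Classify a tcpdump port-22 capture along the lines of the diagnostic above.
Added example (not code from the thread). Sample lines below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

SSH_PORT = 22


def tcpdump_filter(iface_cidr: str, port: int = SSH_PORT) -> str:
    """Build the capture filter from the interface's own address/prefix.

    The exclusion must be the whole local subnet the address belongs to, not the
    single host address, so the admin's own SSH session (and any other LAN
    traffic on that port) stays out of the capture.
    """
    net = ipaddress.ip_interface(iface_cidr).network
    return f"not net {net} and port {port}"


# Matches TCP lines printed by `tcpdump -n -nn`, e.g.
# 19:30:20.000001 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [S], seq 1, ...
# The last '.' before ' > ' or ':' separates the port from the address.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK


def parse_tcp_lines(lines):
    """Keep only TCP lines; UDP, ARP and ICMP6 lines from the capture are skipped."""
    pkts = []
    for line in lines:
        m = TCP_LINE.match(line)
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), m["flags"]))
    return pkts


def diagnose(lines, local_net: str, port: int = SSH_PORT) -> str:
    """Return a verdict string; the part before ':' is a stable keyword."""
    net = ipaddress.ip_network(local_net, strict=False)
    pkts = parse_tcp_lines(lines)

    def is_local(addr: str) -> bool:
        try:
            return ipaddress.ip_address(addr) in net  # False for a v4/v6 mismatch
        except ValueError:
            return False

    # Inbound connection attempts: bare SYN to our port from outside the LAN.
    syns = [p for p in pkts
            if p.dport == port and p.flags == "S" and not is_local(p.src)]
    if not syns:
        return "no-external-syn: router forwarding is wrong or the ISP blocks the port"

    # Replies the host actually sent: SYN-ACK from our port back to a client.
    # tcpdump sees inbound packets before firewalld, but an outbound SYN-ACK
    # only appears if sshd accepted the connection and the packet left the box.
    answered = {(p.dst, p.dport) for p in pkts if p.sport == port and p.flags == "S."}
    if any((s.src, s.sport) in answered for s in syns):
        return "handshake-ok: sshd answers; the problem is beyond this host"
    return "external-syn-unanswered: packets arrive but firewalld or sshd config drops them"


# Constructed sample captures (hypothetical addresses), one per verdict.
SAMPLE_NO_SYN = [
    "19:30:13.092371 IP 192.168.1.6.55066 > 192.168.1.255.15600: UDP, length 35",
    "19:30:13.533298 ARP, Request who-has 192.168.1.41 tell 192.168.1.5, length 46",
    # A LAN-side SSH SYN: excluded by the subnet check, so it must not count.
    "19:30:14.000001 IP 192.168.1.5.40000 > 192.168.1.10.22: Flags [S], seq 9, win 64240, length 0",
]
SAMPLE_UNANSWERED = SAMPLE_NO_SYN + [
    "19:30:20.000001 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0",
    "19:30:21.000001 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0",
]
SAMPLE_OK = SAMPLE_UNANSWERED + [
    "19:30:21.000500 IP 192.168.1.10.22 > 203.0.113.5.51234: Flags [S.], seq 7, ack 2, win 65160, length 0",
]

if __name__ == "__main__":
    print("filter:", tcpdump_filter("192.168.1.10/24"))
    for name, sample in (("no syn", SAMPLE_NO_SYN), ("unanswered", SAMPLE_UNANSWERED), ("ok", SAMPLE_OK)):
        print(f"{name:>10}: {diagnose(sample, '192.168.1.0/24')}")
```

To use it on a real capture, run `tcpdump -n -nn -l -i enp2s0 'not net 192.168.1.0/24 and port 22' > cap.txt` on the server while connecting from outside, then feed the file's lines to `diagnose()` with your own LAN subnet. The `-n -nn` flags matter: without them tcpdump resolves names and prints `ssh` instead of `22`, which the regex would not match.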

BrainTrance
Posts: 3
Joined: 2020/02/14 14:56:18

Re: Can't connect to SFTP (openSSH) server from WAN

Post by BrainTrance » 2020/02/14 17:36:49

there and you will need to adjust that to be your own local subnet.
You mean I have to replace 192.168.1.0/24 with the internal IP of the device that runs the SSH service?

If yes, I receive packets, it's something like this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:30:13.092371 IP 192.168.1.6.vcom-tunnel > st-routers.mcast.net.vcom-tunnel: UDP, length 171
19:30:13.533298 ARP, Request who-has 192.168.1.41 tell 192.168.1.5, length 46
19:30:13.848691 ARP, Request who-has _gateway tell 192.168.1.6, length 46
19:30:14.630497 IP 192.168.1.6.55066 > 192.168.1.255.15600: UDP, length 35
19:30:15.098829 IP 192.168.1.6.vcom-tunnel > st-routers.mcast.net.vcom-tunnel: UDP, length 171
19:30:15.903644 ARP, Request who-has _gateway tell 192.168.1.6, length 46

If you mean using 192.168.1.0/24 as is, I get:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:34:11.156638 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ff8b:5a5a: ICMP6, neighbor solicitation, who has fe80::94d9:123b:748b:5a5a, length 32
19:34:12.041091 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ff8b:5a5a: ICMP6, neighbor solicitation, who has fe80::94d9:123b:748b:5a5a, length 32
19:34:13.041412 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ff8b:5a5a: ICMP6, neighbor solicitation, who has fe80::94d9:123b:748b:5a5a, length 32
19:34:13.167800 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ff55:e31f: ICMP6, neighbor solicitation, who has fe80::d5c0:d6e4:ce55:e31f, length 32
19:34:13.168111 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ffeb:5908: ICMP6, neighbor solicitation, who has fe80::88c1:8dbc:75eb:5908, length 32
19:34:13.168713 IP6 fe80::21f3:f561:ba6:bf32 > ff02::1:ffdb:9eba: ICMP6, neighbor solicitation, who has fe80::ff:c1c2:8db:9eba, length 32

Executing port 22 -n -nn -l -i enp2s0 results in no packets.

BrainTrance
Posts: 3
Joined: 2020/02/14 14:56:18

Re: Can't connect to SFTP (openSSH) server from WAN

Post by BrainTrance » 2020/02/15 00:33:18

I did it. Everything was actually fine, except for an enabled VPN switch in my router... nice, very nice...
