ssh times out trying to login to machine outside the LAN

Joel Rees joel_rees at sannet.ne.jp
Sat Mar 18 22:49:18 UTC 2006


On 2006.3.18, at 06:24 PM, James Wilkinson wrote:

> Joel Rees wrote:
>> I'm pretty sure the ssh configurations are all pretty much stock.
>> Just looked at the configuration files and didn't see anything that I
>> can recall changing.
>>
>> I can ssh in and out on the local LAN.
>>
>> My cohorts at a different company say they can log in and out. (The
>> box in question is at yet a third company.) They had the admin on the
>> box in question check the logs, and that admin suggested that my
>> company's firewall was to blame. (3rd information.)
>>
>> So I brought my workstation home and set it running static local IP
>> here, and NAT redirected port 22 to the workstation. Still get
>> timeouts. But, as I say, I can ssh both in and out of the box on the
>> local LAN, challenge, password, etc.
>
> I'm a bit confused about that last paragraph.

You, too? (Sorry.)

>  You're trying to SSH
> *from* a box at work *to* your workstation (which is temporarily at
> home)? (You're not trying to connect to the computer at the third
> company from home?)

It's the latter case, trying to connect to the third company's box from 
either home or work.

They have another test server set up, and I can't connect to that one 
from work, but I can connect from home.

> Try pinging the server in question.

They've shut ping off on the box. (Since I don't talk directly with 
them, I can't really second guess them on that.)

> Run
> traceroute server.example.com
> which will show you if your packets are actually making it to the
> server in question.

Well, DNS lookup finds them. traceroute loses its way about the 14th 
hop. Web browser finds their Apache test page. ssh does not complain 
about lack of resolution, it just hangs.

> Try
> telnet google.com 80
> and see if you get a connection. (Won't work if you're forced to use a
> proxy, won't help if there's a transparent proxy in the way).

Connects, and GET / HTTP/1.0 gets the apache test page. No proxies as 
far as I know, but then again if I were guessing I'd guess they've got 
the box I'm trying to connect to behind a NATting firewall.

(Sorry I'm being vague, but I really don't want to mess up their 
efforts at security, even if I would not do it that way. And, yes, I 
know that the very points I'm being vague about are the ones where 
things are probably going south for my attempts to connect. But I need 
to be able to tell my bosses so with confidence.)

> It is quite possible, after all, that your company firewall is to 
> blame.
> If the admins have set it up on a "block everything and unblock when
> needed" basis, this might be intentional.

That's what the second company (the one we work directly with) was 
suggesting, I believe. And, yes, it is intentional. The third company 
is limiting ssh by IP. They were supposed to have opened the firewall 
for the second company's contractors (including my company), but that 
doesn't seem to be working. The second company's people are (if I 
understand it) able to connect.

Oh, I get the same results from my Mac boxes at home, so now I'm pretty 
sure the problem is not with the FC settings.

Thanks.
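The pattern in this thread (name resolves, the web port answers, traceroute dies partway, ssh just hangs) is the classic signature of a firewall that silently drops SYNs to one port or from one source address, as opposed to a host that is down (nothing answers) or a port with nothing listening (an RST comes straight back). The following script is an added example and not part of the thread or of any Fedora tool; it does with Python's standard `socket` module what the `telnet host 80` test above does by hand, and names the three outcomes so they can be compared side by side. The function names (`probe`, `diagnose`, `self_check`) and the 5-second timeout are my choices; `server.example.com` is the placeholder host from the thread.

```python
import socket

# The outcomes a single TCP connect can have, as seen from the client.
OPEN = "open"              # handshake completed: host up, port listening, path clear
REFUSED = "refused"        # RST came back: host reachable, nothing listening (or a rejecting filter)
TIMEOUT = "timeout"        # no answer at all: typical of a firewall silently dropping the SYN
UNREACHABLE = "unreachable"  # ICMP unreachable / no route: a routing problem, not a port filter
UNRESOLVED = "unresolved"  # the name did not resolve; a DNS problem, not a firewall one


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect to host:port and classify what happened."""
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return UNRESOLVED
    family, socktype, proto, _, sockaddr = addrinfo[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except socket.timeout:           # alias of TimeoutError on Python 3.10+
        return TIMEOUT
    except OSError:                  # EHOSTUNREACH, ENETUNREACH and friends
        return UNREACHABLE
    finally:
        s.close()


def diagnose(http, ssh):
    """Interpret the pair of outcomes for the web port and the ssh port."""
    if ssh == OPEN:
        return ("port 22 is reachable; if the ssh client still hangs, look at the "
                "ssh layer (sshd config, keys, banner), not the network path")
    if ssh == UNRESOLVED:
        return "the name does not resolve; fix DNS before blaming any firewall"
    if http == OPEN and ssh == TIMEOUT:
        return ("host is up and answers on 80 but SYNs to 22 are silently dropped: "
                "a port- or source-IP-specific filter sits between you and the server")
    if http == OPEN and ssh == REFUSED:
        return "host is up but nothing listens on 22 (or a filter rejects with RST)"
    if http == TIMEOUT and ssh == TIMEOUT:
        return "nothing answers on either port: host down, or everything from this source is dropped"
    return "mixed result (%s on 80, %s on 22); re-run from another source address" % (http, ssh)


def self_check():
    """Produce OPEN and REFUSED deterministically on loopback, so the classifier
    can be exercised offline; TIMEOUT needs a real dropping firewall in the path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # constructed: any free loopback port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=2.0)
    listener.close()                  # port now has no listener: connect gets an RST
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    target = "server.example.com"     # placeholder from the thread; substitute your own host
    http, ssh = probe(target, 80), probe(target, 22)
    print("80:", http, " 22:", ssh)
    print(diagnose(http, ssh))
```

Run it once from the office network and once from home: two `timeout` results on 22 with `open` on 80 from both places is exactly the "filtered by source IP, and our address is not on the list" picture the thread arrives at, and it is a more convincing thing to show a boss than "it hangs".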
