Can ssh internally, but not externally

I have a Netgear C6300 (Firmware Version 2.01.14) router/modem, and I'm trying with all my might to ssh into my raspberry pi externally. Here's my port forwarding setup: (screenshot not reproduced)

I can ssh internally using ssh 192.168.0.84, but externally on canyouseeme.com I get "Error: could not see your service on port (22)". My sshd_config has the line Port 22 and the ListenAddress lines are commented out. In other words, I have not touched this file. What is going on here?

ocket8888

Posted 2016-06-13T05:37:57.180

Reputation: 133

Note: this is absolutely a duplicate of http://superuser.com/questions/1019256/can-ssh-internally-but-cant-externally-port-22-connection-refused but that question is 5 months old with no answer, so I'm asking again.

– ocket8888 – 2016-06-13T05:39:38.537

Answers

Several things come to my mind.

The forwarding in your screenshot looks OK. You could try to set it to TCP instead of TCP/UDP, because ssh is a TCP protocol.

dyndns

Are you sure that you use the correct dynamically updated hostname or your correct public IP address? To find your public IP address, open a console on the Raspberry or SSH (internally) into it and use curl icanhazip.com.

sshd_config

Make sure, in /etc/ssh/sshd_config, that sshd listens on the correct interface, in case you have multiple. Comment out the line ListenAddress a.b.c.d with a # and restart the service (/etc/init.d/sshd restart or systemctl restart sshd, depending on your distro). Edit: sorry, you already said that.

Edit:

routing

If you cannot get any output from curl icanhazip.com, chances are that your Raspberry does not know how to get to the internet. So it cannot reply to your connection attempt from the outside. Add a route, e.g. with ip route add default via <your modem's IP address>, and try again.

iptables

Make sure that your Raspberry-internal firewall allows SSH from external addresses. iptables -S will give you a list of rules. Look for lines like

-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# SSH only allowed from the internal network, if iptables policy INPUT is DROP

In that case, allow all incoming traffic with either iptables -P INPUT ACCEPT or iptables -I INPUT -p tcp --dport 22 -j ACCEPT.

DS-Lite (Dual Stack Lite)

Internally, in your home network, you use IPv4 addresses, in your example 192.168.0.x. However, your ISP might use IPv6 in its network. The router translates your IPv4 addresses to IPv6. This usually results in the inability to connect to your home network from remote.

If curl icanhazip.com gave you an IPv6 address, e.g. 2001:a61::35:2, it might be an indicator. Also, maybe your C6300 will show information about that. (I use an AVM Fritz!Box 7360, and it explicitly outputs "Fritz!Box uses a DS-Lite tunnel".)

To be 100% sure, call your ISP.

Edit:

In case you are behind a DS-Lite tunnel, the following options come to mind to nevertheless connect back home from remote:

  • ask your provider/ISP to switch your line to a non-DS-Lite one
  • use autossh to have your home computer connect to another host, e.g. at work (ask your employer first), your web server, or your VPS. Configure autossh in a way that it creates a reverse tunnel, e.g. ssh -R 10000:localhost:22 user@yourvps.com. Then you can ssh to yourvps.com and ssh from there back home via ssh -p 10000 user@localhost.

Edit:

Netgear C6300 specific

There seems to be a bug in firmware versions up to (and possibly including) Firmware Version 2.01.14 which makes opened ports visible only if the option "Respond to Ping on Internet WAN Port" in "Advanced Configuration" > "WAN Setup" is activated.

(screenshot: Netgear C6300 WAN Setup page, not reproduced)

stueja

Posted 2016-06-13T05:37:57.180

Reputation: 556
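The checks the answer walks through (is sshd listening, is there a default route, does iptables admit the port, what kind of address does icanhazip.com report), collected into one script you can run on the Pi. This is an added example, not the answer's own code: the ss/iptables output formats it parses and the address classes it assigns (RFC 1918, 100.64.0.0/10 carrier-grade NAT, IPv6-only answer as a DS-Lite hint) are my assumptions, and the functions take command output as text so they can be exercised on constructed input.

```shell
#!/bin/sh
# Added diagnostic script; not part of the original answer. Each check is a
# function that takes command output as an argument, so it can be tested on
# constructed text; run_checks feeds the live commands on the Pi (run as root
# so that iptables -S works). Usage: sh diag.sh --run [port]

# Print the local addresses on which something listens on TCP port $1.
# $2 is the output of `ss -tln`. Returns 1 if nothing listens on that port.
# 0.0.0.0:22, [::]:22 or the LAN address 192.168.0.84:22 all work with a
# router port forward; a 127.0.0.1:22 binding is unreachable from the router.
sshd_listening_on() {
    port="$1"
    printf '%s\n' "$2" | awk -v pat=":$port\$" '$1 == "LISTEN" && $4 ~ pat { print $4 }' | grep .
}

# $1 is the output of `ip route`. Without a default route the Pi receives the
# forwarded SYN but has nowhere to send the SYN-ACK, so the port looks closed.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# Classify what `curl icanhazip.com` returned. Prints one of:
#   ipv6     a v6 address came back; v4 may be tunnelled (DS-Lite), ask the ISP
#   cgnat    100.64.0.0/10, carrier-grade NAT: inbound port forwards cannot work
#   private  RFC 1918, i.e. the "public" side is itself behind another NAT
#   loopback 127.0.0.0/8
#   public   a routable v4 address; the forward on the C6300 can be tested
# (octet values above 255 are not validated; this is a diagnostic aid)
classify_address() {
    addr="$1"
    case "$addr" in
        *:*) echo ipv6; return 0 ;;
        ''|*[!0-9.]*|*..*|.*|*.) echo invalid; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    o1=$1; o2=$2
    if [ "$o1" -eq 127 ]; then
        echo loopback
    elif [ "$o1" -eq 10 ] || { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; } ||
         { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; }; then
        echo private
    elif [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
        echo cgnat
    else
        echo public
    fi
}

# $1 is the port, $2 the output of `iptables -S`. Returns 0 when a SYN from any
# source can reach TCP $1: the INPUT policy is ACCEPT, or some ACCEPT rule for
# --dport $1 carries no -s restriction (a 192.168.0.0/24-only rule under a
# DROP policy is the trap the answer describes). Heuristic only: an earlier
# DROP rule in the chain would still match first.
iptables_allows_port() {
    port="$1"; rules="$2"
    printf '%s\n' "$rules" | grep -qx -- '-P INPUT ACCEPT' && return 0
    printf '%s\n' "$rules" | grep -- '^-A INPUT ' | grep -- "--dport $port " \
        | grep -- '-j ACCEPT' | grep -qv -- ' -s ' && return 0
    return 1
}

# Live run on the Pi (needs ss, ip, iptables and curl).
run_checks() {
    port="${1:-22}"
    if listen=$(sshd_listening_on "$port" "$(ss -tln)"); then
        echo "ok: TCP $port is bound on: $(printf '%s' "$listen" | tr '\n' ' ')"
    else
        echo "FAIL: nothing listens on TCP $port; check Port/ListenAddress in /etc/ssh/sshd_config and restart sshd"
    fi
    if has_default_route "$(ip route)"; then
        echo "ok: default route present"
    else
        echo "FAIL: no default route; ip route add default via <router LAN address>"
    fi
    if iptables_allows_port "$port" "$(iptables -S 2>/dev/null)"; then
        echo "ok: iptables admits TCP $port from any source"
    else
        echo "FAIL: iptables does not admit TCP $port from outside; iptables -I INPUT -p tcp --dport $port -j ACCEPT"
    fi
    pub=$(curl -s icanhazip.com)
    echo "icanhazip.com reports $pub: $(classify_address "$pub")"
}

if [ "${1:-}" = "--run" ]; then
    run_checks "${2:-22}"
fi
```

If every check prints ok and the external port test still fails, the problem is upstream of the Pi: the router's forward (the C6300 quirk in the answer) or the ISP's address translation, which no setting on the Pi can fix.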

My iptables -S output is just -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT, so I ran iptables -I INPUT -p tcp --dport 22 -j ACCEPT as you suggested and while the curl command did output an IPv6 address, using that made no difference. I set the protocol in my port-forwarding to TCP, but http://www.ping.eu/port-chk/ still tells me the port is closed.

– ocket8888 – 2016-06-13T14:06:04.153

OK. Well, if all policies (-P) already were set to ACCEPT, there was no difference. If curl outputs an IPv6 address, then chances are, that you are running a DS-Lite stack. Or better, your ISP does. Please have a look at their webpage, customer forums, or call them, to be 100% sure. In that case, it might be hard to get a connection from remote to home. You could rent a VPS with a public IP and run autossh on your Raspberry, so that you can jump from the VPS to your Raspberry at home. – stueja – 2016-06-13T15:39:25.390
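The reverse-tunnel workaround from the answer and this comment, written out so it can be left running unattended. This is an added example, not stueja's or ocket8888's code: the VPS hostname, the tunnel account, the port and the unit file name are placeholders of mine, and the key line in the test is constructed. The point of the restricted authorized_keys entry is that the Pi's key, if it is ever stolen, can only create the one listener on the VPS loopback and nothing else.

```shell
#!/bin/sh
# Added example; not from the original answer or comments. Generates the three
# pieces of a persistent reverse SSH tunnel: the restricted authorized_keys
# line for the VPS, the autossh command, and a systemd unit for the Pi.
# All names below are placeholders.

VPS_HOST="yourvps.com"   # host with a public address that the Pi dials out to
VPS_USER="tunnel"        # dedicated, unprivileged account on the VPS
REMOTE_PORT="10000"      # port on the VPS loopback that maps to Pi:22
LOCAL_SSH_PORT="22"

# authorized_keys line for $VPS_USER on the VPS. `restrict` disables pty,
# agent/X11 forwarding and all port forwarding; `port-forwarding` re-enables
# forwarding and `permitlisten` limits -R to this one port (OpenSSH 7.8+).
# $1 is the Pi's public key line, e.g. the contents of ~/.ssh/id_ed25519.pub.
tunnel_authorized_key() {
    pubkey="$1"
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$REMOTE_PORT" "$pubkey"
}

# The autossh invocation. -M 0 drops autossh's own echo port in favour of ssh
# keepalives; ExitOnForwardFailure makes a stale -R binding fatal so autossh
# reconnects instead of staying up with no tunnel; -N requests no shell.
# The -R listener binds to the VPS loopback (GatewayPorts defaults to no),
# so nothing new is exposed on the VPS's public interface.
tunnel_command() {
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s:localhost:%s %s@%s' \
        "$REMOTE_PORT" "$LOCAL_SSH_PORT" "$VPS_USER" "$VPS_HOST"
}

# systemd unit for the Pi, to be installed as
# /etc/systemd/system/home-tunnel.service and started with
# systemctl enable --now home-tunnel. Runs as the unprivileged "pi" user whose
# ~/.ssh holds the tunnel key; AUTOSSH_GATETIME=0 lets autossh retry even if
# the very first connection fails (e.g. network not yet up at boot).
tunnel_unit() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $VPS_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=pi
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/$(tunnel_command)
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

if [ "${1:-}" = "--unit" ]; then
    tunnel_unit
elif [ "${1:-}" = "--key" ]; then
    tunnel_authorized_key "${2:-}"
fi
```

From a laptop the hop back home is then a single command, ssh -J tunnel@yourvps.com -p 10000 pi@localhost, using the laptop's own (unrestricted) key for the VPS account; the Pi's restricted key is only ever used by the service.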

*frowns* There has to be a way I can use an open service to connect to a machine I own using an internet connection I already pay for without renting anything. My former housemate had a fileserver based out of my house; we changed routers but not ISPs since then, so it has to be possible, because we've done it before. – ocket8888 – 2016-06-13T21:52:29.977

This is new information! How long ago did your housemate run the fileserver? What kind of fileserver was that? Which ports did the fileserver use? Can you try to have SSH listen on a different port, e.g. 80 or 443, forward the port correspondingly in your router and try again? – stueja – 2016-06-14T05:02:49.680

Did you activate "respond to ping on internet WAN port" in "Setup" > "WAN Setup" in the Advanced Configuration? – stueja – 2016-06-14T05:13:40.563

I keep forgetting to take a screenshot, but changing the WAN Setup to respond to pings and allow port scans was what worked – ocket8888 – 2016-06-15T18:21:37.833

Glad that my questions and answers worked for you. Please feel free to accept this answer or to ask more new questions here on superuser. :) – stueja – 2016-06-15T18:46:13.633

ip route add default via <your modem's IP address> - this solved the problem for me. Thanks ! – Copacel – 2018-03-04T20:12:14.153