0
Assume two machines that connect to a wireless router (Archer C7 v2) and are part of the same LAN. Pinging machine A from machine B works, but ssh, telnet, netcat fail. Why?
Details
Machine A (server running Ubuntu 14.04.5, local address 192.168.0.16)
An openssh server instance is up, listening at port 2200 and running w/o issues.
$netstat -ntlp | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8979 0.0.0.0:* LISTEN -
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2200 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:29754 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:10555 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1023 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 ::1:53 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::2200 :::* LISTEN -
The firewall is disabled:
$sudo ufw status' gives
Status: inactiveThis is the output of iptables -S as requested:
$iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 7
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURNMachine B (client running macOS 10.12.6, local address 192.168.0.14)
Attempting to connect via ssh results in an "Operation timed out message":
$ssh user@192.168.0.16 -p 2200 -i ~/.ssh/id_rsa -vvv
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/jdoe/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "192.168.0.16" port 2200
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.0.16 [192.168.0.16] port 2200.
debug1: connect to address 192.168.0.16 port 2200: Operation timed out
ssh: connect to host 192.168.0.16 port 2200: Operation timed outnetcat also times out:
$nc -w 1 -v 192.168.0.16 -z 2200
nc: connectx to 192.168.0.16 port 2200 (tcp) failed: Operation timed outBut hey, ping (which is a different protocol) works:
$ping 192.168.0.16
PING 192.168.0.16 (192.168.0.16): 56 data bytes
64 bytes from 192.168.0.16: icmp_seq=0 ttl=64 time=97.027 ms
64 bytes from 192.168.0.16: icmp_seq=1 ttl=64 time=4.329 ms
64 bytes from 192.168.0.16: icmp_seq=2 ttl=64 time=2.402 ms
^C
--- 192.168.0.16 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.402/34.586/97.027/44.159 msWhat am I missing? What's in my way?
Kostas
Posted 2018-02-15T18:47:40.247
Reputation: 103
Please post the output of
iptables -S. – gmelis – 2018-02-15T20:10:32.993Updated the post with that info. Let me know if you need anything else. – Kostas – 2018-02-15T21:22:31.953