On Monday 2023-07-17 13:10, Andrei Borzenkov wrote:
Date: Mon, 17 Jul 2023 13:10:45
From: Andrei Borzenkov <arvidjaar@gmail.com>
To: users@lists.opensuse.org
Subject: Re: ssh connection failes (times out)
On Mon, Jul 17, 2023 at 2:07 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
On Monday 2023-07-17 12:44, Andrei Borzenkov wrote:
Date: Mon, 17 Jul 2023 12:44:53
From: Andrei Borzenkov <arvidjaar@gmail.com>
To: users@lists.opensuse.org
Subject: Re: ssh connection failes (times out)
On Mon, Jul 17, 2023 at 1:15 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
On Monday 2023-07-17 11:42, Andrei Borzenkov wrote:
Date: Mon, 17 Jul 2023 11:42:11
From: Andrei Borzenkov <arvidjaar@gmail.com>
To: users@lists.opensuse.org
Subject: Re: ssh connection failes (times out)
On Mon, Jul 17, 2023 at 12:18 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
nothing to see for me. (where does the "noprefixroute" come from?)
It comes from NetworkManager
Well, I would simply capture packets on this host when ssh connection is attempted. Then you at least know whether any request comes through or not.
seems so, tcpdump shows repeatedly those lines on trying to connect:
12:06:51.525602 IP stb1.swabian.net.43562 > omega.swabian.net.ssh: Flags [S], seq 3512370883, win 29200, options [mss 1460,sackOK,TS val 8907069 ecr 0,nop,wscale 6], length 0
This is an incoming TCP connection request. Do you also see any reply on this interface?
no, nothing. also nothing showing up (dropped packets or so) in dmesg.
What about
iptables -L -n -v
iptables -L -n -v -t nat
nft list ruleset
I think that's the right direction. iptables -L -n -v shows a lot of rules (the others do not)

Chain INPUT (policy DROP 964 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination
  141 10002 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 162K  558M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 75122 packets, 8619K bytes)
 pkts bytes target     prot opt in     out     source               destination
  141 10002 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forward_int (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* sfw2.rpc.portmapper */ limit: avg 3/min burst 5 ctstate NEW udp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* sfw2.rpc.portmapper */ udp dpt:111
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* sfw2.rpc.portmapper */ limit: avg 3/min burst 5 ctstate NEW tcp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* sfw2.rpc.portmapper */ tcp dpt:111

Chain input_int (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

and I noticed, that SuSEfirewall2.service was not disabled, but failed at boot. As it was never running, I always assumed it was disabled. now explicitly disabled SuSEfirewall2.service and SuSEfirewall2_init.service

# systemctl status SuSEfirewall2.service
× SuSEfirewall2.service - SuSEfirewall2 phase 2
     Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2023-07-17 12:21:56 CEST; 1h 5min ago
   Main PID: 3656 (code=exited, status=1/FAILURE)

Jul 17 12:21:54 omega.swabian.net SuSEfirewall2[3656]: using default zone 'ext' for interface eth1
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4024]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4027]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4034]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4037]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[3656]: failed to setup rpc service rules for portmapper
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4040]: <35>Jul 17 12:21:56 SuSEfirewall2[3656]: failed to setup rpc service rules for portmapper
Jul 17 12:21:56 omega.swabian.net systemd[1]: SuSEfirewall2.service: Main process exited, code=exited, status=1/FAILURE
Jul 17 12:21:56 omega.swabian.net systemd[1]: SuSEfirewall2.service: Failed with result 'exit-code'.
Jul 17 12:21:56 omega.swabian.net systemd[1]: Failed to start SuSEfirewall2 phase 2.

will try again, after software update and a reboot.
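
Added example, not part of the original message or of SuSEfirewall2: in the listing above INPUT has policy DROP while the chain holding the port 22 ACCEPT shows "(0 references)", and this Python sketch checks for that pattern in `iptables -L -n -v` text. The sample is constructed (abridged from the listing), `eth1` is taken from the journal output, and the matcher is a simplification that only understands `ctstate` and `dpt:` matches.

```python
import re
# Constructed sample: abridged from the `iptables -L -n -v` listing in the post.
SAMPLE = """\
Chain INPUT (policy DROP 964 packets, 112K bytes)
 pkts bytes target prot opt in out source destination
  141 10002 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 162K  558M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
Chain input_ext (0 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")

def parse_chains(listing):
    """Map chain name -> policy, reference count and rules."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m, f = CHAIN_RE.match(line), line.split()
        if m:
            refs = int(m.group(3)) if m.group(3) else None
            cur = chains[m.group(1)] = {"policy": m.group(2), "refs": refs, "rules": []}
        elif cur is not None and len(f) >= 9 and f[0] != "pkts":
            # columns: pkts bytes target prot opt in out source destination [match]
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                 "match": " ".join(f[9:])})
    return chains

def matches_new_tcp(rule, dport, iface):
    """Would a first TCP SYN to dport arriving on iface match this rule?"""
    state = re.search(r"ctstate (\S+)", rule["match"])
    port = re.search(r"dpt:(\d+)", rule["match"])
    return (rule["prot"] in ("all", "tcp") and rule["in"] in ("*", iface)
            and (not state or "NEW" in state.group(1).split(","))
            and (not port or int(port.group(1)) == dport))

def verdict(chains, dport, iface, chain="INPUT"):
    """Walk the chain, follow jumps to user chains, else return the policy."""
    for rule in chains[chain]["rules"]:
        t = rule["target"]
        if matches_new_tcp(rule, dport, iface):
            hit = verdict(chains, dport, iface, t) if t in chains else t
            if hit in ("ACCEPT", "DROP", "REJECT"):
                return hit
    return chains[chain]["policy"]  # None for user chains: caller keeps walking

def orphaned_accepts(chains, dport, iface):
    """Unreferenced chains holding an ACCEPT that would have matched."""
    return [n for n, c in chains.items() if c["refs"] == 0 and any(
        r["target"] == "ACCEPT" and matches_new_tcp(r, dport, iface) for r in c["rules"])]
```

On the sample, `verdict(parse_chains(SAMPLE), 22, "eth1")` falls through to the INPUT policy, and `orphaned_accepts` names the chain whose ssh rule is never reached.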