# [solved] SSH and NAT router problem

## martinj

Hi,

I want to connect to a Gentoo box behind my NAT router from outside via SSH. Connecting to that box from the LAN works fine, but from the Internet through NAT it doesn't work, I get a "Connection refused".

All other services, like Apache and Telnet, work through NAT. The configuration of the router shouldn't be the problem, because I configured it in the right way.

In the ssh_config on the client I activated `Host *`.

Do I have to set something special in my sshd_config? Is there any restriction for SSH via NAT?

What did I do wrong?

Thanks,

Martin

Last edited by martinj on Tue Jan 06, 2004 6:59 pm; edited 1 time in total

----------

## fleed

Does the ssh server, sshd, say anything about the connection being dropped/rejected in the logs? If it doesn't even acknowledge the attempt to connect then it sounds like you don't have your router configured correctly.

----------

## martinj

I'm sorry, but I didn't find the sshd logfile. It should be /var/log/sshd.log, but it doesn't exist. The LogLevel is set to INFO.

I have configured my router for SSH in the same way as I configured it for telnet, except for the ports:

protocol: TCP

external port: 22

internal port: 22

internal address: server_ip

With telnet it works, with SSH not, so the problem must be caused by the sshd.

If it helps, you can find my box at: texeon.dyndns.org

sshd and apache are running.

Martin

----------

## fleed

Hmm... when I try to connect to 22 on your machine it just hangs there for a while. If I connect to a random port the connection is dropped instantly. Do you have a firewall on your machine? Is iptables up? 

Look for logs in /var/log/everything/current or /var/log/messages

----------

## To

On your machine, if you run:

```
ssh 127.0.0.1
```

does it accept the connection?

If it does, on the console try:

```
ssh internal-IP
```

And if it works, try to connect to your machine from another machine on the intranet. If this works it's a problem with the router, else it's sshd related.

Here's my sshd configuration:

```
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 1h
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
# in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
```

Tó

----------
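
The sshd_config posted above enables SSH protocol 1 (`Protocol 2,1`, together with the SSHv1-only `ServerKeyBits` and `KeyRegenerationInterval` options and the `ssh_host_key` protocol-1 host key), permits root login and allows password logins, on a host that is about to be exposed through NAT. The checker below is an added example, not code from this thread or from OpenSSH: it parses an sshd_config the way sshd reads it (the first value of a repeated keyword wins; Match blocks are not modelled), flags those settings, and emits a hardened copy. `SAMPLE_CONFIG` is To's config copied inline so the script runs offline; the function and keyword names are mine.

```python
import re

# The sshd_config from To's post, copied inline so the checker runs offline.
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 1h
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Keywords that only mean something for SSH protocol 1.
SSHV1_ONLY = (("serverkeybits", "ServerKeyBits"),
              ("keyregenerationinterval", "KeyRegenerationInterval"))
DROP_KEYS = {"serverkeybits", "keyregenerationinterval", "rhostsrsaauthentication"}
HARDENED_VALUES = {"protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no"}


def parse_sshd_config(text):
    """Keyword -> list of values, keywords lower-cased. sshd honours the FIRST
    occurrence of a single-valued keyword, so callers read values[0]; HostKey
    legitimately repeats. Comments and blank lines are skipped; Match blocks
    are not modelled (everything is treated as the global section)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts


def first(opts, key):
    vals = opts.get(key)
    return vals[0] if vals else None


def audit(opts):
    """Return (keyword, value, why) for explicit settings that should not face
    the Internet. Unset keywords are not judged: defaults differ across versions."""
    findings = []
    proto = first(opts, "protocol")
    if proto and "1" in [p.strip() for p in proto.split(",")]:
        findings.append(("Protocol", proto, "SSH protocol 1 is obsolete and insecure; use 2 only"))
    for hk in opts.get("hostkey", []):
        if hk.endswith("/ssh_host_key"):
            findings.append(("HostKey", hk, "protocol-1 host key; only needed with Protocol 1"))
    for lower, canonical in SSHV1_ONLY:
        if lower in opts:
            findings.append((canonical, opts[lower][0], "SSHv1-only option, dropped from modern OpenSSH"))
    if (first(opts, "permitrootlogin") or "").lower() == "yes":
        findings.append(("PermitRootLogin", "yes", "root can be brute-forced directly; log in as a user and su/sudo"))
    if (first(opts, "passwordauthentication") or "").lower() == "yes":
        findings.append(("PasswordAuthentication", "yes", "password logins on an Internet-facing sshd invite brute force; use keys"))
    return findings


def harden(text):
    """Rewrite the config text: SSHv2 only, no root or password login, SSHv1-only
    options and the protocol-1 host key removed. Other lines are kept verbatim.
    Handles the whitespace-separated 'Key value' form used in the sample."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if not parts:
            out.append(raw)
            continue
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        k = key.lower()
        if k in DROP_KEYS or (k == "hostkey" and value.endswith("/ssh_host_key")):
            continue
        out.append("%s %s" % (key, HARDENED_VALUES[k]) if k in HARDENED_VALUES else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, value, why in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print("%-24s %-28s %s" % (keyword, value, why))
    print(harden(SAMPLE_CONFIG))
```

Against the live file, `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` gives the same report; after editing, run `sshd -t` to have sshd itself validate the file before restarting it, since a syntax error there locks you out of a remote box.

----------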

## martinj

@fleed:

I don't have a firewall, iptables isn't installed. Or is iptables installed automatically with Gentoo?

In /var/log/messages I don't find any entries related to ssh, and /var/log/everything/current doesn't exist. My logger is the old sysklogd, is that the cause?

@To:

The configuration of my sshd is exactly the same as yours.

SSH connections from my LAN and from localhost or 127.0.0.1 work without any problems! I can connect to the box from any other box of my LAN.

The protocol for SSH is TCP, or not? So what could be wrong with the configuration of the router?

Here is the exact configuration of the port forwarding of my router (it's a Bintec X1200):

```
[IP][NAT][EDIT][OUTSIDE][EDIT]: NAT - sessions from OUTSIDE
------------------------------------------------------------
Service              user defined
Protocol             tcp
Remote Address       0.0.0.0 (=everything)
Remote Mask          0.0.0.0 (=everything)
External Address     0.0.0.0 (=everything)
External Mask        0.0.0.0 (=everything)
External Port        specify     Port 22
Internal Address     192.168.0.200
Internal Mask        255.255.255.0
Internal Port        specify     Port 22
```

I don't see the mistake...

----------
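
To's post lays out the triage order (loopback, then the internal IP, then another LAN host, then from outside), and fleed's observation that port 22 hangs while a random port is dropped instantly is the distinction that matters here: a hang (timeout) means the SYN is being discarded somewhere on the path, while "Connection refused" means a host answered with a TCP RST because nothing was listening at the address the packet was delivered to. The script below is an added example, not code from this thread; it runs the same three-hop probe and maps the results onto sshd, the host, or the router. `fake_sshd()` is a constructed loopback listener so the example runs offline, `internal` and `external` are placeholders to fill in, and the external probe has to be run from outside the LAN, because many routers do not hairpin a connection to their own public address (the point Valken makes later in the thread). Function names and messages are mine.

```python
import socket
import threading

# Outcome labels. The distinction is what NAT debugging hinges on:
#  REFUSED - a host sent TCP RST: the packet arrived somewhere, but nothing
#            listens on that address:port (forward to the wrong host/port, or sshd down)
#  TIMEOUT - no answer at all: dropped by a firewall, a missing NAT rule, or an upstream filter
#  OPEN    - handshake completed; sshd sends its version banner unprompted
OPEN, REFUSED, TIMEOUT = "open", "refused", "timeout"


def probe(host, port=22, timeout=3.0):
    """Connect to host:port and return (state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, TimeoutError):
                banner = ""            # open but silent: whatever answered is not sshd
            return OPEN, banner
    except ConnectionRefusedError:
        return REFUSED, ""
    except (socket.timeout, TimeoutError):
        return TIMEOUT, ""
    except OSError as e:               # e.g. ENETUNREACH / EHOSTUNREACH
        return "error:%s" % (e.errno,), ""


def triage(localhost="127.0.0.1", internal=None, external=None, port=22):
    """Run the probes from To's post in order; hops not supplied are skipped."""
    results = {}
    for label, host in (("localhost", localhost), ("internal", internal), ("external", external)):
        if host:
            results[label] = probe(host, port)
    return results


def diagnose(results):
    """Map probe results onto the fault domain: sshd, host, or router."""
    lo = results.get("localhost", (None, ""))[0]
    lan = results.get("internal", (None, ""))[0]
    ext = results.get("external", (None, ""))[0]
    if lo is not None and lo != OPEN:
        return "sshd: not reachable on loopback (not running, or listening on another port)"
    if lan is not None and lan != OPEN:
        return "host: loopback works but the LAN address does not (ListenAddress 127.0.0.1 only, or a host firewall)"
    if ext == TIMEOUT:
        return "router: LAN works but outside times out (missing/mis-targeted NAT forward, or port 22 filtered upstream)"
    if ext == REFUSED:
        return "router: LAN works but outside is refused (forward lands on a host:port with no listener)"
    if ext == OPEN:
        return "ok: reachable from outside"
    return "inconclusive: not enough probes"


def fake_sshd(banner=b"SSH-2.0-OpenSSH_test\r\n"):
    """Constructed stand-in for sshd on an ephemeral loopback port so the example
    runs offline: accepts, sends a banner, closes. Returns the port number."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port with no listener (bind, read the number, release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = fake_sshd()
    print(probe("127.0.0.1", port))            # ('open', 'SSH-2.0-OpenSSH_test')
    print(probe("127.0.0.1", closed_port()))   # ('refused', '')
    # Real use: LAN address and public name from the thread; run the external
    # probe from a machine outside the LAN, not from behind the router.
    # print(diagnose(triage(internal="192.168.0.200", external="texeon.dyndns.org")))
```

The banner check is there because a forward that lands on the wrong internal host can still complete the TCP handshake (for example on a web port), which looks like success to a plain port scan but never yields an `SSH-` banner.

----------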

## fleed

Yes, port 22/tcp. I don't see anything wrong with the router setup but I'm not familiar with it anyway. How does the setup for port 80 look? I also tried connecting to your telnet port (you mentioned below) and that didn't work.

----------

## martinj

The setup for port 80 is the same except for the port.

Telnet doesn't work because I didn't start my telnetd. But I have started it now.

By the way: in the package telnet-bsd there is no telnetd, so I emerged netkit-telnetd. And this telnetd only works if I start it with "telnetd -debug". And it only accepts one login and exits after that. But nevertheless it works through NAT. *confused*

----------

## fleed

I can connect from here to your telnetd now (oh, and take it down again).

Try making sshd be more verbose in logging.

----------

## martinj

I have set LogLevel to DEBUG and restarted sshd, but I still can't find any logs related to SSH in /var/log/messages. sshd.log doesn't exist yet.

----------

## fleed

Do you get anything in your logs when you login from your LAN? You should definitely get something. If you're not getting anything at all look at the config of your syslogger.

----------

## martinj

Ok, I've found the logs for ssh. They are in /var/log/auth.log

When I log in from my LAN I get several log entries. But I don't know which of the existing logs are caused by external logins, so could you please connect once again to my sshd from outside, so that I can look at what logs are made?

Thx a lot,

Martin

----------

## fleed

I think you've fixed it. I get prompted to accept your host key, etc. Maybe you could try again to see if it's fixed for you?

----------

## Decibels

I got to your system too, so I think you have it working.

----------

## Valken

If you're behind the NAT, trying to connect to texeon.dyndns.org won't work. You need to specify the internal IP.

----------

## martinj

I don't know why, but it's working now!

I didn't change anything in the configs except for the LogLevel! Very strange!

So thx a lot to all who helped me!

Martin

----------

