<div dir="ltr"><div>> Going the other way, you have no rules to pass<br>> the communication through.<br><br>Why were rules written for the second router but not the first? Is it because it was connected first? Could we write the rules we need?<br></div><span class=""><font color="#888888"><br>

</font></span></div><div class="gmail_extra"><br clear="all"><div>:-)~MIKE~(-:</div>
<br><br><div class="gmail_quote">On Fri, Jul 18, 2014 at 3:34 PM, Gilbert T. Gutierrez, Jr. <span dir="ltr"><<a href="mailto:mailing-lists@phoenixinternet.net" target="_blank">mailing-lists@phoenixinternet.net</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>NAT is the reason. The ping is being
      translated from one network to another as well as telnet. Going
      the other way, you have no rules to pass the communication
      through.<span class="HOEnZb"><font color="#888888"><br>
      <br>
      Gilbert</font></span><div><div class="h5"><br>
      <br>
      On 7/18/2014 2:44 PM, Michael Havens wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">So, according to your tutorial, 192.168.0.x is not on
        the same subnet as 192.168.1.x. If that is correct, why can I ssh
        (and ping and telnet....) from client to host but not host to
        client?<br>
      </div>
      <div class="gmail_extra">
        <br clear="all">
        <div>:-)~MIKE~(-:</div>
        <br>
        <br>
        <div class="gmail_quote">On Fri, Jul 18, 2014 at 12:30 PM,
          Michael Havens <span dir="ltr"><<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>telnet localhost 22 from the server received no
                  answer from the client<br>
                  telnet 192.168.1.101 22 from the client received no
                  answer from the server<br>
                  <br>
                </div>
                I'll get back to you about the research project<br>
              </div>
               (and as a private message)<br>
            </div>
            <div class="gmail_extra"><br clear="all">
              <div>:-)~MIKE~(-:</div>
              <div>
                <div>
                  <br>
                  <br>
                  <div class="gmail_quote">On Fri, Jul 18, 2014 at 6:41
                    AM, <span dir="ltr"><<a href="mailto:kitepilot@kitepilot.com" target="_blank">kitepilot@kitepilot.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      Hello Michael:<br>
                      the 'Net' is a hodgepodge of protocols, all
                       abiding by the 'OSI Layer Model' to work properly
                      (<a href="http://en.wikipedia.org/wiki/OSI_model" target="_blank">http://en.wikipedia.org/wiki/OSI_model</a>).
                      <br>
                      Troubleshooting your SSH connection should be a
                      fairly simple proposition, because there are only
                      so many moving parts (Three!).<br>
                       As with anything under the OSI model, nothing on an
                      upper layer will work unless the necessary
                      components of the lower layer are working.<br>
                      AND you *HAVE* to troubleshoot each layer
                      separately.<br>
                      So how does this go? <br>
                       Well, let's take a look at your SSH problem...<br>
                      1.- In order for the SSH connection to work you
                      need 3 things:<br>
                       1.1.- an SSH server,<br>
                       1.2.- an SSH client and,<br>
                      1.3.- a TCP/IP connection. <br>
                      *EACH* one of the lines above is a separate
                      project and *HAS* to be addressed as such. <br>
                       Let's cover the basics first, the TCP/IP
                      connection:<br>
                      You *HAVE* to *KNOW* The Mantra:<br>
                      "In order for any 2 devices to establish a TCP
                      connection they have to share a physical link and
                      they need addresses in the same subnet".<br>
                      The statement above is a pretty dense one, and has
                      several implications, number one being: What does
                      "subnet" mean?<br>
                      Another is: what about IPs in different subnets?<br>
                      We'll get there... <br>
                      As there are already several books written (and to
                      be written) about the few lines above, I'll water
                      it down to the bare minimum:<br>
                      The subnet is defined via the netmask, and implies
                      that "ON" parts of the netmask are always equal in
                      all the addresses on a network segment, so: <br>
                      Network:<br>
                      <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>
                      or<br>
                      192.168.0.0 with netmask 255.255.255.0 means that<br>
                      *ALL* the addresses in *THIS* network are going to
                      look like 192.168.0.${SOMETHING_ELSE}<br>
                      '192.168.0' is the "Network", and
                      "${SOMETHING_ELSE}" is the "Host".<br>
                      You can not use "Host 0" (because that defines the
                      network) and you can not use the highest number
                      (255) because that's the 'broadcast address'.<br>
                       Which means that any '/24' (slash 24) network can
                      address 254 'hosts'. <br>
                      Network:<br>
                      <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>
                      or<br>
                      192.168.0.0 with netmask 255.255.0.0 means that<br>
                      *ALL* the addresses in *THIS* network are going to
                      look like 192.168.${SOMETHING_ELSE}.${SOMETHING_ELSE}<br>
                      '192.168' is the "Network", and
                      "${SOMETHING_ELSE}.${SOMETHING_ELSE}" is the
                      "Host".<br>
                      You can not use "Host 0.0" (because that defines
                      the network) and you can not use the highest
                      number (255.255) because that's the 'broadcast
                      address'.<br>
                       Which means that any '/16' (slash 16) network can
                      address 65534 'hosts'. <br>
                      The reason why '255' is the highest number is
                      because IPv4 addresses (and netmasks) are
                      represented in memory in 4 bytes, each number one
                      byte.<br>
                      Bytes are 8 bits, but that's a different book that
                       you need to read too, let's move on with the
                      network. <br>
                      Things get pretty interesting (and math pretty
                      convoluted) when you define networks like <a href="http://192.168.127.0/25" target="_blank">192.168.127.0/25</a><br>
                       If you want to see all variations, you can be lazy
                      (like me) and run:<br>
                      ipcalc <a href="http://192.168.0.127/25" target="_blank">192.168.0.127/25</a>
                      <br>
                      Finally, "Netmasks" are a patch to the first
                      defined (and shortsighted) 'Address Type' as class
                      A,B,C or D, but I'll let you research that
                      yourself. <br>
                      <br>
                      Well, that's all good, but how do you talk to
                      other addresses?, I talk to google.com...<br>
                      That's a valid question, but<br>
                      1.- it is not part of *THIS* SSH problem and<br>
                      2.- you don't 'talk to google'.<br>
                      We'll talk more about how devices find each other
                      in a network down below, but in order to talk to
                      devices outside your network you need the 'Routing
                      Protocol' (implemented at [SURPRISE!] 'the
                      router') which is nothing else than a table of
                      rules stating 'this IP goes that way'.  In your
                      case, all addresses go the same place (the router)
                       so the router becomes the 'Default Gateway'.  As
                       for resolving google, you need the DNS, but you knew
                       that...   :) <br>
                      <br>
                       Now that we know what an IP address is, let's move
                      on to the "Physical Link".<br>
                      Well, a cable will do...<br>
                      In the wireless world, the "Association" is the
                      link.<br>
                      And how do you validate that?<br>
                      iwconfig will tell you what (if anything) you are
                      associated to.  No association, no link, no
                      connection, no SSH.<br>
                      ifconfig will tell you what (if anything) you are
                      wired to.  No wire, no link, no connection, no
                      SSH.<br>
                      Ain't that simple?   ;-) <br>
                      So we have a link...<br>
                      And we have IP addresses in the same subnet.<br>
                      So we are connected!!!   8-) <br>
                      Not so fast Armando!!!<br>
                      The fact that your addresses match is not
                      necessarily a validation, because each computer
                      may be connected to a different router providing
                      the same NAT(ed) address!<br>
                      NAT?<br>
                       Yes, NAT (Network Address Translation protocol),
                       but that's yet another book, so let's water it
                       down:<br>
                      NAT is the protocol that allows you to have an
                      'outside visible address' and an 'inside invisible
                      network' in a router.<br>
                      NAT (as Netmask) was implemented mainly to
                       alleviate the IPv4 address shortage because of the
                      'class A,B,C or D' mistake, but as a byproduct,
                      you can 'hide' behind it, which provides some
                      level of security.  How you hide is yet another
                      bookshelf and essentially means that you cannot
                      access devices 'behind the router' unless the
                      device initiates the connection first, and that's
                      how you raise a WEB site from 'behind the router'
                      and why you can SSH from 'inside to outside the
                       router' but not the other way around, so let's move
                      on... <br>
                      So, how do we know that we are connected to the
                      same router?<br>
                      Ah, glad you asked:<br>
                      ARP!<br>
                      Or Address Resolution Protocol.<br>
                      *ALL* data transmission is done at OSI layer 2.<br>
                      Quick implementation manual:<br>
                      OSI layer 1: Cable or association.<br>
                      OSI layer 2: MAC address.<br>
                      OSI layer 3: IP address. <br>
                      Your network doesn't know (and doesn't care) about
                      IP addresses.  The IP address is there to resolve
                      the MAC address.<br>
                      When you say:<br>
                      ping 192.168.0.1<br>
                      that generates a 'who has' request from the ARP
                      protocol.<br>
                       That request is broadcast to anyone on the
                      physical link (OSI layer 1)<br>
                      The device with the IP address interrogated by
                      'who has' answers with its MAC address.<br>
                      This IP/MAC address pair is then saved to the ARP
                      table.<br>
                       From there on (and even though the IP address
                      goes along in the TCP/IP header) all transmissions
                      are sent to the MAC address.<br>
                      But then again, how do you know that your 2 boxes
                      are talking to the same router?<br>
                      arp -n|grep 192.168.1.1<br>
                      Same MAC?<br>
                      Same box.<br>
                      Different MAC?<br>
                      Same Michael...   ;-) <br>
                      What do we know so far?<br>
                      Well, we know something about line 3 of the very
                      first paragraph. <br>
                      What about line 2?<br>
                      Type<br>
                      which ssh<br>
                       You have it or not, and you know what to do, so
                       let's move to line 1. <br>
                      We now need to troubleshoot the SSH server.<br>
                      Well, that boils down to 2 things, it is working
                      or not...<br>
                      You *KNOW* that the SSH server is 'listening'
                      (although not necessarily working) when you can
                      connect to the 'port'<br>
                      Port?<br>
                      Yeah, port...<br>
                       Let's move on up in the OSI model to the
                      application layer.<br>
                      In order to establish a TCP connection you need an
                      IP connection and a port (or a socket and a port)<br>
                      The port is to the application what the IP address
                      is to the MAC.<br>
                      So if the port is listening, the application is
                      awake.<br>
                      And how do we know?<br>
                      There are only 975143684 possible ways to validate
                      a 'port is open' (or listening) but I am a simple
                      boring guy, so I do:<br>
                      telnet localhost 22<br>
                      I either get an answer or not.<br>
                      If I get an answer, then we are most likely all
                      good, but if I don't get an answer then the
                      ramifications are staggering and I'm not even
                      going to think about it. <br>
                      In order to check that the other port listens then
                      you:<br>
                      telnet ${REMOTE} 22<br>
                      Again, we either get an answer or not.  And the
                      'not' means another Sunday drive to the library...
                      <br>
                      Finally, why 22?<br>
                      Because that's the SSH port and it is defined in
                      the configuration file, which you can change to
                      further complicate your (or someone else's) life.<br>
                      But who and where defined 22 as the SSH port?<br>
                      grep -i ssh /etc/services<br>
                      And who wrote /etc/services?<br>
                      <a href="http://www.iana.org/" target="_blank">http://www.iana.org/</a>
                      <br>
                      And how do I know all this crap?<br>
                      Because I finished LFS!!!!    ;-) <br>
                      I hope you see everything now as clear as mud.<br>
                      Keep this message handy, you'll need to read it
                      several times... <br>
                       Keep in mind that what I have written here is a
                       GROSS oversimplification of several bookshelves
                       contained in several buildings and written over
                       several decades all over the world; it's free
                       advice, you can't sue me...   :) <br>
                      And always remember:<br>
                      For every question there exists a simple, direct
                      and wrong answer.<br>
                       If you have any question,<br>
                      you will get any answer...<br>
                      ET <br>
                      PS: Research project:<br>
                      Why doesn't 'ping' use a port?<br>
                       Why is 'ping' 'setuid(ed)'?<br>
                      What are 'routable' networks?<br>
                      What are 'non-routable' networks?<br>
                       What does it mean if you get an IP address like <a href="http://169.254.0.0/16" target="_blank">169.254.0.0/16</a><br>
                      Why do you always have a 127.0.0.1 address in your
                      boxes?<br>
                      Who defines (and where are the documents that
                      define) all these protocols? (RFC anyone?) <br>
                      <div>
                        <div>
                          <br>
                          <br>
                          Michael Havens writes: <br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                             Okay, so I bought a used computer to do
                            Linux from scratch on. Well, I'm<br>
                            going to ssh from my primary computer to the
                            new computer but got a<br>
                            'Connection timed out' error. After googling
                            for a bit I discovered ufw was<br>
                            to blame. <br>
                             After I disabled the firewall I could ssh
                             from 192.168.1.101 &lt;parasite&gt; to<br>
                             192.168.0.4 &lt;host&gt; <br>
                             The error I got going the other way was the
                             connection timed out error: <br>
                            ssh <a href="mailto:mike@192.168.1.101" target="_blank">mike@192.168.1.101</a><br>
                            ssh: connect to host 192.168.1.101 port 22:
                            Connection timed out <br>
                            After googling some more I thought perhaps
                            openssh-server wasn't<br>
                            installed... but it is. So please.... what
                             is the problem? I verified<br>
                            openssh-client is installed but I don't know
                            what it could be. Could you<br>
                            help me out?<br>
                            :-)~MIKE~(-:<br>
                          </blockquote>
                        </div>
                      </div>
                      <div>
                        <div>
                          ---------------------------------------------------<br>
                          PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
                          To subscribe, unsubscribe, or to change your
                          mail settings:<br>
                          <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
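The netmask arithmetic from ET's message in the thread above (network, broadcast, usable host count, and the "ON bits of the mask must be equal" test that decides whether 192.168.0.4 and 192.168.1.101 share a subnet), worked through as an added Python example. This is not code posted by anyone in the thread and it is not ipcalc; the function names (ip_to_int, prefix_to_mask, mask_to_prefix, subnet_info, same_subnet) are this example's own choices. It goes a little beyond the message by also handling /31 and /32 prefixes, where the "minus network, minus broadcast" host rule does not apply.

```python
"""Subnet arithmetic the way ipcalc reports it, in pure Python.

Added example for this thread; not code posted by anyone in it, and not
ipcalc itself.  Function names (ip_to_int, prefix_to_mask, subnet_info,
same_subnet, ...) are this example's own choices.
"""
import socket
import struct


def ip_to_int(ip: str) -> int:
    # inet_aton rejects malformed dotted quads; ">I" unpacks big-endian
    return struct.unpack(">I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n & 0xFFFFFFFF))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits on, the rest off."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects masks whose ON bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def parse_cidr(cidr: str) -> tuple[int, int]:
    ip, sep, prefix = cidr.partition("/")
    if not sep:
        raise ValueError(f"expected address/prefix, got {cidr!r}")
    return ip_to_int(ip), int(prefix)


def subnet_info(cidr: str) -> dict:
    """Network, netmask, broadcast and usable host range for an address/prefix."""
    addr, prefix = parse_cidr(cidr)
    mask = prefix_to_mask(prefix)
    network = addr & mask                       # ON bits of the mask: the "Network" part
    broadcast = network | (~mask & 0xFFFFFFFF)  # OFF bits all set: the "Host" part at its maximum
    if prefix == 32:                            # a single host: no network/broadcast pair
        hosts, first, last = 1, addr, addr
    elif prefix == 31:                          # point-to-point link (RFC 3021): both addresses usable
        hosts, first, last = 2, network, broadcast
    else:                                       # the usual "minus network, minus broadcast"
        hosts, first, last = (1 << (32 - prefix)) - 2, network + 1, broadcast - 1
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "hosts": hosts,
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses agree on every ON bit of the netmask."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    for cidr in ("192.168.0.0/24", "192.168.0.0/16", "192.168.0.127/25"):
        print(cidr, subnet_info(cidr))
    # The two boxes from the thread: different /24s, but the same /16
    print(same_subnet("192.168.0.4", "192.168.1.101", 24))  # False
    print(same_subnet("192.168.0.4", "192.168.1.101", 16))  # True
```

Running it on the thread's own numbers gives the same answers as the message: a /24 has 254 hosts, a /16 has 65534, and 192.168.0.127/25 sits in network 192.168.0.0 with broadcast 192.168.0.127 and 126 hosts. The same_subnet result is the whole reason the two boxes need a router (and a NAT rule) between them at all.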
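The "telnet ${REMOTE} 22" port check from the same message, scripted as an added Python example (not code from anyone in the thread). Beyond "answer or not", it tells apart the three ways a probe can fail to get an answer: a refused connection (the host is reachable but nothing listens on the port), a timeout (a firewall DROP rule, or a NAT router with no forwarding rule, which is what the "Connection timed out" in the original question looks like) and no route at all, which is a layer-3 problem rather than an sshd one. The fake SSH listener, its banner string, and the names probe_tcp, start_fake_sshd and closed_port are this example's own; the listener exists only so the block runs offline, and a real sshd sends a banner of the same "SSH-2.0-..." shape before the client says anything.

```python
"""Scripted 'is the port listening' probe, the equivalent of `telnet host 22`.

Added example for this thread; not code posted by anyone in it.  The fake
listener and its banner are constructed here so the probe can be exercised
offline.  Names (probe_tcp, start_fake_sshd, closed_port) are this example's.
"""
import socket
import threading

# Constructed banner that mimics the shape a real OpenSSH server sends first.
BANNER = b"SSH-2.0-FakeSSHd_example\r\n"


def start_fake_sshd(host: str = "127.0.0.1") -> int:
    """Listen on an ephemeral port, send BANNER to the first client, then exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_tcp(host: str, port: int, timeout: float = 2.0):
    """Return (state, banner); state is 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(255).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # open, but the service waits for the client to talk first (e.g. HTTP)
            return "open", banner
    except socket.timeout:
        # SYN answered by silence: a DROP rule, or a NAT router with no forwarding rule
        return "filtered", None
    except ConnectionRefusedError:
        # host answered with RST: reachable, but nothing is listening on that port
        return "closed", None
    except OSError:
        # no route / network down: fix layer 3 before thinking about sshd
        return "unreachable", None


def closed_port(host: str = "127.0.0.1") -> int:
    """Allocate and immediately release an ephemeral port so the probe sees a closed one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_fake_sshd()
    print("listening port:", probe_tcp("127.0.0.1", port))   # ('open', 'SSH-2.0-FakeSSHd_example')
    print("closed port:   ", probe_tcp("127.0.0.1", closed_port()))  # ('closed', None)
```

Reading the banner matters: a port that accepts the connection but never sends "SSH-2.0-" is open for something other than sshd (or sshd is wedged), which is the "listening, although not necessarily working" case the message warns about. A 'filtered' result against a remote box is the signal to look at ufw or the router's NAT rules rather than at openssh-server.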