<div dir="ltr"><div>> Going
the other way, you have no rules to pass <br>> the communication
through.<span class=""></span><br><br>Why were rules written for the second router but not the first? Is it because it was connected first? Could we write the rules we need?<br></div><span class=""><font color="#888888"><br>
</font></span></div><div class="gmail_extra"><br clear="all"><div>:-)~MIKE~(-:</div>
<br><br><div class="gmail_quote">On Fri, Jul 18, 2014 at 3:34 PM, Gilbert T. Gutierrez, Jr. <span dir="ltr"><<a href="mailto:mailing-lists@phoenixinternet.net" target="_blank">mailing-lists@phoenixinternet.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>NAT is the reason. The ping is being
translated from one network to another as well as telnet. Going
the other way, you have no rules to pass the communication
through.<span class="HOEnZb"><font color="#888888"><br>
<br>
Gilbert</font></span><div><div class="h5"><br>
<br>
On 7/18/2014 2:44 PM, Michael Havens wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">so according to your tutorial 192.168.0.x is not on
the same subnet as 192.168.1.x. If that is correct why can I ssh
(and ping and telnet....) from client to host but not host to
client?<br>
</div>
<div class="gmail_extra">
<br clear="all">
<div>:-)~MIKE~(-:</div>
<br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 12:30 PM,
Michael Havens <span dir="ltr"><<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>telnet localhost 22 from the server received no
answer from the client<br>
telnet 192.168.1.101 22 from the client received no
answer from the server<br>
<br>
</div>
I'll get back to you about the research project<br>
</div>
(and as a private message)<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>:-)~MIKE~(-:</div>
<div>
<div>
<br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 6:41
AM, <span dir="ltr"><<a href="mailto:kitepilot@kitepilot.com" target="_blank">kitepilot@kitepilot.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Michael:<br>
the 'Net' is a hodgepodge of protocols, all
abiding by the 'OSI Layer Model' to work properly
(<a href="http://en.wikipedia.org/wiki/OSI_model" target="_blank">http://en.wikipedia.org/wiki/OSI_model</a>).
<br>
Troubleshooting your SSH connection should be a
fairly simple proposition, because there are only
so many moving parts (Three!).<br>
As anything under the OSI model, nothing on an
upper layer will work unless the necessary
components of the lower layer are working.<br>
AND you *HAVE* to troubleshoot each layer
separately.<br>
So how does this go? <br>
Well, let's take a look at your SSH problem...<br>
1.- In order for the SSH connection to work you
need 3 things:<br>
1.1.- a SSH server,<br>
1.2.- a SSH client and,<br>
1.3.- a TCP/IP connection. <br>
*EACH* one of the lines above is a separate
project and *HAS* to be addressed as such. <br>
Let's cover the basics first, the TCP/IP
connection:<br>
You *HAVE* to *KNOW* The Mantra:<br>
"In order for any 2 devices to establish a TCP
connection they have to share a physical link and
they need addresses in the same subnet".<br>
The statement above is a pretty dense one, and has
several implications, number one being: What does
"subnet" mean?<br>
Another is: what about IPs in different subnets?<br>
We'll get there... <br>
As there are already several books written (and to
be written) about the few lines above, I'll water
it down to the bare minimum:<br>
The subnet is defined via the netmask, and implies
that "ON" parts of the netmask are always equal in
all the addresses on a network segment, so: <br>
Network:<br>
<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>
or<br>
192.168.0.0 with netmask 255.255.255.0 means that<br>
*ALL* the addresses in *THIS* network are going to
look like 192.168.0.${SOMETHING_ELSE}<br>
'192.168.0' is the "Network", and
"${SOMETHING_ELSE}" is the "Host".<br>
You can not use "Host 0" (because that defines the
network) and you can not use the highest number
(255) because that's the 'broadcast address'.<br>
Which means that any '/24' (slash 24) network can
address 254 'hosts'. <br>
Network:<br>
<a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>
or<br>
192.168.0.0 with netmask 255.255.0.0 means that<br>
*ALL* the addresses in *THIS* network are going to
look like 192.168.${SOMETHING_ELSE}.${SOMETHING_ELSE}<br>
'192.168' is the "Network", and
"${SOMETHING_ELSE}.${SOMETHING_ELSE}" is the
"Host".<br>
You can not use "Host 0.0" (because that defines
the network) and you can not use the highest
number (255.255) because that's the 'broadcast
address'.<br>
Which means that any '/16' (slash 16) network can
address 65534 'hosts'. <br>
The reason why '255' is the highest number is
because IPv4 addresses (and netmasks) are
represented in memory in 4 bytes, each number one
byte.<br>
Bytes are 8 bits, but that's a different book that
you need to read too, let's move on with the
network. <br>
Things get pretty interesting (and math pretty
convoluted) when you define networks like <a href="http://192.168.127.0/25" target="_blank">192.168.127.0/25</a><br>
If you want to see all variations, you can be lazy
(like me) and run:<br>
ipcalc <a href="http://192.168.0.127/25" target="_blank">192.168.0.127/25</a>
<br>
Finally, "Netmasks" are a patch to the first
defined (and shortsighted) 'Address Type' as class
A,B,C or D, but I'll let you research that
yourself. <br>
<br>
Well, that's all good, but how do you talk to
other addresses? I talk to google.com...<br>
That's a valid question, but<br>
1.- it is not part of *THIS* SSH problem and<br>
2.- you don't 'talk to google'.<br>
We'll talk more about how devices find each other
in a network down below, but in order to talk to
devices outside your network you need the 'Routing
Protocol' (implemented at [SURPRISE!] 'the
router') which is nothing else than a table of
rules stating 'this IP goes that way'. In your
case, all addresses go the same place (the router)
so the router becomes the 'Default Gateway'. As
for resolving google, you need DNS, but you knew
that... :) <br>
<br>
Now that we know what an IP address is, lets move
on to the "Physical Link".<br>
Well, a cable will do...<br>
In the wireless world, the "Association" is the
link.<br>
And how do you validate that?<br>
iwconfig will tell you what (if anything) you are
associated to. No association, no link, no
connection, no SSH.<br>
ifconfig will tell you what (if anything) you are
wired to. No wire, no link, no connection, no
SSH.<br>
Ain't that simple? ;-) <br>
So we have a link...<br>
And we have IP addresses in the same subnet.<br>
So we are connected!!! 8-) <br>
Not so fast Armando!!!<br>
The fact that your addresses match is not
necessarily a validation, because each computer
may be connected to a different router providing
the same NAT(ed) address!<br>
NAT?<br>
Yes NAT (Network Address Translation protocol),
but that's yet another book, so let's water it
down:<br>
NAT is the protocol that allows you to have an
'outside visible address' and an 'inside invisible
network' in a router.<br>
NAT (as Netmask) was implemented mainly to
alleviate the IPv4 address shortage because of the
'class A,B,C or D' mistake, but as a byproduct,
you can 'hide' behind it, which provides some
level of security. How you hide is yet another
bookshelf and essentially means that you cannot
access devices 'behind the router' unless the
device initiates the connection first, and that's
how you raise a WEB site from 'behind the router'
and why you can SSH from 'inside to outside the
router' but not the other way around, so let's move
on... <br>
So, how do we know that we are connected to the
same router?<br>
Ah, glad you asked:<br>
ARP!<br>
Or Address Resolution Protocol.<br>
*ALL* data transmission is done at OSI layer 2.<br>
Quick implementation manual:<br>
OSI layer 1: Cable or association.<br>
OSI layer 2: MAC address.<br>
OSI layer 3: IP address. <br>
Your network doesn't know (and doesn't care) about
IP addresses. The IP address is there to resolve
the MAC address.<br>
When you say:<br>
ping 192.168.0.1<br>
that generates a 'who has' request from the ARP
protocol.<br>
That request is broadcast to anyone on the
physical link (OSI layer 1)<br>
The device with the IP address interrogated by
'who has' answers with its MAC address.<br>
This IP/MAC address pair is then saved to the ARP
table.<br>
From there on (and even though the IP address
goes along in the TCP/IP header) all transmissions
are sent to the MAC address.<br>
But then again, how do you know that your 2 boxes
are talking to the same router?<br>
arp -n|grep 192.168.1.1<br>
Same MAC?<br>
Same box.<br>
Different MAC?<br>
Same Michael... ;-) <br>
What do we know so far?<br>
Well, we know something about line 3 of the very
first paragraph. <br>
What about line 2?<br>
Type<br>
which ssh<br>
You have it or not, and you know what to do, so
let's move to line 1. <br>
We now need to troubleshoot the SSH server.<br>
Well, that boils down to 2 things, it is working
or not...<br>
You *KNOW* that the SSH server is 'listening'
(although not necessarily working) when you can
connect to the 'port'<br>
Port?<br>
Yeah, port...<br>
Let's move on up in the OSI model to the
application layer.<br>
In order to establish a TCP connection you need an
IP connection and a port (or a socket and a port)<br>
The port is to the application what the IP address
is to the MAC.<br>
So if the port is listening, the application is
awake.<br>
And how do we know?<br>
There are only 975143684 possible ways to validate
a 'port is open' (or listening) but I am a simple
boring guy, so I do:<br>
telnet localhost 22<br>
I either get an answer or not.<br>
If I get an answer, then we are most likely all
good, but if I don't get an answer then the
ramifications are staggering and I'm not even
going to think about it. <br>
In order to check that the other port listens then
you:<br>
telnet ${REMOTE} 22<br>
Again, we either get an answer or not. And the
'not' means another Sunday drive to the library...
<br>
Finally, why 22?<br>
Because that's the SSH port and it is defined in
the configuration file, which you can change to
further complicate your (or someone else's) life.<br>
But who and where defined 22 as the SSH port?<br>
grep -i ssh /etc/services<br>
And who wrote /etc/services?<br>
<a href="http://www.iana.org/" target="_blank">http://www.iana.org/</a>
<br>
And how do I know all this crap?<br>
Because I finished LFS!!!! ;-) <br>
I hope you see everything now as clear as mud.<br>
Keep this message handy, you'll need to read it
several times... <br>
Keep in mind that what I have written here is a
GROSS oversimplification of several bookshelves
contained in several buildings and written along
several decades all over the World, it's free
advice, you can't sue me... :) <br>
And always remember:<br>
For every question there exists a simple, direct
and wrong answer.<br>
if you have any question,<br>
you will get any answer...<br>
ET <br>
PS: Research project:<br>
Why doesn't 'ping' use a port?<br>
Why is 'ping' 'setuid(ed)'?<br>
What are 'routable' networks?<br>
What are 'non-routable' networks?<br>
What does it mean if you get an IP address like <a href="http://169.254.0.0/16" target="_blank">169.254.0.0/16</a><br>
Why do you always have a 127.0.0.1 address in your
boxes?<br>
Who defines (and where are the documents that
define) all these protocols? (RFC anyone?) <br>
<div>
<div>
<br>
<br>
Michael Havens writes: <br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
okay, so I bought a used computer to do
Linux from scratch on. Well, I'm<br>
going to ssh from my primary computer to the
new computer but got a<br>
'Connection timed out' error. After googling
for a bit I discovered ufw was<br>
to blame. <br>
after I disabled the firewall I could ssh
from 192.168.1.101 <parasite> to<br>
192.168.0.4 <host> <br>
the error I got going the other way was the
connection timed out error: <br>
ssh <a href="mailto:mike@192.168.1.101" target="_blank">mike@192.168.1.101</a><br>
ssh: connect to host 192.168.1.101 port 22:
Connection timed out <br>
After googling some more I thought perhaps
openssh-server wasn't<br>
installed... but it is. So please.... what
is the problem? I verified<br>
openssh-client is installed but I don't know
what it could be. Could you<br>
help me out?<br>
:-)~MIKE~(-:<br>
</blockquote>
</div>
</div>
<div>
<div>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your
mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
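An added example, not part of the thread above: the netmask arithmetic ET walks through (network address, broadcast, usable host count and the same-subnet test) done with explicit bit operations in Python, applied to the two addresses from Michael's setup and to the /25 case ET calls convoluted. It uses only the standard library; the addresses are the ones quoted in the thread.

```python
# Added example (not from the mailing-list thread): the netmask rule ET gives,
# "the ON bits of the mask are equal on every address in the segment", written
# out as integer bit operations so each step is visible.


def to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """Netmask with the top `prefix` bits ON and the host bits OFF."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """Network, broadcast and usable host count for an address in CIDR form."""
    addr, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    network = to_int(addr) & mask                # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set
    # Host 0 is the network and all-ones is broadcast, so two addresses are
    # lost; a /31 or /32 has no room for that convention, hence the max().
    usable = max((1 << (32 - int(prefix))) - 2, 0)
    return {"netmask": to_dotted(mask), "network": to_dotted(network),
            "broadcast": to_dotted(broadcast), "usable_hosts": usable}


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts share a subnet only if the mask's ON bits agree in both."""
    mask = prefix_mask(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)


if __name__ == "__main__":
    # The two machines from the thread, each configured with a /24 netmask.
    client, server = "192.168.1.101", "192.168.0.4"
    print(same_subnet(client, server, 24))   # False: the third octet differs
    print(same_subnet(client, server, 16))   # True: a /16 would cover both
    for cidr in ("192.168.0.0/24", "192.168.0.0/16", "192.168.0.127/25"):
        print(cidr, describe(cidr))
```

Note that in the /25 case 192.168.0.127 is the broadcast address of its segment, which is exactly the kind of surprise ipcalc is there to show.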