ssh_exchange_identification: read: Connection reset by peer

Hello,
I have a slackware 9 box with 2 ethernet interfaces. eth0 is on the internet, eth1 is on the inside network. I am able to ssh to eth0 without any troubles.
When I try to ssh to eth1 from another linux client I get the following error:
ssh_exchange_identification: read: Connection reset by peer
When I try to ssh to eth1 from an old linux box I get the following error:
FATAL: Connecting to 192.168.3.60 failed: TCP/IP Failure
When I try to ssh to eth1 from putty I get the following error:
Network error: Software caused connection abort

ssh -V on target machine:
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
My iptables rules are definitely allowing connections to port 22 on both interfaces.
There are no entries in the log file related to ssh on the target machine.
I can connect to ssh on eth0

Any ideas what is wrong?

Thanks.
tagish asked:

jlevie commented:
What does your firewall log entries show when you attempt a connection? The problem description tends to point to the firewall being the cause.
0
wesly_chen commented:
Hi,

   Where are your linux client boxes? Are they in the inside network (192.168.3.X), which eth1 is on?
If not, then you need to enable routed/IP forwarding on this Slackware 9 box.

   If they are in the same subnet, then please give us the outputs of "iptables -L" and "netstat -n" so people can help debug this issue.

Regards,

Wesly
0
tagish (author) commented:
Hello,

Ok, the linux clients are inside the network, 192.168.3.x. I do have port forwarding etc. working on the firewall; I am fairly sure that is not the trouble (even when I set all policies to ACCEPT the errors are the same). There are no entries regarding the firewall.
From what machine would you like the netstat from?
iptables -L on the firewall:
root@gimli:/etc/rc.d# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere           tcp option=!2 reject-with tcp-reset
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
ACCEPT     tcp  --  192.168.3.0/24       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.3.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.3.0/24     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:http
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:smtp
ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:pop3
ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:pop3
ACCEPT     udp  --  anywhere             192.168.3.0/24     udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.3.0/24     udp spt:domain

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.3.0/24
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
ACCEPT     udp  --  anywhere             anywhere           udp spt:10000
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
ACCEPT     udp  --  anywhere             anywhere           udp spt:10000

0
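As an added example (not part of the thread, and not the poster's rule set), here is a small first-match evaluator for an INPUT chain shaped like the one listed above. Everything in it is constructed: `iptables -L` without `-v -n` omits the interface column, so the `-i lo` on the first rule is an assumption, the conntrack states are supplied by hand, and nothing here identifies which real rule fired on the poster's box. What it does show is why "set all policies to ACCEPT" is not a valid test: a chain policy applies only when no rule matched, so an explicit `REJECT --reject-with tcp-reset` earlier in the chain keeps firing, and that target produces exactly the client-side "Connection reset by peer".

```python
"""First-match walk through a netfilter INPUT chain.

Added example, not from the thread. The chain below is constructed to
resemble the listing posted above but is hypothetical: the posted output
hides interface matches, so the -i qualifiers are assumptions, and the
conntrack state of each packet is supplied by hand.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MSS_OPTION_KIND = 2  # TCP option kind 2 = Maximum Segment Size; normally carried only on SYN segments


@dataclass(frozen=True)
class Packet:
    in_iface: str                               # interface the packet arrived on
    proto: str                                  # "tcp", "udp" or "icmp"
    src: str                                    # source IPv4 address
    dport: Optional[int] = None                 # destination port (tcp/udp)
    ctstate: str = "NEW"                        # NEW, ESTABLISHED, RELATED or INVALID, as conntrack would report it
    tcp_options: FrozenSet[int] = frozenset()   # TCP option kinds present in the segment


@dataclass(frozen=True)
class Rule:
    target: str                                 # ACCEPT, DROP or REJECT (terminating targets only)
    in_iface: Optional[str] = None              # -i IFACE
    proto: Optional[str] = None                 # -p PROTO
    dport: Optional[int] = None                 # --dport N
    src_net: Optional[str] = None               # -s CIDR
    ctstates: Optional[FrozenSet[str]] = None   # -m state --state A,B
    tcp_option_absent: Optional[int] = None     # ! --tcp-option N
    reject_with: Optional[str] = None           # --reject-with TYPE (REJECT only)

    def matches(self, p: Packet) -> bool:
        """Every specified match must hold; an unspecified match is a wildcard."""
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src_net is not None and (
            ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net)
        ):
            return False
        if self.ctstates is not None and p.ctstate not in self.ctstates:
            return False
        if self.tcp_option_absent is not None and self.tcp_option_absent in p.tcp_options:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule, or None for the policy).

    The policy is consulted only when no rule matched, which is why flipping
    it to ACCEPT cannot undo an explicit REJECT earlier in the chain."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None


def explain(chain: List[Rule], policy: str, p: Packet) -> str:
    verdict, idx = evaluate(chain, policy, p)
    if idx is None:
        return f"{verdict} by chain policy"
    rule = chain[idx]
    suffix = f" ({rule.reject_with})" if rule.reject_with else ""
    return f"{verdict}{suffix} by rule {idx + 1}"


# Hypothetical chain laid out like the listing above. The -i lo on rule 1 is an assumption.
INPUT_CHAIN = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("REJECT", proto="tcp", tcp_option_absent=MSS_OPTION_KIND, reject_with="tcp-reset"),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", src_net="192.168.3.0/24"),
]

# Constructed packets from an inside client (192.168.3.19 is a host named in the FORWARD rules above).
SYN_TO_SSH = Packet("eth1", "tcp", "192.168.3.19", 22, "NEW", frozenset({MSS_OPTION_KIND}))
TRACKED_DATA = Packet("eth1", "tcp", "192.168.3.19", 22, "ESTABLISHED")
# A mid-stream segment conntrack does not attribute to an existing flow is reported as
# NEW or INVALID depending on the tracker's settings; either way it misses rule 2 and carries no MSS.
UNTRACKED_DATA = Packet("eth1", "tcp", "192.168.3.19", 22, "INVALID")
DNS_FROM_OUTSIDE = Packet("eth0", "udp", "203.0.113.7", 53, "NEW")


if __name__ == "__main__":
    samples = [("SYN to ssh", SYN_TO_SSH), ("tracked data", TRACKED_DATA),
               ("untracked data", UNTRACKED_DATA), ("DNS from outside", DNS_FROM_OUTSIDE)]
    for policy in ("DROP", "ACCEPT"):
        print(f"policy {policy}:")
        for name, pkt in samples:
            print(f"  {name:16} -> {explain(INPUT_CHAIN, policy, pkt)}")
```

Against a real box the equivalent check is `iptables -L -v -n`, which shows the interface qualifiers and per-rule packet counters; the counter that climbs while you retry the connection belongs to the rule that is deciding the verdict.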

wesly_chen commented:
Hi,

   How about temporarily disabling iptables (service iptables stop) to see whether the ssh connection works?
Then you can see whether the firewall causes the problem or not.

   The other thing you might want to check is "netstat -a | grep ssh" to see if your Linux server is listening on the ssh port.
The output should look like
tcp        0      0 *:ssh                   *:*                     LISTEN      

Wesly
0
tagish (author) commented:
Sorry for the delays in responding.

I changed all default policies to ACCEPT, and still got the same error.
The results of my "netstat -a | grep ssh" are:
root@gimli:~# netstat -a |grep ssh
tcp        0      0 *:ssh                   *:*                     LISTEN

ssh to the outside (eth0 card) works well.

Thanks.
0
wesly_chen commented:
Hi,

   Can you provide the output of "ifconfig -a" on your slackware box?

Wesly
0
tagish (author) commented:
You bet, here it is:

root@gimli:~# ifconfig -a
dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:50:FC:C8:64:CE
          inet addr:216.xxx.xxx.xxx  Bcast:216.xxx.xxx.xxx  Mask:255.255.248.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:375215 errors:0 dropped:0 overruns:0 frame:0
          TX packets:302225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:302 txqueuelen:1000
          RX bytes:292587648 (279.0 Mb)  TX bytes:54807832 (52.2 Mb)
          Interrupt:11 Base address:0x6c00

eth1      Link encap:Ethernet  HWaddr 00:10:A7:25:F6:E0
          inet addr:192.168.3.60  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:285550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:339413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52389189 (49.9 Mb)  TX bytes:288712753 (275.3 Mb)
          Interrupt:9 Base address:0x6800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I am not sure what the dummy0 interface is though...
0
tagish (author) commented:
Here is some additional info that I find interesting:

When linux box1 (ssh client) was set to use 192.168.3.1 as the default gateway (the old gateway) I could ssh to linux box2 (sshd server, also firewall) on the outside interface eth0, but not the inside interface eth1.
Now I have changed my default gateway to be linux box2, 192.168.3.60. Now I get the same error when I try to connect to either interface from linux box1. From linux box1 I can ssh to other machines, inside and outside of my LAN. From linux box2 I can ssh to machines on the internet.

From the old gateway (also a Slackware box, but a very old version), using the internet interface, I can ssh to the outside interface of linux box2.

Flushing and removing all iptables rules on linux box2 makes no difference.
0
wesly_chen commented:
Hi,

    When you set the default gateway to 192.168.3.60 (eth0 on the trouble Slackware server), can you ping the internet?

Wesly
0
tagish (author) commented:
Hi Wesly_chen,

The trouble server is my gateway, linux box2. eth0 is on the internet, and eth1 is the internal. However, from my other linux machine, linux box1, I can ping the internet. I can ssh, ftp and telnet to other sites. With linux box1 having the default gateway 192.168.3.60 I cannot ssh (to either interface) to the gateway machine (linux box2), which is 192.168.3.60 on eth1, and 216.xxx.xxx.xxx on eth0. With linux box1 having 192.168.3.1 (linux box3, the old gateway) as the default gateway I can ssh to the outside interface of the gateway machine, linux box2.
0
wesly_chen commented:
Hi,

   It seems that the internal port of Slackware linux box2 (eth1) has a problem accepting/forwarding the ssh request.
So when your gateway is set to the IP address of eth1, ssh doesn't work on either interface (eth0, eth1).

   One more check: do you know any ssh server on the internet, or can you put one ssh server (box4) on the internet side?
Then you can test ssh into the ssh server (box4) from box1 with the default gateway set to 192.168.3.60.
If it fails, then eth1 on box2 has a problem accepting/forwarding the ssh request.

   In addition to iptables, do you have another firewall/packet filter such as ipchains running on box2?
Can you kill those firewall processes (iptables, ipchains, ...)? (Not just remove all the rules.)

Wesly
0

tagish (author) commented:
OK, I have tested ssh to another machine out on the internet and it worked well with my default gateway as 192.168.3.60... you got me thinking :)

My firewall is running only iptables, but I have another one running ipchains (linux box3) that allowed me to connect to the outside interface of the problem box... I can't really stop iptables, but I created a new set of rules that allowed anything to go anywhere it wanted, no questions, and voilà, ssh works to both interfaces.

Thanks for your help. I was sure that it was not my firewall, and as a result did not thoroughly troubleshoot :( I will now go and start playing with my firewall rules.

Thanks again.
0
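The thread's resolution turns on where in the exchange the failure happened: the client completed the TCP handshake (otherwise it would have reported a refused or timed-out connect), then got a reset before sshd's "SSH-x.y-..." identification line, with nothing in sshd's log. That combination is the signature of the kernel's packet filter answering for the host, while a clean close with no banner, or a banner followed by a refusal, comes from sshd itself and leaves a log line. As an added example (not part of the thread, and not an OpenSSH tool), the probe below stands up throwaway listeners on 127.0.0.1 that imitate three server behaviours, then classifies a connection attempt by the stage it reached. The listeners and the banner string are constructed; no real sshd or firewall is involved.

```python
"""Classify where an SSH connection attempt fails, by stage.

Added example, not from the thread. The listeners below imitate three server
behaviours so the classifier can be exercised offline; the banner string is
constructed to look like the version reported in the question.
"""
import socket
import struct
import threading
from typing import Tuple

FAKE_BANNER = b"SSH-2.0-OpenSSH_3.7.1p2\r\n"  # constructed; shaped like the poster's ssh -V output


def serve_once(behaviour: str) -> int:
    """Listen once on an ephemeral loopback port and return that port.

    behaviour: "banner" -> send an identification line, then close (a healthy sshd)
               "close"  -> close cleanly (FIN) with no banner, as sshd does when it
                           refuses the connection itself (it logs that refusal)
               "reset"  -> abort with RST, as a filter's REJECT --reject-with tcp-reset
                           answering a packet after the handshake would
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(FAKE_BANNER)
        elif behaviour == "reset":
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port() -> int:
    """Reserve and release an ephemeral port so that nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """Connect and wait for the identification line; return (stage, detail)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            # RST answered the SYN: nothing listening, or a filter rejecting the SYN with tcp-reset
            return "refused", "RST in response to SYN"
        except socket.timeout:
            # SYN silently dropped: a DROP policy, a routing problem or a black hole
            return "timeout", "no SYN/ACK within timeout"
        try:
            data = s.recv(256)
        except ConnectionResetError:
            # Handshake completed, then RST before any banner. The OpenSSH client
            # reports this as "ssh_exchange_identification: read: Connection reset by peer".
            return "reset-before-banner", "RST after handshake"
        except socket.timeout:
            return "silent", "connected but no identification line"
    finally:
        s.close()
    if not data:
        # FIN before any banner: "ssh_exchange_identification: Connection closed by remote host"
        return "closed-before-banner", "FIN after handshake"
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("SSH-"):
        return "banner", line
    return "not-ssh", line


if __name__ == "__main__":
    for behaviour in ("banner", "close", "reset"):
        print(f"{behaviour:7} -> {probe('127.0.0.1', serve_once(behaviour))}")
    print(f"nobody  -> {probe('127.0.0.1', unused_port())}")
```

Run against a real host, a "reset-before-banner" result paired with an empty sshd log is the case to take to `iptables -L -v -n` and a packet capture on the server side; a "closed-before-banner" or "refused" result is worth checking against sshd's own log and listener first.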