Can't ssh into linux box via PUBLIC_URL

I just read about it - I didn’t have the connections (currently don’t know actual Americans) to verify that.

International calls are as expensive as they always were.

I live in Germany, my sister in the UK - but there is SIP and they have a local number on their phone :slightly_smiling_face:
And then there is WhatsApp, for instance - calls via the internet from/to everywhere where there is mobile data or … WLAN.

You got it nailed to the point: What you have set up for your father's box is exactly what I am trying to do - remote access to my manjaro box via fritz box and ssh.

What I can safely rule out is the following:

  • port forwarding b/c I have set up a firewall on the manjaro box and opened it in the fritz box as “exposed host” which actually replaces port forwarding
  • firewall b/c I temporarily disabled the firewall on the exposed host
  • ISP b/c before installing manjaro I had an ubuntu box in the same circumstances and the remote access via fritz box and ssh was working out just fine - I will attach the ubuntu howto which I am used to follow to achieve this
  • IPv4 b/c I certainly have dyndns and DSL configured as usual.
  • …and to make it clear once again: I am using a mobile connection to double check the findings from remote network access to the manjaro box.

Sorry: cannot include links in the post

I wanted to try this, but:

IPv6 addresses are a total mystery to me.
Perhaps some kind soul can shed light on this.

ifconfig on my machine gives me this:

enp3s0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
        inet 192.168.178.22  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::fbbb:2e21:e524:c44d  prefixlen 64  scopeid 0x20<link>
        inet6 fd00::611b:da07:77d1:a3e2  prefixlen 64  scopeid 0x0<global>
        inet6 2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea  prefixlen 64  scopeid 0x0<global>
        inet6 fd00::4840:6942:2ef7:24ac  prefixlen 64  scopeid 0x0<global>
        inet6 2a02:810a:8c0:a415:5e75:79ef:164d:9447  prefixlen 64  scopeid 0x0<global>
        ether 54:53:ed:b3:0e:45  txqueuelen 1000  (Ethernet)
        RX packets 6613395  bytes 8132312376 (8.1 GB)
        RX errors 0  dropped 248441  overruns 0  frame 0
        TX packets 2882064  bytes 384683775 (384.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sshd is running and I can connect to it
from this very same machine (to itself)
using two of these IPv6 addresses
2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea
and
2a02:810a:8c0:a415:5e75:79ef:164d:9447

My router’s address is (according to its interface):

Internet, IPv6

IPv6 address: 2a02:810a::11:8d2a:4dcf:adae:7ed9/64

IPv6 prefix: 2a02:810a:8c0:a415::/64

and I have set up my computer as an:

Exposed Host
(no firewall, nothing …)
with this address
::fbbb:2e21:e524:c44d

This seems to correspond to the first IPv6 address in the ifconfig output above.

Now I have my smartphone and an ssh client app on it
and need to put in the address - but so far I have not succeeded in finding the correct one.
Do I connect to the router?
Or to the address of my machine?

Can anyone shed light on this, which is a total mystery to me?

It is online, the port is 30201 if someone wants to test.

Is it possible that my smartphone or my mobile provider cannot deal with IPv6 addresses?
I just checked: It has got an IPv4 address
Does that mean that this won’t work anyway?
(it is a not too old Android - Samsung Galaxy A40)

I would use a different computer - but I have only this one.

fe80::fbbb:2e21:e524:c44d is a link-local address. They are used for directly connected hardware only.

Tried ping and ssh to your two IP addresses and I get

From 2a02:810a:0:11:8d2a:4dcf:adae:7ed9 icmp_seq=1 Destination unreachable: Administratively prohibited
# and
ssh: connect to host 2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea port 30201: Permission denied

Also, ifconfig is deprecated. You should be using ip a.

Visit this site whatsmyip and your external IP address will be revealed.

1 Like

Thank you for looking and testing!

I can connect this way - but this is of course from the same machine.

I used ifconfig because the output looks better to me …

2: enp3s0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 54:53:ed:b3:0e:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.22/24 brd 192.168.178.255 scope global dynamic enp3s0
       valid_lft 862718sec preferred_lft 862718sec
    inet6 2a02:810a:8c0:a415:7b44:2c74:3a9:dd58/64 scope global temporary dynamic 
       valid_lft 6998sec preferred_lft 3398sec
    inet6 2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6998sec preferred_lft 3398sec
    inet6 fe80::fbbb:2e21:e524:c44d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

@soundofthunder
Thank you as well - I got back 37.4.251.28 but this was unreachable from my phone ssh app

I will need to tinker a bit more with the router options I guess.
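The ifconfig and `ip a` dumps above list five kinds of IPv6 address next to each other (link-local fe80::, ULA fd00::, a stable global address and a temporary privacy address), which is exactly what makes "which one do I give the phone?" hard. The script below is an added example written for this thread, not code posted by anyone in it: it parses an `ip a` block constructed from the output quoted above, classifies every inet6 line with Python's `ipaddress` module, and checks each global address against the prefix the router reported. The regex, the function names and the sample text are assumptions of this example.

```python
"""Classify the IPv6 addresses in an `ip a` dump and say which ones a remote
ssh client could sensibly be pointed at.

Added example for this thread (not code from any post in it). The interface
dump below is constructed from the `ip a` output quoted in the thread; the
router prefix is the "IPv6 prefix" the Fritz!Box interface reported."""
import ipaddress
import re

# Constructed sample: the enp3s0 block from the thread, plus the fd00:: ULA
# address that only the ifconfig output showed.
IP_A_OUTPUT = """\
2: enp3s0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 54:53:ed:b3:0e:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.22/24 brd 192.168.178.255 scope global dynamic enp3s0
       valid_lft 862718sec preferred_lft 862718sec
    inet6 2a02:810a:8c0:a415:7b44:2c74:3a9:dd58/64 scope global temporary dynamic
       valid_lft 6998sec preferred_lft 3398sec
    inet6 2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6998sec preferred_lft 3398sec
    inet6 fd00::611b:da07:77d1:a3e2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::fbbb:2e21:e524:c44d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

# The prefix the router's web interface reported as "IPv6 prefix".
ROUTER_PREFIX = ipaddress.IPv6Network("2a02:810a:8c0:a415::/64")

# inet6 <addr>/<plen> scope <scope> <flags...>   (assumed `ip a` line shape)
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$")


def parse_inet6(text):
    """Return (address, prefixlen, scope, flags) for every inet6 line."""
    entries = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if m:
            addr = ipaddress.IPv6Address(m.group(1))
            flags = set(m.group(4).split())
            entries.append((addr, int(m.group(2)), m.group(3), flags))
    return entries


def classify(addr, flags, router_prefix):
    """Return (kind, explanation) for one address.

    Order matters: fe80::/10 is also inside the module's "private" ranges,
    so link-local is tested first."""
    if addr.is_link_local:
        return "link-local", "never routed; reachable only on the same LAN segment"
    if addr.is_private:  # fc00::/7 ULA, shown as fd00:: in the ifconfig output
        return "ULA (private)", "not routed on the Internet even though ifconfig says <global>"
    if addr.is_global:
        if addr not in router_prefix:
            return "global (foreign prefix)", "global, but not inside the router's delegated prefix"
        if "temporary" in flags:
            return "global, temporary (privacy)", "reachable now, but regenerated regularly; do not use for ssh"
        return "global, stable", "reachable from the Internet if the router allows it; use this one"
    return "other", "unclassified"


def remote_ssh_candidates(text, router_prefix=ROUTER_PREFIX):
    """Addresses a remote client could be given: stable, global, in-prefix."""
    return [str(addr) for addr, _plen, _scope, flags in parse_inet6(text)
            if classify(addr, flags, router_prefix)[0] == "global, stable"]


def report(text, router_prefix=ROUTER_PREFIX):
    """One human-readable line per inet6 address."""
    return [f"{addr}/{plen} [{scope}] -> {kind}: {why}"
            for addr, plen, scope, flags in parse_inet6(text)
            for kind, why in [classify(addr, flags, router_prefix)]]


if __name__ == "__main__":
    for line in report(IP_A_OUTPUT):
        print(line)
```

Run against the constructed dump it leaves exactly one candidate, 2a02:810a:8c0:a415:6cd1:84ce:daeb:e5ea: the fe80:: address is link-local, the fd00:: address is a ULA that the ISP will not route despite the `<global>` scope label ifconfig prints, and the ...:dd58 address is a temporary privacy address that will be gone in a few hours. The phone-side problem raised later in the thread remains separate: a client that only has IPv4 cannot reach any of these addresses, however correct the choice.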

Well, send me ssh key and I’m sure I can too. :smiley:

Because you need to forward port 30201 to 192.168.178.22.

Most “Kabel” contracts in Germany don’t get a publicly reachable IPv4 address. The ISP uses DS-Lite for IPv4, which means no publicly reachable IPv4. Some older contracts include their own public IPv4. Depends on your specific contract. But usually IPv6 is reachable.

There is no key yet - just a password.
User name is jo - this should get you to the password prompt. :slightly_smiling_face:

I was just trying to educate myself about what an AFTR address is - this is some configuration option in my routers interface.

This here:

https://get.geojs.io/v1/ip

gives me this address:

2a02:810a:8c0:a415:7b44:2c74:3a9:dd58

Wow, wtf. And schools here (Slovenia) get an IPv4 for every connected PC. :joy:
It seems the sh*t ISPs are doing is getting more ridiculous every year. I can’t even imagine not getting static IP for free.

Well, it’s ‘Permission denied’ either way. :man_shrugging:
I’d throw those fritzboxes away the moment I’d get them. :stuck_out_tongue:

Thanks anyway - I’ll figure it out eventually.

It is not mine, but the providers - even if I don’t use it, they will want it back when the contract ends.
Can’t sell it …
It is actually really not a good one - when I got it, before I connected it, Wifi worked.
As soon as it came online they initiated a firmware update - Wifi with my laptop never worked again.
Eventually I’ll get one from a different brand.

I found something interesting in another thread.

Check your /etc/hosts for this entry:

2a01:4f9:c010:50::1 aur.archlinux.org aur

This loopback should not even be there, but apparently was for another user;
If it exists, comment it.

:face_with_spiral_eyes:
When I looked at the logs 10 years ago, I saw more than a hundred login attempts every day. Since then I have only used ssh keys. Anyone who tries to log in will receive a friendly message that their password does not work and they are welcome to try again. (Because none of them would work :wink: )

It’s a plague like fruit flies (have you ever had hundreds of them?)

:footprints:
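The post above describes the one change that actually ends the daily password-guessing noise: key-only logins. The script below is an added example for this thread, not code from any post in it. It parses two constructed sshd_config texts, a hypothetical weak one mirroring the setup described earlier in the thread (password login enabled, non-standard port 30201) and a hardened one, applies OpenSSH's first-occurrence-wins rule and the documented defaults for absent keywords, and reports which settings would still let a password guess succeed. The keyword defaults are OpenSSH's; the function names and sample texts are this example's own, and Match blocks are deliberately not handled.

```python
"""Audit an sshd_config for the settings that matter once sshd is reachable
from the Internet: password logins, keyboard-interactive (PAM) logins, root
login and the listening port.

Added example for this thread (not code from any post in it). Both config
texts are constructed; WEAK_CONFIG mirrors the setup described in the thread."""

WEAK_CONFIG = """\
# constructed: password login on a non-standard port, as in the thread
Port 30201
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: key-only login as the post above describes
Port 30201
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# OpenSSH defaults that apply when the keyword is absent from the file.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective keyword -> value map (keywords lower-cased).

    sshd uses the FIRST occurrence of a keyword and ignores later duplicates;
    lines starting with '#' and blank lines are comments. Match blocks are
    not interpreted (assumption of this example: treat every line as global)."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value" are both accepted by sshd.
        tokens = line.replace("=", " ", 1).split(None, 1)
        if len(tokens) != 2:
            continue
        key, value = tokens[0].lower(), tokens[1].strip()
        if key in seen:
            continue
        seen.add(key)
        effective[key] = value
    return effective


def audit(text):
    """Return (keyword, effective value, fix) for each setting that still
    allows a password-based or root login."""
    eff = parse_sshd_config(text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", eff["passwordauthentication"],
                         "set to 'no'; authenticate with keys only"))
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append(("KbdInteractiveAuthentication", eff["kbdinteractiveauthentication"],
                         "set to 'no'; otherwise PAM keyboard-interactive still accepts passwords"))
    if eff["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append(("PermitRootLogin", eff["permitrootlogin"], "set to 'no'"))
    if eff["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", eff["pubkeyauthentication"],
                         "set to 'yes' before disabling passwords, or you lock yourself out"))
    return findings


def summary(text):
    """Human-readable report; the port is reported as information only,
    because a non-standard port does not stop the login attempts the post
    above describes, it merely thins them out."""
    eff = parse_sshd_config(text)
    lines = [f"listening on port {eff['port']} (information only, not a control)"]
    lines += [f"WEAK {k}={v}: {fix}" for k, v, fix in audit(text)]
    return lines


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        print("\n".join(summary(cfg)))
```

The order of the two hardening steps matters in practice: confirm a key login works while `PasswordAuthentication` is still `yes`, then flip it and `KbdInteractiveAuthentication` to `no` and reload sshd. The live effective configuration can be checked with `sshd -T`, which prints the merged result the same way this parser approximates it.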

That was probably not correct - but password login was still enabled anyway.
And the port was not the standard 22.

This was just for testing - and I have to do more.

It is no longer online - he could not reach it, I could not reach it from my smartphone.
Which is likely because - if it is actually accessible at all - my smartphone can only reach IPv4 addresses.
… which I probably indeed do not have with this provider …

I am aware of the possible threat of having this accessible.

Either way, your fritzbox is rejecting any attempts.

One might say it’s… on the fritz

I’ll see myself out…

1 Like

That is a common misunderstanding in this thread: with “exposed host” you do not need port forwarding to the private local IPv4 address - accessing the external IPv4 address of the fritz box is sufficient. And yes, I am aware of the vulnerabilities of having no firewall in such a configuration…

About the question of private local IPv6 addresses and externally reachable IPv6 addresses: This is a different story, as every IPv6 address should be unique, even if it is given to a local network interface card. Possibly all with IPv6 prefix, etc. etc. This is a mystery to me, too - Please elaborate when you have found a working configuration!

That is just stupid wording by fritzbox then. Underneath there has to be exactly port forwarding/routing everything to that internal IP.

I don’t have fritzbox, so I’m not searching for any configuration at all. :stuck_out_tongue: As I said already, buy a Mikrotik and throw that fritzbox in the bottom drawer.

Not really, it is the “denglisch” version of “DMZ host”. Since nobody in Germany will understand “DMZ” in this context and exposed is basically what it is for noobs. Of course it is just rerouting every packet to this specific host and not a real exposed host, but it is the same with the so-called “DMZ Host”. It will not make any difference for a home user.

I use a Fritzbox at the moment and I used many Fritzboxes with different ISP connection technologies before, and port forwarding for IPv4 and IPv6 always worked as expected.

1 Like

Yes

“exposed host” also means in this case that this “exposed host” cannot reach any device in the network (according to “fritz-box”), and that all of its ports are reachable from outside. (Maybe there are some exceptions for ports that the fritz-box needs to use itself)

So I think this is very close to what everyone calls a “DMZ”.

Fritz-Box has both options.

  • exposed host (DMZ)
  • port-forwarding

But it has only one visible IP, so if you use “port-forwarding” and “exposed host”, there may be some ports missing in one or the other :wink:

:footprints: