0

I would like to enable SSH connections on an additional port on my machine, for reasons. It is a physical machine (not a VM), running Devuan GNU/Linux Chimaera (~= Debian 11.0 without systemd). The default SSH server (OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k) is running fine and accepting connections on port 22 already.

I've added two Port entries to my /etc/sshd_config:

Port 22
Port 5123

and have restarted the service.

What I now experience is that from within the same machine, I can connect to both ports (ssh -p 5123 localhost works); but from other machines on the LAN, I can only connect to port 22. This is a physical LAN (cables running to a switch), so there should be no blockage along the way.

  • I couldn't find any mention of a rejected connection in /var/log/auth.log.
  • I checked /etc/hosts.allow and /etc/hosts.deny - they're both empty (except for comment lines).
  • I tried iptables --list - all tables are empty.

So, what could be blocking the connection on port 5123 from other machines, and how can I unblock it?

Edit: Additional information:

# lsof -Pi :5410
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    27566 root    3u  IPv4 19305483      0t0  TCP *:5410 (LISTEN)
sshd    27566 root    4u  IPv6 19305485      0t0  TCP *:5410 (LISTEN)

# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
# iptables-legacy-save 
# Generated by iptables-save v1.8.7 on Sun Oct 10 09:30:15 2021
*filter
:INPUT DROP [3837243:374065333]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8124295:583169789]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Oct 10 09:30:15 2021

So it looks like there's a rule for accepting port 22 as input, but no such rule for port 5123. The question remains, though - what's the cause of this situation?

# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

On Debian 11, and Devuan Chimaera, iptables is actually a symlink:

# readlink  `which iptables`
/etc/alternatives/iptables
# readlink -f `which iptables`
/usr/sbin/xtables-nft-multi
einpoklum
  • 1,652
  • 3
  • 21
  • 31
  • `iptables-save` + `nft list ruleset` (test both or only the later) would really tell there is no firewall. `iptables --list` displays only one of multiple possible tables (and in a format that can't be reused anyway). Just to rule out this possible cause and move on to other guesses. – A.B Oct 09 '21 at 10:00
  • hows about first anf easy `lsof -Pi :5123` to verify that the port is listed to anywhere. since you did not tell which hoster the server beeing be, we need more, a hell more context – djdomi Oct 09 '21 at 21:37
  • @A.B: See edit. – einpoklum Oct 10 '21 at 06:37
  • @djdomi : See edit. – einpoklum Oct 10 '21 at 06:37
  • Between "I tried iptables --list - all tables are empty" and the actual firewall rules with default drop... it certainly changed. Then there's also (probably empty but who knows?) rules using the former API (`iptables-legacy-save`). – A.B Oct 10 '21 at 06:58
  • Maybe `iptables` is symlinked to `iptables-legacy` while `iptables-save` and `iptables-restore` are linked to `iptables-nft-save` and `iptables-nft-restore` (aka `xtables-nft-multi`) which would explain this part. – A.B Oct 10 '21 at 07:09
  • still missing information what hoster is used. – djdomi Oct 10 '21 at 11:12
  • @djdomi: I didn't quite understand what you meant in that second sentence... "hoster"? "beeing be"? – einpoklum Oct 10 '21 at 19:10
  • @A.B: Yes, it's linked to `xtables-nft-multi`. – einpoklum Oct 10 '21 at 19:12
  • do you host on your own or use a public hoster ehich might be the issue.some ports are on different hosters blocked – djdomi Oct 10 '21 at 19:31
  • @djdomi: I'm discussing physical machines on a physical LAN, nobody is hosting anything... :-P – einpoklum Oct 10 '21 at 19:33

0 Answers0