- THE SETUP
Two machines at home, behind a residential cable modem and router:
gaia: Kubuntu 10.04, 192.168.0.103
pixel: Ubuntu 10.04, 192.168.0.104
router: DLink DI-52, 1.1.1.1 (not its real IP). The router is configured to forward ports 23 and 10002 to pixel:22, and to forward ports 22 and 10001 to gaia:22.
Two external hosts on different networks in different states:
zeus: CentOS, IP 2.2.2.2 (not its real IP) in Texas
argo: Kubuntu 10.04, IP 3.3.3.3 (not its real IP) in California
- THE PROBLEM
If I SSH from zeus to router:22, :23, :10001, or :10002, it connects fine (to gaia, pixel, gaia, and pixel, respectively).
If I SSH from argo to router:23 or :10002, it connects to pixel fine. If I SSH from argo to router:22 or :10001, it does not connect to gaia; the SYN packet is never replied to (I watched this with Wireshark on gaia to verify that gaia does not send anything back to argo). Also tested with other hosts on the same network as argo; none of them get any farther. The SSH dump (-vvv) looks like this:
@@ 08:29:04 Sat Sep 18 [user@argo - ~]$ ssh 1.1.1.1 -vvv
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 22.
debug1: connect to address 1.1.1.1 port 22: Connection timed out
ssh: connect to host 1.1.1.1 port 22: Connection timed out
@@ 08:39:00 Sat Sep 18 [user@argo - ~]$
Now, to make things even weirder: I have a VPN client on gaia that lets me get past the firewall that is on argo's corporate network. This VPN client gives gaia an additional IP (172.16.1.1, again not real). If I try to ssh to THAT IP from argo, it connects just fine.
So my question is, what the hell is going on? Does gaia for some reason just not like the IP that argo is using? gaia is a two-day-old Kubuntu install, and I haven't done anything weird like configure certain IP ranges to be blocked from connecting to sshd. And it doesn't seem like it could be something about the SYN packet that gaia doesn't like, since it WILL let argo connect if it's to the VPN IP.
EDIT: I just discovered that this problem only occurs when the VPN client is running on gaia. As soon as I shut it off, argo can connect to gaia through its public IP just fine. Any idea why this would be?
EDIT 2: My next guess is that the VPN client tells the IP stack to ignore any packets coming from the corporate firewall's public IP, to make sure that while the VPN is active, all data from gaia to the corporate network goes through the VPN, and not through the public firewall. This doesn't cause me a real problem, because I can still SSH directly to gaia using its VPN IP instead of the router's IP, but it's a little confusing.
Oh, man. I'll be perfectly honest here. I don't fully understand your problem. Not because you didn't phrase it well, it's just rather complicated. Now my brain hurts.
That being said, there are a few things you should look into. The obvious ones are firewall rules on the servers, and access lists on the routers. It only takes one typo to make your network seem confusingly broken. A picture might help? =)
Another is whether Split Tunneling is enabled. It's considered a security risk, so it's often recommended to be disabled. But that can result in computers not getting access to networks that aren't on the other side of the VPN. It's possible that's borking up your connection attempts.
--Christopher Karel
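As an added illustration of the routing side of this (example code, not from anyone in the thread): the model below assumes, as a constructed scenario, that gaia's VPN client installs a route for argo's site (3.3.3.0/24, a placeholder range) via tun0 alongside the corporate 172.16.0.0/12 range, and works out on which interface gaia's reply to each peer would leave. A reply that exits on a different interface than the SYN arrived on never reaches the peer, which is exactly what a "no SYN-ACK" capture looks like.

```python
import ipaddress

# Constructed routing tables modelled on the post's placeholder addresses;
# they are NOT captured from gaia. Each entry is (prefix, egress interface).
VPN_OFF = [
    ("0.0.0.0/0", "eth0"),        # default route via the home router
    ("192.168.0.0/24", "eth0"),   # the home LAN
]
VPN_ON = VPN_OFF + [
    ("172.16.0.0/12", "tun0"),    # corporate private range through the tunnel
    ("3.3.3.0/24", "tun0"),       # ASSUMED: client also steers the corporate
                                  # site's public range into the tunnel
]


def egress_interface(table, dst):
    """Longest-prefix match over the table: the interface the kernel would
    pick for a packet destined to dst (the same answer `ip route get dst`
    gives on a live box)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reply_reaches_peer(table, arrival_iface, peer):
    """A SYN that arrived on arrival_iface only gets a usable SYN-ACK if the
    reply to the peer leaves on that same interface; otherwise the path is
    asymmetric and the peer sees a timeout."""
    return egress_interface(table, peer) == arrival_iface


def scenario_report(table):
    """Summarise the three connection attempts described in the post.
    zeus and argo arrive through the router on eth0; the VPN-IP attempt
    arrives through the tunnel on tun0 (peer address simplified to argo's)."""
    return {
        "zeus->router": reply_reaches_peer(table, "eth0", "2.2.2.2"),
        "argo->router": reply_reaches_peer(table, "eth0", "3.3.3.3"),
        "argo->vpn_ip": reply_reaches_peer(table, "tun0", "3.3.3.3"),
    }


if __name__ == "__main__":
    for name, table in (("VPN off", VPN_OFF), ("VPN on", VPN_ON)):
        print(name, scenario_report(table))
```

On a real machine the equivalent check is `ip route get 3.3.3.3` with the VPN up and down; if the interface in the answer changes, the return path has moved into the tunnel.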
There was an issue I came across one time with OpenBSD, I think, where SSHD was configured to not accept connections from source tcp ports below 1000 or something similar - it puzzled the heck out of me until I found it. The symptoms were similar - I could connect from one machine but not another for no reason I could think of.
Given the previous comments about VPN and split-tunneling though, that's a more likely culprit.