Incoming connections after 13.2 upgrade

Hello!
I have just upgraded my OpenSUSE laptop from 13.1 to 13.2, and since then I can’t seem to be able to access any of the services I use (SSH and KdeConnect).

I do have the required ports open, even tried stopping the firewall, but when I try to connect to SSH (sshd’s running) or Kdeconnect, it cannot see the computer at all.

I’m trying to connect from 192.169.1.64 (to 192.168.1.68), here’s dmesg:

 8668.108367] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=114.177.119.165 DST=192.168.1.68 LEN=293 TOS=0x00 PREC=0x00 TTL=112 ID=8812 PROTO=UDP SPT=13526 DPT=7881 LEN=273 
 8669.568880] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=114.177.119.165 DST=192.168.1.68 LEN=293 TOS=0x00 PREC=0x00 TTL=112 ID=8958 PROTO=UDP SPT=13526 DPT=7881 LEN=273 
 8670.175696] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 
 8674.438657] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
 8798.293791] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 
 8801.482297] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=40076 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44 
 8802.523665] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
 8802.523732] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=85 TOS=0x00 PREC=0x00 TTL=255 ID=40129 DF PROTO=UDP SPT=5353 DPT=5353 LEN=65 
 8809.326752] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=177.229.214.15 DST=192.168.1.68 LEN=95 TOS=0x00 PREC=0x00 TTL=111 ID=23855 PROTO=UDP SPT=54995 DPT=7881 LEN=75 
 8876.184191] show_signal_msg: 96 callbacks suppressed
 8876.184195] chromium[26224]: segfault at 1f8 ip 00007f6e2bfcfc78 sp 00007fff066c6560 error 4 in i965_dri.so[7f6e2bc88000+4fd000]
 8876.389325] chromium[26233]: segfault at 1f8 ip 00007f9577e7dc78 sp 00007fff262fe6c0 error 4 in i965_dri.so[7f9577b36000+4fd000]
 8876.574865] chromium[26247]: segfault at 1f8 ip 00007f7374616c78 sp 00007fff5e32b860 error 4 in i965_dri.so[7f73742cf000+4fd000]
 9054.478309] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 
 9057.653064] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=38335 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44 
 9058.693026] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
 9058.693100] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=85 TOS=0x00 PREC=0x00 TTL=255 ID=39172 DF PROTO=UDP SPT=5353 DPT=5353 LEN=65 
kachna:~ # cat /var/log/firewall |tail
2014-11-11T21:05:00.542622-08:00 kachna kernel:  8674.438657] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
2014-11-11T21:07:04.316635-08:00 kachna kernel:  8798.293791] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 
2014-11-11T21:07:07.502620-08:00 kachna kernel:  8801.482297] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=40076 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44 
2014-11-11T21:07:08.543628-08:00 kachna kernel:  8802.523665] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
2014-11-11T21:07:08.543644-08:00 kachna kernel:  8802.523732] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=85 TOS=0x00 PREC=0x00 TTL=255 ID=40129 DF PROTO=UDP SPT=5353 DPT=5353 LEN=65 
2014-11-11T21:07:15.341473-08:00 kachna kernel:  8809.326752] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=177.229.214.15 DST=192.168.1.68 LEN=95 TOS=0x00 PREC=0x00 TTL=111 ID=23855 PROTO=UDP SPT=54995 DPT=7881 LEN=75 
2014-11-11T21:11:20.332610-08:00 kachna kernel:  9054.478309] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 
2014-11-11T21:11:23.505623-08:00 kachna kernel:  9057.653064] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=38335 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44 
2014-11-11T21:11:24.544609-08:00 kachna kernel:  9058.693026] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=105 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=65 
2014-11-11T21:11:24.544624-08:00 kachna kernel:  9058.693100] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=85 TOS=0x00 PREC=0x00 TTL=255 ID=39172 DF PROTO=UDP SPT=5353 DPT=5353 LEN=65 



SuSEfirewall2 status:
https://gist.github.com/kachnitel/adf7c97af7f71887352a

I’ve looked into the Wicked system, but haven’t found any related setting or something to try…therefore I apologize if my post is lackluster, but I’ve got stuck at this point with absolutely no idea what’s wrong.

I’d be rather thankful for any idea or direction where to look!

Thanks!

dmesg output is not that helpful for this usually and in particular these
are logs of UDP packets to other ports; instead what you can do is
show/prove configuration via commands like the following (assuming TCP 22
for the SSH service):

[CODE]
#From the server, show the listening service:
sudo /usr/sbin/ss -planeto | grep :22

#and relevant firewall configuration:
sudo /usr/sbin/iptables -nvL | grep :22
sudo /usr/sbin/iptables-save | grep :22

#It can help to connect to the service locally to ensure everything else
#is okay
ssh user@localhost

#From the client side, do a simple port test:
netcat -zv server.ip.goes.here 22

#and of course, the connection you want itself:
ssh -vvv your-user@sshserver.ip.goes.here

#It may be useful to get IP and route information from BOTH client and
#server
ip addr
ip route
[/CODE]


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
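
Added example, not part of the original posts: a small parser for SuSEfirewall2 drop entries that shows what the quoted log actually contains (UDP to ports 7881 and 5353, the latter multicast) and checks whether any drop matches the SSH connection being debugged. The function names are hypothetical, the client address 192.168.1.64 is the one used later in the thread, and the final sample entry is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Four entries copied from the dmesg output quoted in the question.
THREAD_LOG = [
    " 8668.108367] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=114.177.119.165 DST=192.168.1.68 LEN=293 TOS=0x00 PREC=0x00 TTL=112 ID=8812 PROTO=UDP SPT=13526 DPT=7881 LEN=273",
    " 8670.175696] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:0290:a2ff:fed1:52eb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44",
    " 8801.482297] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.68 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=40076 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44",
    " 8809.326752] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=00:90:a2:d1:52:eb:a8:39:44:f6:10:28:08:00 SRC=177.229.214.15 DST=192.168.1.68 LEN=95 TOS=0x00 PREC=0x00 TTL=111 ID=23855 PROTO=UDP SPT=54995 DPT=7881 LEN=75",
]
# Constructed entry (not from the thread): what a firewall-dropped SSH SYN
# from the client would look like if the firewall were the cause.
CONSTRUCTED_SSH_DROP = " 9999.000000] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC= SRC=192.168.1.64 DST=192.168.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"

PREFIX = re.compile(r"\b(SFW2-[\w-]+)\s+(.*)")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop(line):
    """Parse one SFW2 kernel log entry into a dict, or return None."""
    m = PREFIX.search(line)
    if m is None:
        return None  # unrelated kernel message, e.g. a segfault line
    entry = {}
    for key, value in FIELD.findall(m.group(2)):
        entry.setdefault(key, value)  # LEN occurs twice; keep the IP-level one
    entry["PREFIX"] = m.group(1)
    dst = entry.get("DST")
    entry["MULTICAST"] = bool(dst) and ipaddress.ip_address(dst).is_multicast
    return entry


def drops(lines):
    """Yield parsed entries whose log prefix marks them as dropped packets."""
    for entry in map(parse_drop, lines):
        if entry and "DROP" in entry["PREFIX"]:
            yield entry


def summarize(lines):
    """Count drops by (protocol, destination port, multicast destination?)."""
    return Counter((e.get("PROTO"), e.get("DPT"), e["MULTICAST"]) for e in drops(lines))


def drops_for(lines, src, proto, dport):
    """Return only the drops that match the connection being debugged."""
    want = (src, proto, str(dport))
    return [e for e in drops(lines) if (e.get("SRC"), e.get("PROTO"), e.get("DPT")) == want]


if __name__ == "__main__":
    print(summarize(THREAD_LOG))
    print(drops_for(THREAD_LOG, "192.168.1.64", "TCP", 22))
```

An empty result from `drops_for` on the real log means the firewall never logged a drop for the client's SSH attempt, which is why the reply moves on to checking the listener, the rules and reachability instead.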

Thanks! I’ve tried going through it, the local tests don’t seem to give me much:

kachna:~ # /usr/sbin/ss -planeto | grep :22
LISTEN     0      128                       *:22                       *:*      users:(("sshd",pid=892,fd=3)) ino:18596 sk:ffff8800c2f23780 <->
LISTEN     0      128                      :::22                      :::*      users:(("sshd",pid=892,fd=4)) ino:18598 sk:ffff8800c2e0e800 <->

kachna:~ # /usr/sbin/ss -planeto | grep :1714
LISTEN     0      50                        *:1714                     *:*      users:(("kdeconnectd",pid=15777,fd=9)) uid:1000 ino:768674 sk:ffff88009d14c780 <->

kachna:~ # sudo /usr/sbin/iptables -nvL | grep :22

    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
kachna:~ # sudo /usr/sbin/iptables-save | grep :22
# no output here, googled around, but I understood it shouldn't be the issue?

kachna:~ # ssh kachna@localhost
Password: 
Last login: Tue Nov 11 21:52:52 2014 from console
Have a lot of fun...
Agent pid 30257
Identity added: /home/kachna/.ssh/id_rsa (/home/kachna/.ssh/id_rsa)
kachna@kachna:~> exit
logout
Connection to localhost closed.

kachna:~ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:90:a2:d1:52:eb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.68/24 brd 192.168.1.255 scope global dynamic wlp2s0
       valid_lft 85747sec preferred_lft 85747sec
    inet6 fe80::290:a2ff:fed1:52eb/64 scope link 
       valid_lft forever preferred_lft forever
3: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 20:89:84:92:f3:9b brd ff:ff:ff:ff:ff:ff


kachna:~ # ip route
default via 192.168.1.254 dev wlp2s0  proto static  metric 1024 
192.168.1.0/24 dev wlp2s0  proto kernel  scope link  src 192.168.1.68 

However, the netcat and actual SSH both say EHOSTUNREACH (no route to host), which I didn’t see just checking the connection before - I’m trying to connect from an Android, haven’t yet found verbose enough tools.

Could that possibly be a problem with the router? I don’t have much access to it, but I could perhaps try rebooting it to refresh the DHCP tables, but IIRC, my IP didn’t change, and even if it did, I see no reason for this behavior.

**** I’ve messed up the format a bit, couldn’t find a way to edit :-/

Anyways, I tried to use my brain a bit, and actually properly looked into the iptables-save, but it now looks alright to me:

kachna:~ # sudo /usr/sbin/iptables-save | grep 22
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 1722 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1722 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1722 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 1722 -j ACCEPT

Nice work on the commands. Yes, they show what appears to be a
properly-configured SSH service/server.

I’m going to pretend you do not know anything about networking; no
offense, but it’ll explain why I’m explaining as I am. Feel free to skim
the parts that are completely obvious.

First, how are you accessing your SSH server? If by IP address, skip over
this, but if not, perhaps a problem is there. A host unreachable error
makes me think that this is not the problem, but if you are trying to
access it by hostname then perhaps that is not properly resolving to an IP
address. That should return a different error, but it’s a common problem.

Next, perhaps network settings are not set consistently between client and
server. Your server looks like a normal-ish class C-ish assignment on a
private network (192.168.1.x). What does your Android have set? Could
you possibly have multiple networks, with Android on one and the server on
the other? I’m guessing not, but that kind of thing may cause this error,
depending on the network setup. If your Android device happened to hook
onto another nearby network with the same IP ranges, that would cause this
error. Your router may be able to give you a list of connected devices,
to help verify all is well here.

Also, can you ping from your Android device to your computer? By default,
at least up through 13.1, pinging should work out of the box, including
with the firewall in its default mode. If that does not work, then
higher-layer protocols (like TCP) will likely fail. Maybe try pinging
from openSUSE to the Android device too.

Finally, this is pretty silly, but if your Android device is not at home
(or wherever your 192.168.1.x network is) then it will almost certainly
never be able to connect there, and definitely not by the 192.168.1.x
address. This is really basic, and since you had it working before I
think you know this, but just in case, private networks (192.168.x.x,
172.16.x.x, 10.x.x.x) cannot be accessed from the Internet, so a common
beginner mistake is to try to access 192.168.1.1 at home from work or a
library; it’ll never work without some other work to forward traffic from
a real address, or without being on the network itself.


Good luck.


Thanks a lot, nice writeup! It indeed does appear a lot like the computer is not on the same network from the outside (client).

When I scan the network with Fing (https://play.google.com/store/apps/details?id=com.overlook.android.fing&hl=en), it doesn’t see the computer at all, so I keep making sure it’s on the same network, but it is in the same /24 subnet, but ping doesn’t work either way. I tried pinging between my 2 androids, and that appears to work.

I took my other Android to play (the first is rooted, but worked with the laptop just fine before the upgrade), and that one can ping both the laptop and the rooted phone. So I tried to have a look what the laptop can see:


kachna@kachna:~> sudo nmap -sP 192.168.1.0/24
root's password:


Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-12 10:00 PST
Nmap scan report for 192.168.1.73
Host is up (0.012s latency).
MAC Address: 60:2A:D0:5F:A7:00 (Cisco Spvtg)
Nmap scan report for 192.168.1.74
Host is up (0.0099s latency).
MAC Address: 50:39:55:E8:8B:16 (Cisco Spvtg)
Nmap scan report for 192.168.1.75
Host is up (0.013s latency).
MAC Address: CC:0D:EC:03:F4:60 (Cisco Spvtg)
Nmap scan report for 192.168.1.79
Host is up (0.080s latency).
MAC Address: 08:FD:0E:EC:89:E9 (Samsung Electronics Co.)
Nmap scan report for 192.168.1.82
Host is up (-0.092s latency).
MAC Address: F8:0F:41:A6:6E:17 (Wistron InfoComm(ZhongShan))
Nmap scan report for 192.168.1.84
Host is up (0.042s latency).
MAC Address: A8:26:D9:53:01:B1 (HTC)
Nmap scan report for 192.168.1.254
Host is up (-0.093s latency).
MAC Address: A8:39:44:F6:10:28 (Actiontec Electronics)
Nmap scan report for 192.168.1.68
Host is up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 5.73 seconds
kachna@kachna:~> sudo nmap -sP 192.168.1.0/24


Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-12 10:00 PST
Nmap scan report for 192.168.1.64
Host is up (0.10s latency).
MAC Address: D8:B3:77:34:33:32 (HTC)
Nmap scan report for 192.168.1.73
Host is up (0.011s latency).
MAC Address: 60:2A:D0:5F:A7:00 (Cisco Spvtg)
Nmap scan report for 192.168.1.74
Host is up (0.021s latency).
MAC Address: 50:39:55:E8:8B:16 (Cisco Spvtg)
Nmap scan report for 192.168.1.75
Host is up (0.021s latency).
MAC Address: CC:0D:EC:03:F4:60 (Cisco Spvtg)
Nmap scan report for 192.168.1.79
Host is up (0.15s latency).
MAC Address: 08:FD:0E:EC:89:E9 (Samsung Electronics Co.)
Nmap scan report for 192.168.1.82
Host is up (0.020s latency).
MAC Address: F8:0F:41:A6:6E:17 (Wistron InfoComm(ZhongShan))
Nmap scan report for 192.168.1.254
Host is up (0.016s latency).
MAC Address: A8:39:44:F6:10:28 (Actiontec Electronics)
Nmap scan report for 192.168.1.68
Host is up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 4.28 seconds

Apparently it can see both the phones, but it seems when one is idle for a brief period of time, nmap doesn’t see it, not sure what that means, but considering the .84 can now SSH to the computer, I suspect the problem is elsewhere than the laptop? The .64 can, however, communicate with .84, so I have no idea why it couldn’t connect to .68 - the Suse laptop :(

Alright, I’ve done some TCPdump and I’m closer to concluding it’s an issue in the router, because I (192.168.1.68) am on the same router as 192.168.1.64, yet if I try to ping myself from that IP, there are no packets coming my way at all:


tcpdump -i wlp2s0 -n -nn -e host 192.168.1.64 -vvv
tcpdump: listening on wlp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Time to find that machine I suppose…

Just wanted to post a solution here, in case someone encounters this:

After further research I figured out there’s apparently something wrong with multicast on the network, with no apparent misconfiguration in the router nor anywhere else. Since the issue indeed turned out after OpenSuse upgrade, I figured the wl driver may have changed, so I’ve looked around for a different version.

The version that came with my 13.2 upgrade was

  • 6.30.223.141

And I’ve found

  • 6.30.223.248

In home:linux_salonica repo, which fixed the issue.

The broadcom card is 14e4:4365, or Broadcom Corporation BCM43142 802.11b/g/n (rev 01), if anyone’s interested!