Need SSH help

i’ve got a IPcop firewall at home with two SUSE boxes and one win box. from my win machine at work i can remotely ssh to the IPcop firewall through putty, no prob. just had to create a firewall rule. i’ve setup ultravnc to view my win box desktop remotely, no prob. i just had to setup a port forward firewall rule on the IPcop.

im now trying to log into one of my suse boxes through ssh. i created another firewall rule: port forward source port 12345 to the suse box’s ip, port 22. i get a connection time out. is there anything i need to setup on the suse box?

It sounds a bit ridiculous, but as you do not mention it, I have to ask the question: did you start the SSH daemon on the openSUSE box?

do you mean to allow ssh access? on my local network i can putty to the box. from the other suse box i can ssh through the terminal to the box.


I think he means

yast->system->system service: click on sshd: click enable


in the opensuse firewall did you allow ssh from external zones aswell as internal?

Also if you have a router it should forward port 22 to the local network IP of the suse computer.


Still this sounds like a firewalling issue , if the SuSEfirewall2 is still running on the target machine (which will not be needed behind the IPcop), turn it off, also check port forwarding in IPCop.

Yes, I meant using YaST to start ssh (now and on every boot) as Barry_Nichols points out.

But when you are able to use ssh from another system to this system that must be OK.

And @Barry_Nichols: no he need not to forward port 22 of the router to port 22 of his system, because he forwarded another (less obvious to the outside world) port (represented by 12345 in his first post) to port 22 on his system.

And at last yes, I support Akoellha advice to doublecheck and switch the SuSEfirewall2 off.

Henk, AFAIK :

port 12345 from the router should be forwarded to the IP of machine 1. On machine 1 in /etc/ssh/sshd_config the line

Port 22

should be changed to
Port 12345
Same on machine 2

Now from ‘work’ using ssh should look like this:

ssh homeIP -p 12345

This would land on machine 1. From machine 1 to machine 2 would be:

ssh machine2sIP

That’s all. If you mess with portnumbers being different on various stages of the routing that will likely bring you into trouble.

Mind, if you have the firewall running you’d have to open port 12345.

Hm, I thought port-translation (including NAT: from Internet to port 12345 on router, translate to port 22 on particular-system) is one of the things I have heard more often from. It keeps your internal ports standard. Can’t see problems with this principle. You can then even translate 12345 to 22 on system1 and 12346 to 22 on system2.

Can anyone tell us if this is not only a possible, but also often done, or am I talking nuts?

I am using this (even twice) to make a VM accessible via SSH, although it’s more “playing around”.

My VM (openSUSE_Factory in VirtualBox) runs SSH on port 22 via a NATed virtual interface.

As a normal user can not open ports < 1024 (and I don’t want to start the VM as root), I configured VirtualBox to redirect port 22 of the guest to port 12345 (just an example) of the host.

Locally I can ssh to the VM via port 12345.

In SuSEfirewall2 I redirect incoming traffic on port 22 to port 12345.

So if I ssh from outside to port 22, first SuSEfirewall2 (which is iptables “in the background” of course) redirects this to port 12345 and subsequently VirtualBox redirects this to port 22 in the VM.

Simple, but effective.

Maybe the description was confuding due to the fact, that I run openSUSE_Factory in VirtualBox on openSUSE 11.1 without mentioning it.

So it goes like this:

SSH via Port 22 from WWW => openSUSE 11.1 => Redirect of SuSEfirewall2 running on host openSUSE 11.1 from 22 (host) to 12345 (host) => Redirect from local port 12345 on host with VirtualBox (NAT) to => port 22 openSUSE_Factory (guest)

I also have another SSHD running on the host machine, which is on a non-standard port and “masked” by port-knocking.

(Yes, one of the ideas is to use the VM as a honeypot, “just for fun”.)

When I understand correctly what you explain, my understanding is that you are using the same mechanism (port forwarding with translation) but in your case the other way around. Not translating Internet to 12345 on the router into 22 on system1, but translating 22 on system into 12345 on virtualsystem. Which not only shows that it functions (but you have of course be aware of what port is what on what system), but also that it has more applications.

im trying to understand all this but im still learning. ok, just to get everything clear, the one suse box is my desktop (suse11) and the other suse box is my file server (also susse11). im having trouble logging into my file server from my office at work. so here’s what i’ve done so far: from my desktop, terminal>ssh file-server-ip -p 22. typed in the command
service sshd status
checking for service sshd running

just after my last post yesterday, i logged into my desktop from my file-server and vice versa. this morning, logged into my file-server from my desktop and issued the command:
rcSuSEfirewall2 stop
and the firewall was stopped. i tried again to log into the file-server through the port but no luck. my winbox and desktop (SUSE) receive addresses assigned by ipcop and ive created static addresses for them. but with the file-server i had to statically assign the ip address because it did not respond to the DHCP server. would that have anything to do with it?

The -p 22 is not needed there as it is the standard ssh port. When you can log in that proofs that the sshd is running, no need to see if the daemon runs.

I am not sure I can quite follow this, but you need a static IP adress in any case, else you do not know where to forward to.

Can I say in short:
. inside your LAN you can SSH from desktop to file-server and vv.
. you have configured a fowarding rule on your router that should forward traffic from the internet to your router port 12345 to file-server port 22.
. when you use some Redmond box on the internet to SSH to 12345 on the router this fails (even with SuSEFirewall2 on file-server switched off).

Is that correct?
I see two possible culprits here:

  1. your router, maybe it does not function as you think it does. I do not know the brand, maybe other can help you;
  2. the Redmond stuff you use. You seem quite confident it can function as a SSH client. As I know nothing of Redmond systems, I am afraid I can not comment on tthis.

thanks for the response. i’ve bridged my DSL router through to my IPcop firewall. all port forward and external access is configured on ipcop.

what do you mean by Redmond stuff?

Hash: SHA1

windows… microsoft is based in Redmond, Washington.

Good luck.

heinstein86 wrote:
> thanks for the response. i’ve bridged my DSL router through to my IPcop
> firewall. all port forward and external access is configured on ipcop.
> what do you mean by Redmond stuff?
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


Sorry, it is one of those ways to give a name to what a lot of people dare not speak out loud. lol!
It is as explained. I did not want to make my story more difficult to you and appologize.

no don’t worry. nothing to apologize for. ive converted from redmond to SUSE because of the endless troubles.

i use putty for the CLI interface to login to remote computers. just having trouble logging in to my file server - connection time out. can the NIC cause the time out?