Unable to ssh between two opensuse machines

I’m trying to ssh between my laptop and desktop but I keep getting connection refused.

  1. I opened port 22 (TCP) in both firewalls (source and destination)
  2. I also tried with both firewalls turned off
  3. I checked and openssh is installed

It won’t even ask for a password. What could be wrong?

No problem here.

Is the ssh server running?

It is running and I now have it working with the firewall off, but with the firewall on it doesn’t work!

In the firewall GUI, I went to “Custom Rules” and added the following rules (none work) for Internal network:

#The actual laptop ip destination port: 22 destination port: 22 source port 22

#Router IP destination port: 22 destination port: 22 source port: 22

#allow everything
0/0 destination port: 22
0/0 destination port: 22 source port: 22

#all in my network destination port: 22 destination port: 22 source port: 22

NONE of these rules has allowed ssh through!

Those rules are surely wrong. The source port and destination port won’t both be 22.

You should just be able to go into Yast Firewall

Select “Allowed Services”
Select the appropriate zone (it should be the zone that your network card is in, i.e. the network card that you expect to use for ssh). I think the external zone covers unassigned network cards.

Select “Secure Shell Server” in service to allow. Click “Add”.

I usually configure this during install. With the DVD installer (and, I think, the NET installer), the summary page has a place to click to enable ssh and to open the firewall. But I occasionally forget to do it there, and do it in firewall settings as described above.

Also using the -vvv option will add more info on what’s happening…

ssh -vvv <host>

I first tried with just destination as port 22 and it didn’t work, so I also tried the other way. Those are all the separate rules I tried, since nothing worked.

No, this doesn’t work for internal network. They’re all greyed out (and already under the “add” section, but greyed out). You can only do what you suggest for external.

Toward the bottom of that Yast firewall settings page, there is a box “Protect from internal zone”. You have to check that box before you can set anything. That’s probably why it is greyed out.

The default is no firewall protection.

It seems to follow that you are not actually using the internal zone. It is probably the external zone that matters.

The term “internal zone” is confusing. It is not referring to your LAN. Rather, it is referring to network connections received on an interface that is considered external. You cannot separate connections from the internet from connections from your LAN via internal/external, unless you have two interfaces.

If you are behind a NAT router and do not use IPv6, then you can probably just disable the firewall and depend on your NAT router to protect from the Internet. But that’s risky with IPv6, since NAT protection doesn’t work there.

I guess, but in external there’s no way (that I could see) to turn on ssh for just one IP or just the 192.168.1.x network. I don’t want it turned on for anyone else.

The firewall is blocking traffic on your netcard; the netcard has an IP…

So the firewall is on (laptop)?

Not sure what you’re referring to with netcard, what do you mean?

It’s not the laptop’s firewall. If I turn off the desktop firewall, everything works.

It’s the firewall on the server (the one running “sshd”) that matters. Outbound network traffic is always allowed because it is initiated locally.

I used to rely on tcpwrappers to limit inbound connections, so I left the firewall open for sshd. After libwrap support was removed, I continued to leave it open and got lots of breakin attempts from the Internet. But I’m allowing only publickey authentication, so I wasn’t seriously worried about those breakin attempts (they depend on password authentication and weak passwords). But they did add a lot of noise to the logs.

I no longer need to be able to connect from work, so I just closed down the port 22 forwarding on the NAT router. I don’t think I have seen any breakin attempts since then, though it is technically possible if the attacker uses IPv6.

How do I only open it to the internal network?

I think you could try your custom rule on the server in Yast again but omit the setting for the source port. E.g. for my (main) LAN, I would just have:

Source Network:
Protocol: TCP
Destination Port: 22

Alternatively, as is being suggested, you might be able to use your router to ensure requests can only come from within your LAN.

With NAT, I believe you have to specifically tell the router what to do with an incoming request (e.g. set up port forwarding), otherwise a port is effectively blocked by default.

As far as I understand it, with IPv6, you are looking at “direct connections”, ie. bypassing/no need for NAT. I’d have thought an IPv6 capable home router (mine is btw but I don’t have IPv6 ISP addresses yet) should allow you to have a firewall rule to block all incoming requests by default.

Whatever, it’s best to read your router’s documentation.

Turns out internal network does nothing. So adding the custom rule to external but pointed to my other computer’s internal ip (192.168.1.x) makes this work.
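As an added illustration (not code from the thread or from openSUSE), a small Python model of how a custom rule in the net,protocol,dport[,sport] form that YaST writes to FW_SERVICES_ACCEPT_EXT is matched against an inbound SSH connection. It assumes that documented field order; the client addresses and ports are constructed. It shows why a rule that pins the source port to 22 never matches a client's ephemeral source port, and how giving only the source network confines sshd to the 192.168.1.x LAN.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    net: str            # source network or single host, e.g. 192.168.1.0/24
    proto: str          # tcp or udp
    dport: int          # destination port on the server
    sport: Optional[int] = None   # source port; normally left unset


class Syn(NamedTuple):
    """The first packet of an inbound TCP connection, as the server firewall sees it."""
    src: str
    proto: str
    sport: int
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse one FW_SERVICES_ACCEPT_EXT entry: net,protocol,dport[,sport]."""
    fields = text.split(",")
    net, proto, dport = fields[0].strip(), fields[1].strip(), int(fields[2])
    sport = int(fields[3]) if len(fields) > 3 and fields[3].strip() else None
    if net == "0/0":                      # SuSEfirewall2 shorthand for "anywhere"
        net = "0.0.0.0/0"
    return Rule(net, proto, dport, sport)


def matches(rule: Rule, pkt: Syn) -> bool:
    """True if the packet satisfies every field the rule specifies."""
    if rule.proto != pkt.proto or rule.dport != pkt.dport:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False      # this is what defeats every "source port 22" rule
    # strict=False lets a bare host address such as 192.168.1.10 act as a /32
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.net, strict=False)


def accepted(rules, pkt: Syn) -> bool:
    """The connection is let through if any accept rule matches it."""
    return any(matches(r, pkt) for r in rules)


# Constructed samples: a LAN client and an Internet client, both using
# ephemeral source ports as real SSH clients do.
LAN_CLIENT = Syn("192.168.1.20", "tcp", 51234, 22)
INTERNET_CLIENT = Syn("203.0.113.7", "tcp", 40000, 22)

BROKEN_RULE = parse_rule("0/0,tcp,22,22")          # demands source port 22: never matches
OPEN_RULE = parse_rule("0/0,tcp,22")               # works, but admits the whole Internet
LAN_ONLY_RULE = parse_rule("192.168.1.0/24,tcp,22")  # what the thread ends up wanting
```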