On Thu, Nov 05, 2009 at 10:03:33PM +0000, Brett Parker wrote:
> > *BUT* ssh from outside doesn't work, no response at all, it just times out. ssh from inside works fine. I've tried winding up debug to maximum on ssh but it hasn't told me anything. I've stared intently at the port forwarding, NAT and firewall set-up on the 2820n and it all seems correct. Oh, and I can 'ping 81.158.147.90' OK from the outside.
> > I'm stumped, any ideas for how to diagnose this?
> The packets are going back out the wrong route, and so getting dropped. (this makes the assumption that the default route is via the other router)... so, you'll need to do funkeh routing. Without actually thinking about the issue, I can't offer an easy solution... but if I get a chance in a bit I'll do some tests with a bunch of vms ;)
> I think all you're going to need to do though is something like (on the machine that is accepting the ssh):
>
>   ip route add default via <2wiresip> table 10
>   iptables -t mangle -A OUTPUT --proto tcp --source-port 22 -j MARK --set-mark 1
>   ip rule add fwmark 1 table 10
>
> But that's guess work... should work though, probably.
Typically, after (or perhaps because of) explaining it all I hit on a solution, or at least a way to get to one. I turned the firewall off (not for long!) and it worked. So I have been removing and adding firewall rules one by one to find the culprit. It's something subtle to do with having two firewall rules for the same TCP port number but I can at least get it to work now without relaxing the firewall rules all that much and I think with a little further experimentation I'll have it tied down tightly again.
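Brett's mark-based policy routing, written out as a script so it can be applied, checked and reverted (an added example, not the commands from the thread); the gateway address 192.168.1.254, interface eth0, table 10 and mark 1 are assumed placeholders. The mark is set in the mangle OUTPUT chain, which is where the host's own ssh replies pass, and DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Brett's commands: reply-path policy routing for a host
# with two routers on its LAN. Connections that arrive through the 2wire are
# answered via the 2wire instead of the host's default gateway.
# Assumed placeholders: the 2wire's LAN address, the LAN interface, routing
# table 10 and firewall mark 1. Adjust before running as root.
GW_2WIRE=192.168.1.254
LAN_IF=eth0
TABLE=10
MARK=1
SSH_PORT=22

# With DRY_RUN set the commands are printed, not executed (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_reply_routing() {
    # Table 10 has a single default route: out via the 2wire.
    run ip route replace default via "$GW_2WIRE" dev "$LAN_IF" table "$TABLE"
    # Replies from the ssh daemon are locally generated, so they pass the
    # mangle OUTPUT chain (not PREROUTING). Mark them by source port.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$SSH_PORT" \
        -j MARK --set-mark "$MARK"
    # Marked packets consult table 10 before the main table.
    run ip rule add fwmark "$MARK" table "$TABLE"
}

teardown_reply_routing() {
    run ip rule del fwmark "$MARK" table "$TABLE"
    run iptables -t mangle -D OUTPUT -p tcp --sport "$SSH_PORT" \
        -j MARK --set-mark "$MARK"
    run ip route flush table "$TABLE"
}

# After setup, show which gateway a marked reply would really take; the
# output should name the 2wire as the gateway (needs root and real interfaces).
check_reply_route() {
    ip route get 8.8.8.8 mark "$MARK"
}

# Only ssh is covered: every other forwarded port needs its own --sport rule
# (or a CONNMARK-based rule keyed on the arriving router's MAC address).
```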