To sync two servers I've connected them directly over a second ethernet port and set fixed IPv4 addresses. The two servers can ping each other and are routed correctly:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.111.1 0.0.0.0 UG 0 0 0 eth0
10.10.10.8 * 255.255.255.252 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
192.168.111.0 * 255.255.255.224 U 0 0 0 eth0
# ip route
default via 192.168.111.1 dev enp2s0 metric 203
10.10.10.8/30 dev enp1s0 proto kernel scope link src 10.10.10.8
192.168.111.0/27 dev enp2s0 proto kernel scope link src 192.168.111.8 metric 203
I want to set up an rsync between the two, so I test an ssh, but am unable to connect and get timeouts.
What do I do wrong, or is there another way to directly transfer/sync between two PCs over a dedicated ethernet connection?
Last edited by theking2 (2015-12-19 13:07:02)
archlinux on a Gigabyte C1037UN-EU, 16GiB
a Promise PDC40718 based ZFS set
root on a Samsung SSD PB22-J
running LogitechMediaServer(-git), Samba, MiniDLNA, TOR
Do you have sshd installed and configured correctly? Any software firewall in use?
You can try running nmap from one machine to see what TCP ports show as open on the other.
I can connect to both machines over their first ethernet port. The two auxiliary ports were configured with fixed IP addresses. Routing seems fine as they both see each other. Not sure if any additional ssh configuration is needed though.
Your SSH daemon might be listening on only one interface. Use nmap from the client as I suggested earlier to see if the port is open on the second interface or ss -tuna on the machine with the SSH daemon running to see what interfaces/ports it's listening on.
It also could be the firewall if you have it installed.
I assume eth1 / 10.10.10.8/24 is the second interface and subnet?
What is the output of the following commands on both machines?
ip a s
ss -tnlp | grep sshd
iptables-save
(Use code tags when posting results!)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
link/ether fc:aa:14:97:d8:42 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.8/32 scope global enp1s0
valid_lft forever preferred_lft forever
inet 10.10.10.8/30 brd 10.10.10.11 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe97:d842/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
link/ether fc:aa:14:97:d8:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.8/27 brd 192.168.111.31 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe97:d840/64 scope link
valid_lft forever preferred_lft forever
# ss -tnlp | grep sshd
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1532,fd=3))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=1532,fd=4))
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Dec 8 23:03:48 2015
*filter
:INPUT ACCEPT [8268753:1299132704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12525645:47499212443]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A sshguard -s 193.104.41.54/32 -j DROP
-A sshguard -s 27.76.224.116/32 -j DROP
-A sshguard -s 113.175.15.239/32 -j DROP
-A sshguard -s 103.243.107.56/32 -j DROP
-A sshguard -s 43.229.53.57/32 -j DROP
-A sshguard -s 59.45.79.39/32 -j DROP
-A sshguard -s 43.229.53.53/32 -j DROP
-A sshguard -s 43.229.53.20/32 -j DROP
COMMIT
# Completed on Tue Dec 8 23:03:48 2015
Try to connect from one machine to the other via the direct link with
ssh -vvv
and post the output.
> Try to connect from one machine to the other via the direct link with
> ssh -vvv
> and post the output.
$ ssh -vvv 10.10.10.10
OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015
debug1: Reading configuration data /home/j/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.10.10 [10.10.10.10] port 22.
debug1: connect to address 10.10.10.10 port 22: Connection timed out
ssh: connect to host 10.10.10.10 port 22: Connection timed out
As I can connect from server A to server B and vice versa over their main IP or host, I do not expect a port blocking issue.
Last edited by theking2 (2015-12-09 14:46:16)
> Your SSH daemon might be listening on only one interface. Use nmap from the client as I suggested earlier to see if the port is open on the second interface or ss -tuna on the machine with the SSH daemon running to see what interfaces/ports it's listening on.
ss -tuna | grep :22
tcp LISTEN 0 128 *:22 *:*
tcp ESTAB 0 64 192.168.111.8:22 212.117.124.138:63278
tcp ESTAB 0 0 192.168.111.8:22 192.168.111.23:61406
tcp ESTAB 0 0 192.168.111.8:50030 185.82.216.164:22
tcp ESTAB 0 0 192.168.111.8:22 192.168.111.23:56010
tcp ESTAB 0 0 192.168.111.8:55772 23.238.17.229:22
tcp LISTEN 0 128 :::22 :::*
So I think it is listening on all interfaces (??)
Last edited by theking2 (2015-12-11 19:05:25)
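To make the "what is sshd bound to" check concrete, here is an added Python example (not from the thread): it parses LISTEN lines in the shape of `ss -tnlp` and `ss -tuna` output (the sample lines are constructed, modelled on the output above) and reports whether a connection to a given local IP and port would reach a bound socket.

```python
import ipaddress

# Constructed sample lines in the shape of `ss -tnlp | grep sshd` and
# `ss -tuna | grep :22` (modelled on the thread, not copied from it).
# Case A: sshd bound to the wildcard addresses, as in the poster's output.
SS_WILDCARD = """\
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1532,fd=3))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=1532,fd=4))
"""
# Case B: sshd_config carries `ListenAddress 192.168.111.8` only, so the
# daemon never binds the 10.10.10.x address of the direct link.
SS_PINNED = """\
tcp LISTEN 0 128 192.168.111.8:22 *:*
tcp ESTAB 0 0 192.168.111.8:22 192.168.111.23:61406
"""

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN socket in ss output.

    Works for both `ss -tnl` (state first) and `ss -tuna` (netid first)
    by locating the LISTEN token and taking the local address after it.
    """
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        local = fields[fields.index("LISTEN") + 3]
        addr, _, port = local.rpartition(":")
        yield addr.strip("[]"), int(port)

def accepts(ss_output, target_ip, port=22):
    """True if some LISTEN socket on `port` would accept a connection
    addressed to `target_ip`: a wildcard socket of the same IP family,
    or a socket bound to exactly that address.  Otherwise the kernel
    answers with a RST and the client sees "Connection refused"."""
    target = ipaddress.ip_address(target_ip)
    for addr, p in parse_listeners(ss_output):
        if p != port:
            continue
        if addr == "*" and target.version == 4:
            return True   # 0.0.0.0:22, any local IPv4 address
        if addr == "::" and target.version == 6:
            return True   # [::]:22; OpenSSH sets IPV6_V6ONLY, so IPv6 only
        if addr not in ("*", "::") and ipaddress.ip_address(addr) == target:
            return True
    return False

if __name__ == "__main__":
    for ip in ("192.168.111.8", "10.10.10.8"):
        print(ip, "wildcard:", accepts(SS_WILDCARD, ip),
              "pinned:", accepts(SS_PINNED, ip))
```

A "Connection refused" means the SYN reached a host with no listener on that address, while a timeout means it was never answered (dropped by a firewall, wrong route, or wrong address), so the two symptoms point at different layers.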
> Do you have sshd installed and configured correctly? Any software firewall in use?
> You can try running nmap from one machine to see what TCP ports show as open on the other.
# nmap -v -sn 10.10.10.8/30
Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-09 15:54 CET
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 0.02s elapsed
Nmap scan report for 10.10.10.8
Host is up.
Initiating ARP Ping Scan at 15:54
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 15:54, 0.23s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 15:54
Completed Parallel DNS resolution of 3 hosts. at 15:54, 0.05s elapsed
Nmap scan report for 10.10.10.9 [host down]
Nmap scan report for 10.10.10.10
Host is up (0.00016s latency).
MAC Address: 00:08:9B:EA:79:76 (ICP Electronics)
Nmap scan report for 10.10.10.11 [host down]
Read data files from: /usr/bin/../share/nmap
Nmap done: 4 IP addresses (2 hosts up) scanned in 0.36 seconds
Raw packets sent: 5 (140B) | Rcvd: 1 (28B)
Last edited by theking2 (2015-12-09 14:55:12)
> ...The two servers can ping each other and are routed correctly:
> ... 10.10.10.8/30 dev enp1s0 proto kernel scope link src 10.10.10.8 ...
I don't think that is correct. The *.*.*.8 requires 3 bits, does it not?
I think this means the routing prefix is 10.10.10.8 and the address on that subnet is *.*.*.0
With two bits (32-30) you have four addresses on the subnet. Eliminate the broadcast address and that leaves room for two machines on the network.
This may be what you want and I could be confused. I am still on my first cup of coffee this morning.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
From 10.10.10.8:
$ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.10.10.10: icmp_seq=3 ttl=64 time=0.194 ms
64 bytes from 10.10.10.10: icmp_seq=4 ttl=64 time=0.179 ms
64 bytes from 10.10.10.10: icmp_seq=5 ttl=64 time=0.198 ms
from 10.10.10.10:
# ping 10.10.10.8
PING 10.10.10.8 (10.10.10.8): 56 data bytes
64 bytes from 10.10.10.8: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from 10.10.10.8: icmp_seq=1 ttl=64 time=0.2 ms
64 bytes from 10.10.10.8: icmp_seq=2 ttl=64 time=0.1 ms
^C
--- 10.10.10.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
I'd like to restrict the network to just the two IPs, but one of the servers insists on a gateway (which is technically not required on a two-peer network).
10.10.10.8/30 is not a valid address. You've set the broadcast address for the /30 to your adapter. The other end can't deal with that. Change it to 10.10.10.9 (or expand to a /29)
> 10.10.10.8/30 is not a valid address. You've set the broadcast address for the /30 to your adapter. The other end can't deal with that. Change it to 10.10.10.9 (or expand to a /29)
On this subnet I don't require a broadcast address (it is essentially a 4-host subnet). But you gave me a hint to check. On 10.10.10.10 I see
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP qlen 1000
link/ether 00:08:9b:ea:79:76 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.10/30 brd 10.10.10.11 scope global eth1
valid_lft forever preferred_lft foreve
On 10.10.10.8 I see
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
link/ether fc:aa:14:97:d8:42 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.8/30 brd 10.10.10.11 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe97:d842/64 scope link
In both cases the brd is 10.10.10.11, so I believe I'm safe here. Thanks for pointing this out though! I do teach network management, but I'm not sure if a broadcast address is in fact a requirement. In fact I only need a 2-host subnet, but the NAS server configuration interface doesn't allow me to create a /31 subnet, for probably good reasons.
Oh, and btw I mentioned that both servers can ping each other, so on the transport layer everything is in order. I suspect a problem higher up.
Basically my question would be: what do I need to change in sshd to make it listen on the other interface/IP as well?
Last edited by theking2 (2015-12-11 19:04:39)
Sorry, typo on my behalf. You've set the network address, which still is not valid for the same reason you can't use a /31 -- you need the network and broadcast address, even for a 2 host subnet.
> Sorry, typo on my behalf. You've set the network address, which still is not valid for the same reason you can't use a /31 -- you need the network and broadcast address, even for a 2 host subnet.
Still, if it is pingable I don't believe there to be a problem. The network ID is just a convention. Nothing stops you from actually using the address. But for the sake of argument I've added the address to the interface with
ip addr add 10.10.10.9 dev enp1s0
$ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
link/ether fc:aa:14:97:d8:42 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.8/30 brd 10.10.10.11 scope global enp1s0
valid_lft forever preferred_lft forever
inet 10.10.10.9/32 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe97:d842/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
link/ether fc:aa:14:97:d8:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.8/27 brd 192.168.111.31 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe97:d840/64 scope link
valid_lft forever preferred_lft forever
and on 10.10.10.10 I witness this:
[~] # ping 10.10.10.9
PING 10.10.10.9 (10.10.10.9): 56 data bytes
64 bytes from 10.10.10.9: icmp_seq=0 ttl=64 time=0.4 ms
64 bytes from 10.10.10.9: icmp_seq=1 ttl=64 time=0.3 ms
^C
--- 10.10.10.9 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.4 ms
[~] # ssh j@10.10.10.9
ssh: connect to host 10.10.10.9 port 22: Connection refused
[~] #
Ping is working (OSI up to TCP) but ssh is not.
EDIT: having said that...
I've reconfigured both servers to
ip addr add 10.10.10.10/31 on one
and
ip addr add 10.10.10.11/31 on the other
After that, I was able to not only connect from 10.10.10.11 to 10.10.10.10 over ssh but also start an rsync session to sync the two! Yo!
The reason I'd like to use 10.10.10.8 and 10.10.10.10 is that they neatly coalesce with 192.168.111.8 and 192.168.111.10, which are their prime addresses. As they are four bits apart I require a 4-host subnet. Putting them in a 2-host /31 subnet seems to have solved the problem. Although 10.10.10.10 (NAS) still insists it cannot connect to 10.10.10.11 (Arch) with ssh, that probably is due to the fact that it requires a client certificate to log on.
Last edited by theking2 (2015-12-12 14:14:48)
OK, there were a number of things I hadn't thought of and some things I've learned.
1) If one experiments with the ip address of a ssh host, it is important to also update them in /etc/ssh/sshd_config. I had added
ListenAddress 10.10.10.8
here, but changing the host IP address obviously needs to be reflected in sshd_config as well. I simply forgot about that. After I added both listen addresses 10.10.10.8 and 10.10.10.9 to sshd_config I was able to experiment.
2) Indeed the first address in a subnet cannot be used, for some odd reason. I remember the original Windows TCP stack used it as an alternative broadcast address, very much against any rules that existed at the time. There is one exception: in a /31 subnet, mask 255.255.255.254 with consequently only two hosts, one can use the first and last address, as they are the only addresses that are available. So I could configure 10.10.10.8/31 in one host and 10.10.10.9/31 in the other and connect the two.
As one host already had public IP 192.168.111.10 and I wanted to coalesce the private address 10.10.10.10, and the second 192.168.111.8 coalescing with 10.10.10.8, I could not define a two-host subnet which covers the two addresses.
Theoretically, and explicitly mentioned in RFC 950, it would be possible to use a mask of 255.255.255.253 which allows two and only two addresses, 10.10.10.8 and 10.10.10.10. For some odd, non-compliant reason the ip command dismisses netmask 255.255.255.253 as garbage.
# ip addr add 10.10.10.10 netmask 255.255.255.253 dev eth1
Error: either "local" is duplicate, or "netmask" is a garbage.
Last edited by theking2 (2015-12-19 13:32:53)
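Working through the subnet arithmetic behind the last two points, as an added Python example that is not part of the thread: it computes which addresses of a /30 or /31 are usable hosts, flags the network and broadcast address (the /30 and /31 rules follow RFC 950/1122 and RFC 3021), and shows that a non-contiguous mask such as 255.255.255.253 is rejected by the standard library just as ip(8) rejects it.

```python
import ipaddress

def classify(addr_with_prefix):
    """Return the subnet facts for an address/prefix such as "10.10.10.8/30".

    For /30 and shorter prefixes the first address is the network address
    and the last is the broadcast address, neither usable by a host.
    For /31 (RFC 3021) and /32 every address in the block is usable.
    """
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen >= 31:
        usable = range(first, last + 1)
        role = "host"
    else:
        usable = range(first + 1, last)
        if iface.ip == net.network_address:
            role = "network"
        elif iface.ip == net.broadcast_address:
            role = "broadcast"
        else:
            role = "host"
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable": [str(ipaddress.ip_address(i)) for i in usable],
        "role": role,
    }

def peers_can_share(a, b):
    """True when both address/prefix assignments are usable host addresses
    of the same subnet, which is what a direct point-to-point link needs."""
    ca, cb = classify(a), classify(b)
    return ca["network"] == cb["network"] and ca["role"] == "host" == cb["role"]

def mask_is_contiguous(mask):
    """ip(8) and the ipaddress module accept only contiguous masks; the
    RFC 950 non-contiguous mask 255.255.255.253 raises a ValueError."""
    try:
        ipaddress.ip_network("0.0.0.0/" + mask)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for pair in (("10.10.10.8/30", "10.10.10.10/30"),
                 ("10.10.10.9/30", "10.10.10.10/30"),
                 ("10.10.10.10/31", "10.10.10.11/31")):
        print(pair, classify(pair[0])["role"], peers_can_share(*pair))
```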