  1.    #1  
    I've been trying to ssh OUT to a remote network via the novacom interface, but I keep getting an error.
    Code:
    ssh: connect to host <hostname> port 22: No route to host
    I ruled out dns issues with ping and traceroute.

    Then I moved on to iptables, but a quick look at the chain shows nothing unusual.
    Code:
    palm-webos-device ~ # /usr/sbin/iptables -S
    -P INPUT DROP
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N ALLOWED_PACKETS
    -N ICMPFLOOD
    -N INVALID_PACKETS
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -i lo -j ALLOWED_PACKETS 
    -A INPUT -s 127.0.0.0/8 -i ! lo -j INVALID_PACKETS 
    -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
    -A INPUT -i bridge0 -p tcp -m tcp --dport 4444:4445 -j DROP 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m limit --limit 1/sec -m icmp --icmp-type 0 -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m limit --limit 1/sec -m icmp --icmp-type 3 -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m icmp --icmp-type 4 -m state --state NEW -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m limit --limit 1/sec -m icmp --icmp-type 4 -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m icmp --icmp-type 5 -m state --state NEW -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m limit --limit 1/sec -m icmp --icmp-type 5 -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD 
    -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ALLOWED_PACKETS 
    -A INPUT -p icmp -m limit --limit 1/sec -m icmp --icmp-type 11 -j ALLOWED_PACKETS 
    -A INPUT -p tcp -m tcp --dport 5353 -j ALLOWED_PACKETS 
    -A INPUT -p udp -m udp --dport 5353 -j ALLOWED_PACKETS 
    -A INPUT -p tcp -m tcp --dport 3689 -j ALLOWED_PACKETS 
    -A INPUT -p udp -m udp --dport 3689 -j ALLOWED_PACKETS 
    -A INPUT -p tcp -m tcp --tcp-flags RST RST -j ALLOWED_PACKETS 
    -A INPUT -m limit --limit 3/sec -j LOG --log-prefix "IPT_PACKET_DROPPED_NO_MATCH: " --log-level 7 
    -A INPUT -j QUEUE 
    -A FORWARD -m state --state INVALID -j INVALID_PACKETS 
    -A ALLOWED_PACKETS -j ACCEPT 
    -A ICMPFLOOD -m recent --set --name ICMP --rsource 
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --rsource -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "IPT_ICMPFLOOD: " 
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --rsource -j DROP 
    -A ICMPFLOOD -j ALLOWED_PACKETS 
    -A INVALID_PACKETS -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "IPT_INVALID_PACKETS_DROPPED: " 
    -A INVALID_PACKETS -j DROP
    Does Sprint block traffic on port 22?
  2. #2  
    Quote Originally Posted by lamawithonel View Post
    Does Sprint block traffic on port 22?
    It could be, mine has always connected fine (Telcel, GSM).
    Have you tried over WiFi?
  3.    #3  
    I have tried that. I can ssh to anything in the local network. I haven't tried anything outside since my wifi network is behind the ssh gateway I want to access via EvDO.
  4. #4  
    "no route to host" denotes a routing issue, as you might guess. There's no firewall involved. You'd get a different error with a firewall.

    If you're on WIFI you should see three default routes:
    Code:
    palm-webos-device / # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
    192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 usb0
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 usb0
    10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 eth0
    0.0.0.0         10.64.64.64     0.0.0.0         UG        0 0          0 ppp0
    0.0.0.0         192.168.0.200   0.0.0.0         UG        0 0          0 usb0
    That's for WiFi (eth0), USB (usb0) and radio (ppp0). The WiFi IPs are likely to be different for you. Three default routes are perfectly legal and should work.

    You can reach directly connected networks (e.g. your local network) without
    problems. When it comes to remote networks there CAN be issues, but normally you should be fine.

    You even should reach remote hosts via WiFi (eth0):
    Code:
    palm-webos-device / # ping -I eth0 www.precentral.net
    PING www.precentral.net (166.70.171.119): 56 data bytes
    64 bytes from 166.70.171.119: seq=0 ttl=47 time=171.936 ms
    64 bytes from 166.70.171.119: seq=1 ttl=47 time=194.001 ms
    AND radio (ppp0);
    Code:
    palm-webos-device / # ping -I ppp0 www.precentral.net
    PING www.precentral.net (166.70.171.119): 56 data bytes
    64 bytes from 166.70.171.119: seq=1 ttl=51 time=759.948 ms
    64 bytes from 166.70.171.119: seq=0 ttl=51 time=1761.627 ms
    Radio (3G in my case) is obviously much slower...

    So first of all check your routing.
    Last edited by WalterH; 05/07/2010 at 03:42 AM.
  5. #5  
    Quote Originally Posted by lamawithonel View Post
    I have tried that. I can ssh to anything in the local network. I haven't tried anything outside since my wifi network is behind the ssh gateway I want to access via EvDO.
    You can always remove the default route via eth0. Then your Pre has no choice but to use radio for remote networks.
    Code:
    palm-webos-device / # route del default gw 10.1.1.1
    Change the IP according to your setup. Check my post above "netstat -rn".
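The routing check from posts #4 and #5, as an added example that is not part of the original thread: a longest-prefix match over the `netstat -rn` rows shown above, listing every interface whose route ties for a destination. The function names, the on-link test address 10.1.1.50 and the `NO_WIFI_DEFAULT` variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed input: the `netstat -rn` rows from post #4, header lines removed.
ROUTES='10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 usb0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 usb0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
0.0.0.0 192.168.0.200 0.0.0.0 UG 0 0 0 usb0'

# Dotted quad -> 32-bit integer (hypothetical helper).
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# candidates DST [TABLE]: interfaces of all routes that match DST with the
# longest netmask. More than one name means the prefixes alone do not decide.
candidates() {
    dst=$(ip2int "$1"); best=-1; out=
    while read -r net gw mask flags mss win irtt ifc; do
        [ -n "$ifc" ] || continue
        m=$(ip2int "$mask"); n=$(ip2int "$net")
        [ $(( $dst & $m )) -eq "$n" ] || continue
        if [ "$m" -gt "$best" ]; then best=$m; out=$ifc
        elif [ "$m" -eq "$best" ]; then out="$out $ifc"
        fi
    done <<EOF
${2:-$ROUTES}
EOF
    echo "$out"
}

# Post #5's change: the same table without the default route via eth0.
NO_WIFI_DEFAULT=$(printf '%s\n' "$ROUTES" | grep -v '^0\.0\.0\.0 .* eth0$')

candidates 166.70.171.119                      # remote host from the ping above
candidates 10.1.1.50                           # on-link WiFi address (constructed)
candidates 166.70.171.119 "$NO_WIFI_DEFAULT"   # after route del default gw 10.1.1.1
```

The remote host ties across all three default routes, and the table as printed carries no metric column to break the tie; deleting the eth0 default narrows the candidates to ppp0 and usb0.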
  6.    #6  
    Yup, tried that too. Like I said, ping and traceroute to the same address work. I've seen this kind of error on other computers behind institutional firewalls. In fact, the computer I'm using to novaterm into my phone is one of them.

    I think I might have to set up an HTTP proxy on my gateway/firewall server, then corkscrew where needed.
  7. #7  
    Quote Originally Posted by lamawithonel View Post
    Yup, tried that too. Like I said, ping and traceroute to the same address work. I've seen this kind of error on other computers behind institutional firewalls. In fact, the computer I'm using to novaterm into my phone is one of them.

    I think I might have to set up an HTTP proxy on my gateway/firewall server, then corkscrew where needed.
    Ah, sorry, didn't read that. A working PING but non-working SSH can have lots of different reasons. Firewalls can be one of them.

    Maybe the computer you like to reach is behind a NAT gateway and simply turned off. The pings are from the gateway in that case... could be - and that's just one possible reason.

    You could check the packets at IP level with tcpdump/wireshark. tcpdump is available via ipkg-opt (optware feed).
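One way to read the capture suggested above, as an added example that is not part of the original thread: a classifier over `tcpdump -n` text that reports what came back for the SYNs sent to the SSH port. On Linux, an ICMP host-unreachable or admin-prohibited reply to the SYN makes connect() fail with EHOSTUNREACH, which ssh prints as "No route to host". The function name, result labels and capture lines are constructed, using documentation addresses.

```shell
#!/bin/sh
# classify_capture DST PORT: read `tcpdump -n` text on stdin and report what
# came back for the SYNs sent to DST:PORT (hypothetical helper).
# Example on the device, with the interface taken from the routing table:
#   tcpdump -n -i ppp0 -c 20 'tcp port 22 or icmp' | classify_capture <ip> 22
classify_capture() {
    awk -v dst="$1" -v port="$2" '
        index($0, "> " dst "." port ":") && /Flags \[S\]/      { syn++ }
        index($0, "IP " dst "." port " >") && /Flags \[S\.\]/  { synack++ }
        index($0, "IP " dst "." port " >") && /Flags \[R/      { rst++ }
        # ICMP destination-unreachable naming the target; remember its sender.
        /ICMP/ && /unreachable/ && index($0, " " dst " ") {
            from = $0; sub(/^.*IP /, "", from); sub(/ >.*/, "", from); icmp++
        }
        END {
            if (!syn)        print "no-syn-seen"
            else if (synack) print "handshake-ok"
            else if (rst)    print "refused-by-target"
            else if (icmp)   print "icmp-unreachable-from " from
            else             print "no-reply"
        }'
}

# Constructed capture: ping is answered, but a hop rejects the SYN to port 22.
FILTERED='12:00:00.100000 IP 10.64.64.65 > 203.0.113.10: ICMP echo request, id 1, seq 0, length 64
12:00:00.300000 IP 203.0.113.10 > 10.64.64.65: ICMP echo reply, id 1, seq 0, length 64
12:00:05.000000 IP 10.64.64.65.40112 > 203.0.113.10.22: Flags [S], seq 1000, win 5840, length 0
12:00:05.200000 IP 198.51.100.1 > 10.64.64.65: ICMP host 203.0.113.10 unreachable - admin prohibited filter, length 68'

# Constructed capture: ping is answered, SYNs are retransmitted, nothing returns.
DROPPED='12:00:00.100000 IP 10.64.64.65 > 203.0.113.10: ICMP echo request, id 1, seq 0, length 64
12:00:00.300000 IP 203.0.113.10 > 10.64.64.65: ICMP echo reply, id 1, seq 0, length 64
12:00:05.000000 IP 10.64.64.65.40112 > 203.0.113.10.22: Flags [S], seq 1000, win 5840, length 0
12:00:08.000000 IP 10.64.64.65.40112 > 203.0.113.10.22: Flags [S], seq 1000, win 5840, length 0'

printf '%s\n' "$FILTERED" | classify_capture 203.0.113.10 22
printf '%s\n' "$DROPPED"  | classify_capture 203.0.113.10 22
```

The capture filter is `tcp port 22 or icmp` rather than `host <ip>` because the ICMP error comes from the rejecting hop's address, not from the target.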
  8. #8  
    I have the same problem - the (probably wrong) way I solve it is switch to developer mode prior to making the outbound request. Dunno why it's necessary - but that fixes it for me.
