External port access, ssh or cockpit

Hi,
I recently installed Fedora Server, and when I try to access cockpit or connect over ssh using the local network, everything works just fine.
But when I try to access the server over the external IP, the connection is refused.

When I check the port with nmap I get

$ sudo nmap -p9090 visor1933-server
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 02:04 CEST
Nmap scan report for visor1933-server (192.168.178.22)
Host is up (0.0027s latency).

PORT     STATE SERVICE
9090/tcp open  zeus-admin

and

$ sudo nmap -p9090 95.90.245.99
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 02:04 CEST
Nmap scan report for ip5f5af563.dynamic.kabel-deutschland.de (95.90.245.99)
Host is up (0.024s latency).

PORT     STATE    SERVICE
9090/tcp filtered zeus-admin

I tried to play around with the firewall, but had no success and couldn't find information on how to solve the issue by googling.

I want cockpit and ssh to be accessible over the external IP. Please help.

Also, if it helps, the outputs of the following commands are as follows:

[root@visor1933-server ~]# ss -lt
State                 Recv-Q                Send-Q                                Local Address:Port                                  Peer Address:Port                Process                
LISTEN                0                     128                                         0.0.0.0:ssh                                        0.0.0.0:*                                          
LISTEN                0                     4096                                              *:websm                                            *:*                                          
LISTEN                0                     128                                            [::]:ssh                                           [::]:*                                          
[root@visor1933-server ~]# netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1185/sshd           
tcp6       0      0 :::9090                 :::*                    LISTEN      1/systemd           
tcp6       0      0 :::22                   :::*                    LISTEN      1185/sshd           
[root@visor1933-server ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 1844 packets, 158K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1306 packets, 255K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@visor1933-server ~]# firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

A default Fedora installation shouldn't block traffic from outside of your home network. I don't believe there is any real difference out of the box between the "home" zone and the "public" zone (meaning, that the "home" zone isn't automatically more secure, nor does it block any networks that public does not). You can create that behavior by adding subnets (sources) to various zones and opening ports accordingly, which will then allow or block ports based on subnet. Is it safe to assume that "home" is your only active zone? If so, then it looks like those ports are open to all subnets.

That being said, I don't really see anything that seems to point to the problem being with your Fedora system. I would look more closely at the port forwarding rules on your router. What type of router do you have? While this isn't really the forum for support for whatever router you have, including some more information about your router and how you set up port forwarding might help narrow down the problem.

1 Like
sudo dnf install tcpdump
sudo tcpdump -n -i any tcp port 9090

Then try to connect from outside while monitoring the output.

I disagree. The home network (zone) is automatically more open than the public zone. Communications from the local LAN are more trusted than from the WAN so there are a lot more ports open there. Simply look at the filtering rules to see that.
IIRC you have to explicitly allow access from any location outside the LAN. Outgoing connections – no problem. Incoming connections – most if not all are blocked by default.

Thus the request for a tcpdump by @vgaetera

2 Likes