Re: Dropping SSH connections over the internet

On Fri, Jan 11, 2008 at 02:11:53PM -0700, Smoot Carl-Mitchell wrote:

Packet corruption will not cause this. The offending packet will be
dropped by the receiving TCP. (the packet data is checksummed). If you
have an intervening network device which also maintains connection state
which goes south, then the connection will drop. For example a NATing
router which loses its connection state will cause the end to end TCP
connection to drop. This is true for routers which do port NATing where
the incoming connection port gets mapped to another port on the outbound
side to preserve port uniqueness on the outbound side of the connection.
The router has to maintain a list of used ports as each connection gets
NATed to the outbound IP address. If it loses this port mapping, you
will lose the state of the end-to-end TCP connection.

This is probably the answer though I don't know about the port
mapping aspect. There is definitely a router doing NAT that takes me
through the company firewall.

Suppose you start an SSH connection from an internal IP to
external site The connection address will be:

<TCP,, 50000,, 22)

where 50000 is an arbitrary source port. In practice it may be different
depending on the algorithm used to select unused source ports.

When the packet hits the NATing router it will translate the connection
to, say:

<TCP<, 28000,, 22)

where is the address of the outbound interface on the router
and 2800 is the mapped port address. Inbound packets reverse this
translation. The router maintains a port map table which says inbound
packet addresses from,5000 get translated to,
28000 outbound.

If the router reboots, the port mapping is lost. When the client TCP
sends another packet to the router from, 50000, there is no
mapping table and the router will send back a connection reset to the
client. The same thing will happen when the server trys to send a packet
back to the client.

Thanks for the detailed explanation. Very informative!


ubuntu-users mailing list
Modify settings or unsubscribe at:

Relevant Pages

  • Re: Using Remote Desktop From an SBS Domain
    ... when you tried to RDP while attached directly to a port on your router? ... So if 3389 needs forwarded on the client end too then that is what the ... Hopefully next week I can attempt a connection while my ISP watches the ...
  • Re: Using Remote Desktop From an SBS Domain
    ... when you tried to RDP while attached directly to a port on your router? ... Internet to initiate an IP conversation with your computer. ... This situation is different than if you ran your own NAT connection sharing ...
  • Re: Setting up Home Network w/ 2 Routers
    ... successfully got my 2Wire, Netgear, and Linksys playing nicely. ... Connected the LAN port #1 of 2Wire to the WAN port of the Netgear. ... connection type and all for me. ... If you add another router to the mix, just make sure to disable the ...
  • How did they get behind my NAT?
    ... this point I panicked and shutdown the VNC service ASAP. ... My question is how the attacker got to my VNC port! ... the internet through the router. ... client connection using local port number 5900 (which was also being ...
  • Re: Can not access Web and FTP sites from Internet
    ... your IP Configuration on the Server is correctly. ... Connecting To not open connection to the host, ... 1> From the result, we can see the telnet failed, which means the router ... does not forward Port 443 to SBS Server. ...