I tried to activate some logs:
iptables -A forwarding_rule -p tcp --dport 22 -j LOG
Then I made a connection from the client (172.17.190.101) to the server (10.55.115.49) and vice versa.
This is the log, but I don't understand much of it; I don't see ACCEPT, REJECT, or DROP.
[ 8066.928174] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=60 TOS=0x08 PREC=0x40 TTL=63 ID=6231 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3f00
[ 8066.968624] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=52 TOS=0x08 PREC=0x40 TTL=63 ID=6232 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8066.989739] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=73 TOS=0x08 PREC=0x40 TTL=63 ID=6233 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x3f00
[ 8067.054855] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=52 TOS=0x08 PREC=0x40 TTL=63 ID=6234 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8067.076385] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=1405 TOS=0x08 PREC=0x40 TTL=63 ID=6235 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8067.097626] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=251 TOS=0x08 PREC=0x40 TTL=63 ID=6236 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x3f00
[ 8073.923156] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=29731 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x3f00
[ 8073.959693] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29732 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8073.977555] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=73 TOS=0x00 PREC=0x00 TTL=61 ID=29733 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0x3f00
[ 8074.014539] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29734 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8074.091636] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29737 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=245 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8074.129376] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=100 TOS=0x00 PREC=0x00 TTL=61 ID=29738 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=245 RES=0x00 ACK PSH URGP=0 MARK=0x3f00
SSH log from the server:
ssh -vvv root@172.17.190.101
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "172.17.190.101" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 172.17.190.101 [172.17.190.101] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.17.190.101:22 as 'root'
debug3: hostkeys_foreach: reading file ".ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file .ssh/known_hosts:113
debug3: load_hostkeys: loaded 1 keys from 172.17.190.101
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 172.17.190.101 port 22
SSH log from the client:
ssh -vvv 10.55.115.49
OpenSSH_8.6p1, OpenSSL 1.1.1l FIPS 24 Aug 2021
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 10.55.115.49 originally 10.55.115.49
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 10.55.115.49 is address
debug1: re-parsing configuration
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 10.55.115.49 originally 10.55.115.49
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.55.115.49 [10.55.115.49] port 22.
debug3: set_sock_tos: set socket 5 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 10.55.115.49:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
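An added example, not part of the original post: a small parser for the netfilter LOG lines above that groups them into flows and reads the TCP flags. The LOG target never records a verdict, so the way to tell whether a flow passed is to look at what followed: a plain ACK from the same source port after the SYN can only be sent once the SYN-ACK came back, so nothing up to the LOG rule dropped either direction. The three sample lines are copied from the post; field and flow names are the example's own.

```python
import re
from collections import defaultdict

# Three lines copied from the netfilter LOG output in the post above.
SAMPLE_LOG = """\
[ 8066.928174] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=60 TOS=0x08 PREC=0x40 TTL=63 ID=6231 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3f00
[ 8066.968624] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=52 TOS=0x08 PREC=0x40 TTL=63 ID=6232 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00
[ 8073.923156] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=29731 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x3f00
"""

def parse_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus a 'flags' set.
    Bare tokens (DF, SYN, ACK, PSH, ...) land in 'flags'; the [timestamp] becomes 'ts'."""
    m = re.match(r"\[\s*([\d.]+)\]\s*(.*)", line)
    if not m:
        return None
    rec = {"ts": float(m.group(1)), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= with no value is legal here
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec

def flow_key(rec):
    # One direction of a TCP conversation: (src, sport, dst, dport).
    return (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])

def summarize(text):
    """Group TCP packets into flows and report, per flow, the interfaces it crossed
    and whether a bare SYN was later followed by an ACK-bearing packet (handshake
    reached the third step, i.e. the return path was not dropped before this rule)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP":
            flows[flow_key(rec)].append(rec)
    out = {}
    for key, pkts in flows.items():
        saw_syn = any("SYN" in p["flags"] and "ACK" not in p["flags"] for p in pkts)
        saw_ack = any("ACK" in p["flags"] for p in pkts)
        out[key] = {"packets": len(pkts),
                    "path": f'{pkts[0]["IN"]}->{pkts[0]["OUT"]}',
                    "handshake_completed": saw_syn and saw_ack}
    return out

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
```

Because the rule only matches `--dport 22`, the replies (SPT=22) are never logged, which is why only one direction of each conversation appears; a second LOG rule for `--sport 22`, each with its own `--log-prefix`, makes both halves visible and tells the rules apart in the output.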