SSH connection problem (timeout) from outside to ppp0 interface (4G modem) on Raspberry Pi

I am having difficulty establishing SSH connection from outside to Raspberry Pi that has USB 4G modem as interface. I get timeout when trying to connect with ssh: ssh -l pi ccc.ccc.ccc.ccc -p 22 ssh_exchange_identification: read: Operation timed out Interface is obviously ppp0 and has correct IP address that can be pinged from outside. This is the ifconfig listing (ip address obfuscated) ppp0: flags=4305 mtu 1500 inet ccc.ccc.ccc.ccc netmask 255.255.255.255 destination 10.64.64.64 ppp txqueuelen 3 (Point-to-Point Protocol) RX packets 401 bytes 377702 (368.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 336 bytes 27694 (27.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ping from an other machine works OK, ssh does not and gets timeout. Monitoring the interface with tcpdumps shows some life when connected with ssh client sudo tcpdump -i ppp0 port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 09:18:26.764806 IP yyy.yyy.yyy.yyy.53681 > ccc.ccc.ccc.ccc.ssh: Flags [S], seq 2675400197, win 65535, options [mss 1386,nop,wscale 5,nop,nop,TS val 672664602 ecr 0,sackOK,eol], length 0 after that there is no life, no logs in /var/log/auth or messages, nothing. sshd log level is set to DEBUG3 This is the SSHD conf file: Port 22 Port 7654 AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: # Ciphers and keying #RekeyLimit default none # Logging SyslogFacility AUTH LogLevel DEBUG3 I tried to add some obscure port 7654 in case 22 was blocked by ISP or something I tried to add specific firewall rules even though general policy is set to ACCEPT: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:7654 ctstate NEW,ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:7654 ctstate ESTABLISHED route table looks like this: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 bbb.bbb.bbb.0 0.0.0.0 255.255.252.0 U 202 0 0 eth0 where that bbb thing is local ethernet network No luck, and I still get timeout when trying to connect. SSH from localhost to that IP address works ok. Any ideas where this is going wrong and how to fix it? It puzzles me that I get at least ICMP messages to the interface and internally SSH also works. Even externally there is some life in that interface when connecting from outside with ssh, but it still doesn't work.