Gentoo Forums :: Forum Index :: Off the Wall
Router blocking me on my own network? [SOLVED]
arnvidr
Guru
Joined: 19 Aug 2004
Posts: 454
Location: Oslo, Norway

Posted: Tue Jan 15, 2013 8:59 pm    Post subject: Router blocking me on my own network? [SOLVED]

Was wondering if any of you fine people had much experience with routers (specifically a d-link one) and the way they handle incoming connections. The thing is, I have an external dns that I use to connect to my gentoo machine over ssh. Now, from wherever out in the big wide world, this works perfectly. When I'm connected to the wifi my router provides, these connections are denied. I tried some other stuff, and distinctly remember connecting to 'localhost' seemed to do the trick. No such luck with the ssh. Now, my sshd is set up to use a non-standard port, and so I'm thinking this is somehow blocked. But even with the gentoo box in the DMZ it does not work. Shouldn't that at least have done the trick? That led me to believe something else is playing up here. Any idea of something I could check?
_________________
Noone wrote:
anything
Last edited by arnvidr on Thu Feb 07, 2013 10:30 am; edited 1 time in total
BonezTheGoon
Bodhisattva
Joined: 14 Jun 2002
Posts: 1375
Location: Albuquerque, NM -- birthplace of Microsoft and Gentoo

Posted: Tue Jan 15, 2013 10:47 pm    Post subject:

Are you using tcp_wrappers? (check /etc/hosts.deny and /etc/hosts.allow) - also check your sshd.conf because there are many configurable controls there that could be interfering. If you are running any other software firewalls, like iptables, you should double-check those rules as well.

If your DMZ was actually properly configured and is truly a standard implementation of DMZ I agree it is unlikely your D-Link is the cause.

I did find some curiosities in your telling of what is going on though, you might want to get more detailed about what you are trying to do.
_________________
mcgruff wrote:
I can't promise to be civil.


pjp wrote:
The greater evil is voting for the "lesser evil."
tarpman
Veteran
Joined: 04 Nov 2004
Posts: 1083
Location: Victoria, BC, Canada

Posted: Wed Jan 16, 2013 12:25 am    Post subject:

First, whether this even can work depends a little on your router's innards -- the ability to loop back through a WAN address from inside the LAN is a peculiarity of Linux, and doesn't work at all on BSD-based routers (e.g. pfSense) without some special magic like a socat pipe.

Second, I've seen some consumer routers that would otherwise support it, ship with a firewall blocking it by default. You should poke around in the firewall settings, or even just disable the firewall completely. (IMO being behind NAT is enough protection for anyone who has an idea of what they're doing.)

You didn't say whether you had tested a wired connection or not, but if my theory above is correct then the results should be the same on wired and wireless. Again, some routers ship with additional restrictions on what you can do over wireless (e.g. no access to the admin interface).

You shouldn't have to put your server in a DMZ -- all else being equal the port forward is usually sufficient.

[side note to BonezTheGoon: I don't think I've ever seen a proper DMZ in a consumer router... usually they use it to mean "forward every port not otherwise allocated to this IP".]

EDIT: disclaimer, while I've touched the odd D-Link router, most of my experience is with Linksys... YMMV
_________________
Saving the world, one kilobyte at a time.
arnvidr
Guru
Joined: 19 Aug 2004
Posts: 454
Location: Oslo, Norway

Posted: Fri Jan 18, 2013 4:48 pm    Post subject:

Nothing in hosts.deny/allow that I could see. I have PermitTunnel set to no in sshd_config, but I couldn't quite wrap my head around if this could have any effect.

Note that the D-Link provides the DMZ, so I can't vouch for how it is set up.

I'll poke around the settings to see if I can find anything related to what you mention, tarpman, about looping back through a WAN address.

BonezTheGoon: Not sure what more details I can provide. I want to ssh to a machine. It works from everywhere except my local network. I haven't tried it through a physical connection, and I could possibly dig up a cable to try, but I don't see what difference it could make unless I've really messed up my router settings. I'll poke around in the settings when I get home.

Sorry for the late reply.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1566
Location: U.S.A.

Posted: Fri Jan 18, 2013 9:48 pm    Post subject:

Just ignore these guys; they don't know what they're talking about. :P

Routers will block such connections due to something called reverse path filtering. It's designed to protect you from address spoofing (e.g. packets arriving from the Internet and claiming to have come from inside your network), and it's generally enabled by default.
http://en.wikipedia.org/wiki/Reverse_path_forwarding

If a packet arrives on an interface, and a hypothetical reply to the packet would not go out the same interface, then it fails the test and is rejected.

What you really ought to do is establish name resolution internal to your network. If you don't want to create your own DNS server, you could just create /etc/hosts entries for the machines you want to be able to address by name. Windows machines have something similar called LMHOSTS.
_________________
pjp wrote:
I didn't misquote you, I just misunderstood you.
arnvidr
Guru
Joined: 19 Aug 2004
Posts: 454
Location: Oslo, Norway

Posted: Sun Jan 20, 2013 10:57 am    Post subject:

Well, that was easy. Thanks BK!
tarpman
Veteran
Joined: 04 Nov 2004
Posts: 1083
Location: Victoria, BC, Canada

Posted: Mon Jan 21, 2013 9:11 pm    Post subject:

That's what I get for answering the question as it was asked instead of analyzing the use case... I should know better!

Thanks for the wikipedia link BK. RPF is exactly what I was talking about but I didn't know it had a name.
arnvidr
Guru
Joined: 19 Aug 2004
Posts: 454
Location: Oslo, Norway

Posted: Thu Feb 07, 2013 10:30 am    Post subject:

And everyone (me and tarpman) learnt something :D
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1566
Location: U.S.A.

Posted: Thu Feb 07, 2013 8:00 pm    Post subject:

:lol:

You can learn more at /usr/src/linux/Documentation/networking/ip-sysctl.txt (or something like that).
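An added illustration, not code from this thread or from any router vendor, of the reverse-path check Bones McCracker describes ("would a reply to this packet leave by the interface it arrived on?") together with the rp_filter modes documented in the kernel's ip-sysctl file he points to. The routing table, interface names and addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table for a home router (assumed values, not from the
# thread). Longest matching prefix wins, as in a real forwarding table.
ROUTES = [
    ("192.168.1.0/24", "lan0"),   # the LAN behind the router
    ("0.0.0.0/0", "wan0"),        # default route towards the ISP
]

# rp_filter modes from the kernel's ip-sysctl documentation:
# 0 = no check, 1 = strict (the reply must leave via the arrival interface),
# 2 = loose (the source only has to be reachable via some interface).
STRICT, LOOSE = 1, 2


def reverse_path_interface(src):
    """Interface a hypothetical reply to src would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_accepts(src, in_iface, mode=STRICT):
    """True if a packet with source src arriving on in_iface passes the check."""
    if mode == 0:
        return True
    out_iface = reverse_path_interface(src)
    if mode == LOOSE:
        return out_iface is not None
    return out_iface == in_iface


if __name__ == "__main__":
    cases = [
        # (description, source address, arrival interface) -- all constructed
        ("LAN client talking to the router", "192.168.1.50", "lan0"),
        ("ordinary Internet client", "198.51.100.9", "wan0"),
        ("spoofed: Internet packet claiming a LAN source", "192.168.1.50", "wan0"),
    ]
    for what, src, iface in cases:
        verdict = "accept" if rpf_accepts(src, iface) else "drop"
        print(f"{what}: {verdict}")
```

The third case is the spoofing scenario the check exists to stop; switching the same packet to `mode=LOOSE` lets it through, which is why strict mode is the default worth keeping on an edge router.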