Router blocking me on my own network? [SOLVED]

[arnvidr]

Was wondering if any of you fine people had much experience with routers (specifically a d-link one) and the way they handle incoming connections. The thing is, I have an external dns that I use to connect to my gentoo machine over ssh. Now, from wherever out in the big wide world, this works perfectly. When I'm connected to the wifi my router provides, these connections are denied. I tried some other stuff, and distinctly remember connecting to 'localhost' seemed to do the trick. No such luck with the ssh. Now, my sshd is set up to use a non-standard port, and so I'm thinking this is somehow blocked. But even with the gentoo box in the DMZ it does not work. Shouldn't that at least have done the trick? That led me to believe something else is playing up here. Any idea of something I could check?
_________________

[BonezTheGoon]

Are you using tcp_wrappers? (check /etc/hosts.deny and /etc/hosts.allow) - also check your sshd.conf because there are many configurable controls there that could be interfering. If you are running any other software firewalls, like iptables, you should double-check those rules as well.

If your DMZ was actually properly configured and is truly a standard implementation of DMZ I agree it is unlikely your D-Link is the cause.

I did find some curiosities in your telling of what is going on though, you might want to get more detailed about what you are trying to do.
_________________

[tarpman]

First, whether this even can work depends a little on your router's innards -- the ability to loop back through a WAN address from inside the LAN is a peculiarity of Linux, and doesn't work at all on BSD-based routers (e.g. pfSense) without some special magic like a socat pipe.

Second, I've seen some consumer routers that would otherwise support it, ship with a firewall blocking it by default. You should poke around in the firewall settings, or even just disable the firewall completely. (IMO being behind NAT is enough protection for anyone who has an idea of what they're doing.)

You didn't say whether you had tested a wired connection or not, but if my theory above is correct then the results should be the same on wired and wireless. Again, some routers ship with additional restrictions on what you can do over wireless (e.g. no access to the admin interface).

You shouldn't have to put your server in a DMZ -- all else being equal the port forward is usually sufficient.

[side note to BonezTheGoon: I don't think I've ever seen a proper DMZ in a consumer router... usually they use it to mean "forward every port not otherwise allocated to this IP".]

EDIT: disclaimer, while I've touched the odd D-Link router, most of my experience is with Linksys... YMMV
_________________
Saving the world, one kilobyte at a time.

[arnvidr]

Nothing in hosts.deny/allow that I could see. I have PermitTunnel set to no in sshd_config, but I couldn't quite wrap my head around if this could have any effect.

Note that the D-Link provides the DMZ, so I can't vouch for how it is set up.

I'll poke around the settings to see if I can find anything related to what you mention, tarpman, about looping back through a WAN address.

BonezTheGoon: Not sure what more details I can provide. I want to ssh to a machine. It works from everywhere except my local network. I haven't tried it through a physical connection, and I could possibly dig up a cable to try, but I don't see what difference it could make unless I've really messed up my router settings. I'll poke around in the settings when I get home.

Sorry for the late reply.
_________________

[Bones McCracker]

Just ignore these guys; they don't know what they're talking about.

Routers will block such connections due to something called reverse path filtering. It's designed to protect you from address spoofing (e.g. packets arriving from the Internet and claiming to have come from inside your network), and it's generally enabled by default.
http://en.wikipedia.org/wiki/Reverse_path_forwarding

If a packet arrives on an interface, and a hypothetical reply to the packet would not go out the same interface, then it fails the test and is rejected.

What you really ought to do is establish name resolution internal to your network. If you don't want to create your own DNS server, you could just create /etc/hosts entries for the machines you want to be able to address by name. Windows machines have something similar called LMHOSTS.
_________________

[arnvidr]

Well, that was easy. Thanks BK!
_________________

[tarpman]

That's what I get for answering the question as it was asked instead of analyzing the use case... I should know better!

Thanks for the wikipedia link BK. RPF is exactly what I was talking about but I didn't know it had a name.
_________________
Saving the world, one kilobyte at a time.

[arnvidr]

And everyone (me and tarpman) learnt something
_________________

[Bones McCracker]

You can learn more at /usr/src/linux/Documentation/networking/ip-sysctl.txt (or something like that).
_________________