arnvidr Guru


Joined: 19 Aug 2004 Posts: 565 Location: Oslo, Norway
Posted: Tue Jan 15, 2013 8:59 pm Post subject: Router blocking me on my own network? [SOLVED]
Was wondering if any of you fine people had much experience with routers (specifically a D-Link one) and the way they handle incoming connections. The thing is, I have an external DNS name that I use to connect to my Gentoo machine over ssh. Now, from wherever out in the big wide world, this works perfectly. When I'm connected to the wifi my router provides, these connections are denied. I tried some other stuff, and distinctly remember that connecting to 'localhost' seemed to do the trick. No such luck with ssh. Now, my sshd is set up to use a non-standard port, and so I'm thinking this is somehow blocked. But even with the Gentoo box in the DMZ it does not work. Shouldn't that at least have done the trick? That led me to believe something else is playing up here. Any idea of something I could check?
Last edited by arnvidr on Thu Feb 07, 2013 10:30 am; edited 1 time in total
BonezTheGoon Bodhisattva


Joined: 14 Jun 2002 Posts: 1376 Location: Albuquerque, NM -- birthplace of Microsoft and Gentoo
Posted: Tue Jan 15, 2013 10:47 pm
Are you using tcp_wrappers? (Check /etc/hosts.deny and /etc/hosts.allow.) Also check your sshd.conf, because there are many configurable controls there that could be interfering. If you are running any other software firewalls, like iptables, you should double-check those rules as well.
If your DMZ was actually properly configured and is truly a standard implementation of DMZ, I agree it is unlikely your D-Link is the cause.
I did find some curiosities in your telling of what is going on, though; you might want to give more detail about what you are trying to do.
_________________
pjp wrote: The greater evil is voting for the "lesser evil."
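The tcp_wrappers check suggested above has a precedence rule that is easy to get backwards: the first matching line in /etc/hosts.allow wins, then the first matching line in /etc/hosts.deny, and a client that matches neither is admitted. The following Python is an added example (not code from this thread, OpenSSH or tcp_wrappers itself) that evaluates that rule for a daemon/client pair over two constructed files; it assumes sshd is linked against libwrap, which is what makes these files matter at all, and implements only the common client patterns (ALL, exact IPv4 address, dotted prefix, net/mask or CIDR, and EXCEPT).

```python
"""Evaluate tcp_wrappers (hosts_access(5)) decisions for a daemon and client IP.

Added example, not code from the forum thread. Supports the client patterns
most often found in /etc/hosts.allow and /etc/hosts.deny: ALL, an exact IPv4
address, a dotted prefix such as "192.168.1.", a network/netmask or CIDR
block, and the "list EXCEPT list" operator. IPv6 and hostname patterns are
not handled.
"""
import ipaddress

# Constructed sample files; the real ones live in /etc/hosts.allow and
# /etc/hosts.deny. Everything after the second ':' (options) is ignored here.
HOSTS_ALLOW = """
# ssh from the LAN only, except one untrusted box
sshd: 192.168.1. EXCEPT 192.168.1.99
"""
HOSTS_DENY = """
sshd: ALL
ALL: 10.0.0.0/255.0.0.0
"""


def _match_client(pattern, client):
    """True if one client pattern matches the client's IPv4 address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # dotted prefix: "192.168.1."
        return client.startswith(pattern)
    if "/" in pattern:                        # "net/mask" or "net/len"
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client) in network
    return pattern == client                  # exact address


def _match_list(spec, client):
    """Match a client list, honouring 'list1 EXCEPT list2'."""
    if " EXCEPT " in spec:
        included, excluded = spec.split(" EXCEPT ", 1)
        return _match_list(included, client) and not _match_list(excluded, client)
    return any(_match_client(p, client) for p in spec.replace(",", " ").split())


def _matches(rules, daemon, client):
    """True if any non-comment line 'daemons : clients' in rules matches."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons, clients = fields[0], fields[1]
        daemon_ok = any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split())
        if daemon_ok and _match_list(clients, client):
            return True
    return False


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if tcp_wrappers would admit the connection.

    Order matters: hosts.allow is consulted first, then hosts.deny, and a
    client matched by neither file is allowed (the default is permissive).
    """
    if _matches(allow, daemon, client):
        return True
    if _matches(deny, daemon, client):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in (("sshd", "192.168.1.20"), ("sshd", "192.168.1.99"),
                           ("sshd", "203.0.113.7"), ("ftpd", "10.1.2.3"),
                           ("ftpd", "203.0.113.7")):
        verdict = "allow" if hosts_access(daemon, client) else "deny"
        print(f"{daemon:5} from {client:15} -> {verdict}")
```

The last case in the demo is the one worth remembering: a daemon that appears in neither file is wide open, so a `sshd: ALL` line in hosts.deny is what turns hosts.allow into an allow-list.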
tarpman Veteran


Joined: 04 Nov 2004 Posts: 1083 Location: Victoria, BC, Canada
Posted: Wed Jan 16, 2013 12:25 am
First, whether this even can work depends a little on your router's innards -- the ability to loop back through a WAN address from inside the LAN is a peculiarity of Linux, and doesn't work at all on BSD-based routers (e.g. pfSense) without some special magic like a socat pipe.
Second, I've seen some consumer routers that would otherwise support it, ship with a firewall blocking it by default. You should poke around in the firewall settings, or even just disable the firewall completely. (IMO being behind NAT is enough protection for anyone who has an idea of what they're doing.)
You didn't say whether you had tested a wired connection or not, but if my theory above is correct then the results should be the same on wired and wireless. Again, some routers ship with additional restrictions on what you can do over wireless (e.g. no access to the admin interface).
You shouldn't have to put your server in a DMZ -- all else being equal the port forward is usually sufficient.
[side note to BonezTheGoon: I don't think I've ever seen a proper DMZ in a consumer router... usually they use it to mean "forward every port not otherwise allocated to this IP".]
EDIT: disclaimer: while I've touched the odd D-Link router, most of my experience is with Linksys... YMMV
_________________
Saving the world, one kilobyte at a time.
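The "loop back through a WAN address from inside the LAN" case in the post above (usually called NAT loopback or hairpin NAT) fails for a reason that is easier to see on a packet trace than in a router menu. The Python below is an added example, not code from this thread or from any router firmware: it walks one connection attempt through a model router with a single port forward, once for an outside client and once for a LAN client, with and without the extra source rewrite that Linux-based routers need for the LAN case. All addresses, the forwarded port 2222 and the client's ephemeral port are constructed assumptions.

```python
"""Why a LAN client that connects to the router's WAN address needs NAT loopback.

Constructed model (not code from the thread or any router firmware) of a home
router with one port forward. Addresses and ports are assumptions for the demo:

  WAN side : router 203.0.113.5
  LAN side : router 192.168.1.1, ssh server 192.168.1.10, client 192.168.1.20
  Forward  : 203.0.113.5:2222 -> 192.168.1.10:2222
"""
import ipaddress

WAN_IP = "203.0.113.5"
LAN_GW = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVER = "192.168.1.10"
CLIENT = "192.168.1.20"        # a wifi/LAN host, like the poster's laptop
EXTERNAL = "198.51.100.7"      # a host somewhere on the Internet
FWD_PORT = 2222                # the non-standard sshd port being forwarded
CLIENT_PORT = 40000            # ephemeral port picked by the client


def router_inbound(pkt, hairpin):
    """Apply the port forward (DNAT) to a packet addressed to WAN_IP:FWD_PORT.

    With hairpin=True the router also rewrites the source of LAN-originated
    packets to its own LAN address (SNAT/MASQUERADE), so the server's reply is
    routed back through the router instead of straight to the client.
    Returns (packet as the server sees it, conntrack state to undo on the reply).
    """
    if pkt["dst"] != WAN_IP or pkt["dport"] != FWD_PORT:
        return None, None
    delivered = dict(pkt, dst=SERVER)
    state = {"orig_src": pkt["src"], "orig_dst": WAN_IP}
    if hairpin and ipaddress.ip_address(pkt["src"]) in LAN:
        delivered["src"] = LAN_GW
    return delivered, state


def server_reply(delivered, state):
    """The server answers what it received; return the reply as the client gets it."""
    reply = {"src": delivered["dst"], "sport": delivered["dport"],
             "dst": delivered["src"], "dport": delivered["sport"]}
    # A reply to a host on the server's own subnet is delivered directly (ARP),
    # bypassing the router. Only traffic for other networks, or for the router
    # itself, passes the router's conntrack table and gets un-translated.
    via_router = ipaddress.ip_address(reply["dst"]) not in LAN or reply["dst"] == LAN_GW
    if via_router:
        reply["src"] = state["orig_dst"]
        reply["dst"] = state["orig_src"]
    return reply


def connect(client_ip, hairpin):
    """True if the client's socket accepts the reply.

    The client opened a connection to WAN_IP:FWD_PORT, so a SYN-ACK arriving
    from any other (src, sport) does not belong to that socket and is answered
    with a RST: the connection is 'denied' even though nothing filtered it.
    """
    request = {"src": client_ip, "sport": CLIENT_PORT, "dst": WAN_IP, "dport": FWD_PORT}
    delivered, state = router_inbound(request, hairpin)
    reply = server_reply(delivered, state)
    return (reply["src"], reply["sport"], reply["dst"], reply["dport"]) == \
        (WAN_IP, FWD_PORT, client_ip, CLIENT_PORT)


if __name__ == "__main__":
    for who, ip in (("external host", EXTERNAL), ("LAN client", CLIENT)):
        for hairpin in (False, True):
            outcome = "ok" if connect(ip, hairpin) else "RST"
            print(f"{who:13} hairpin={str(hairpin):5} -> {outcome}")
```

On a Linux-based router (an assumption; consumer firmware varies) the two branches of `router_inbound` correspond to a PREROUTING DNAT rule that is not restricted to the WAN interface, plus `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.10 -p tcp --dport 2222 -j MASQUERADE` for the hairpin case. Without that second rule the server's SYN-ACK reaches the client straight from 192.168.1.10, which is why the failure looks like a block rather than a routing problem.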
arnvidr Guru


Joined: 19 Aug 2004 Posts: 565 Location: Oslo, Norway
Posted: Fri Jan 18, 2013 4:48 pm
Nothing in hosts.deny/allow that I could see. I have PermitTunnel set to no in sshd_config, but I couldn't quite wrap my head around whether this could have any effect.
Note that the D-Link provides the DMZ, so I can't vouch for how it is set up.
I'll poke around the settings to see if I can find anything related to what you mention, tarpman, about looping back through a WAN address.
BonezTheGoon: Not sure what more details I can provide. I want to ssh to a machine. It works from everywhere except my local network. I haven't tried it through a physical connection, and I could possibly dig up a cable to try, but I don't see what difference it could make unless I've really messed up my router settings. I'll poke around in the settings when I get home.
Sorry for the late reply.
Bones McCracker Veteran


Joined: 14 Mar 2006 Posts: 1605 Location: U.S.A.
Posted: Fri Jan 18, 2013 9:48 pm
Just ignore these guys; they don't know what they're talking about.
Routers will block such connections due to something called reverse path filtering. It's designed to protect you from address spoofing (e.g. packets arriving from the Internet and claiming to have come from inside your network), and it's generally enabled by default.
http://en.wikipedia.org/wiki/Reverse_path_forwarding
If a packet arrives on an interface, and a hypothetical reply to the packet would not go out the same interface, then it fails the test and is rejected.
What you really ought to do is establish name resolution internal to your network. If you don't want to create your own DNS server, you could just create /etc/hosts entries for the machines you want to be able to address by name. Windows machines have something similar called LMHOSTS.
_________________
patrix_neo wrote: The human thought: I cannot win.
The ratbrain in me: I can only go forward and that's it.
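The reverse path test described above ("if a packet arrives on an interface, and a hypothetical reply would not go out the same interface, it fails") is a routing-table lookup, and Linux exposes its two flavours through the rp_filter sysctl. The Python below is an added example, not code from this thread or from the kernel: it runs that lookup over a constructed home-router routing table and shows how strict mode drops a packet from the Internet that claims a LAN source while loose mode, which only asks whether any route back exists, lets the same packet through when a default route is present. The interface names and routes are assumptions for the demo.

```python
"""Reverse path filtering as a function of the routing table.

Added example, not code from the thread or the kernel. Models the Linux sysctl
net.ipv4.conf.all.rp_filter / net.ipv4.conf.<iface>.rp_filter:
  0 = no source validation
  1 = strict: the route back to the source must leave via the arrival interface
  2 = loose:  any route back to the source is enough
"""
import ipaddress

# Constructed routing table of a home router: (destination prefix, interface).
ROUTES = [
    ("192.168.1.0/24", "lan0"),   # the LAN, reached directly
    ("203.0.113.0/24", "wan0"),   # the ISP-side link
    ("0.0.0.0/0", "wan0"),        # default route to the Internet
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst would leave by, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rp_filter(src, in_iface, mode=1, routes=ROUTES):
    """True if a packet with source src arriving on in_iface passes the check.

    This is the kernel's source validation on a per-packet basis; mode is the
    effective rp_filter value for in_iface (the larger of conf/all and
    conf/<iface>).
    """
    if mode == 0:
        return True
    back = route_lookup(src, routes)
    if mode == 2:
        return back is not None
    return back == in_iface


def classify(packets, mode, routes=ROUTES):
    """Apply rp_filter to (src, in_iface) pairs; returns a list of (src, iface, verdict)."""
    return [(src, iface, "pass" if rp_filter(src, iface, mode, routes) else "drop")
            for src, iface in packets]


# Constructed sample traffic as seen by the router.
SAMPLE_PACKETS = [
    ("198.51.100.7", "wan0"),   # ordinary Internet host
    ("192.168.1.20", "lan0"),   # LAN host talking through its own interface
    ("192.168.1.50", "wan0"),   # Internet packet spoofing a LAN source address
]

if __name__ == "__main__":
    for mode, label in ((1, "strict"), (2, "loose"), (0, "off")):
        print(f"rp_filter={mode} ({label})")
        for src, iface, verdict in classify(SAMPLE_PACKETS, mode):
            print(f"  {src:14} on {iface}: {verdict}")
```

To see which mode a Linux box is actually using, read `sysctl net.ipv4.conf.all.rp_filter` and the per-interface key; the kernel applies the larger of the two to each interface, so setting `all` to 1 tightens every interface even if the per-interface value is 0.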
arnvidr Guru


Joined: 19 Aug 2004 Posts: 565 Location: Oslo, Norway
Posted: Sun Jan 20, 2013 10:57 am
Well, that was easy. Thanks BK!
tarpman Veteran


Joined: 04 Nov 2004 Posts: 1083 Location: Victoria, BC, Canada
Posted: Mon Jan 21, 2013 9:11 pm
That's what I get for answering the question as it was asked instead of analyzing the use case... I should know better!
Thanks for the Wikipedia link, BK. RPF is exactly what I was talking about, but I didn't know it had a name.
_________________
Saving the world, one kilobyte at a time.
arnvidr Guru


Joined: 19 Aug 2004 Posts: 565 Location: Oslo, Norway
Posted: Thu Feb 07, 2013 10:30 am
And everyone (me and tarpman) learnt something.
Bones McCracker Veteran


Joined: 14 Mar 2006 Posts: 1605 Location: U.S.A.
Posted: Thu Feb 07, 2013 8:00 pm
You can learn more at /usr/src/linux/Documentation/networking/ip-sysctl.txt (or something like that).
_________________
patrix_neo wrote: The human thought: I cannot win.
The ratbrain in me: I can only go forward and that's it.