LinuxQuestions.org
Old 04-11-2002, 01:06 AM   #1
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Rep: Reputation: 30
how to ssh in through the ISP


Hi again,

I have a DNS account with my ISP, and I can ssh to a remote server, but I'm unable to ssh back to me, mainly because my IP starts with 10.158....., which means that it is not a real IP. But when logged in on the other side, if I do a netstat, my incoming connection to the server looks like IP.always.the.same : port, but ssh, telnet or anything else to that port is useless. How can I connect back to me? Maybe with special software? Does IP tunneling have something to do with it?

Thank you in advance

Hano
 
Old 04-11-2002, 04:09 AM   #2
LabRad
Member
 
Registered: Apr 2002
Location: The Netherlands
Distribution: Slackware, openBSD
Posts: 106

Rep: Reputation: 15
I don't really know, but:
Do you have an ssh server running?
And is the port not blocked by your firewall?
 
Old 04-11-2002, 04:19 AM   #3
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
Both machines have sshd on. I can ssh on localhost, and I can ssh to a remote server, but I can't ssh back. The question is really about understanding this:

When I do netstat on the remote server I get (among others) my own connection logged, and it shows the REAL IP of the most external server of my ISP (I checked this with traceroute). Along with that real IP, it shows the port the incoming connection comes from, BUT I can't connect BACK to me through that port, as if it were kind of unidirectional...

How can I overcome this to get a "tunnel" back to my localhost?


Hano
 
Old 04-11-2002, 05:00 AM   #4
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
I don't really understand what you have set up, but I have a "fake" IP "192.168.." and in order to ssh to my machine I had to set up port forwarding through my router to send all telnet, http, ssh and whatever else (I didn't really forward telnet as it is insecure). Are you connected to another computer or router that has a REAL IP? If so, do you have access to it, and can you get requests on the desired ports forwarded to your machine?
 
Old 04-11-2002, 05:07 AM   #5
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
How do you forward a port?

The remote server actually has a real IP (159.90....), but I meant that the real IP I saw was the REAL IP of my ISP (200.14 .... : port). Where do I see this? When logged in with ssh on the remote one, I did netstat to see the states of the ports, and of course the connection I came from appears there...



Hano
 
Old 04-17-2002, 11:27 PM   #6
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Sorry for just now replying.

To set up port forwarding on the Linksys router:

From a computer connected to it, type http://192.168.1.1 or whatever the router IP is (not the one assigned by your ISP but the private IP). A login screen should come up. Log in if you have already set it up (if not, instructions for the first-time login should have come with the router; if you don't have them, let me know and I'll dig up mine). Go to Advanced Setup, then go to Forwarding (if it's like mine, these will be tabs at the top). Type in the port number you want to forward and the IP address of the computer you want to forward to. Example:

Port 80 ~ 80 IP: 192.168.1.100

That will forward any request for port 80 (HTTP) to the computer with virtual IP 192.168.1.100. If a webserver is running, then it will return a webpage to whoever requested it from the outside world. In order to get to the page, the outside world must use the IP that was assigned by your ISP. For instance, if your ISP gives you an IP of 68.134.255.4 and you have forwarding set up as above, if I type http://68.134.255.4 your router will forward the request for the website to the computer on the network with the 192.168.1.100 IP.

Hope that helped.
 
Old 04-18-2002, 06:00 PM   #7
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
yes, but...

Yes, but probably my ISP doesn't want me to receive outside requests! So logging in to the router is not easy (do you mean the outermost ISP server, or just the one nearest to me?)

...But again, when I am requesting from inside to connect to someone outside, how does my ISP know that any answer to my call is actually an answer and not a request? Probably because it knows I just asked for something, and the ISP router, I guess, takes care of looking for that for me and giving it to me, or just lets incoming traffic in when it was asked for first from inside. But maybe there is some way of fooling it... so just guessing:

If I'm constantly connected to a remote host which I can access, which can receive ftp and ssh requests, then in principle my machine can listen to that host. The most primitive thing I can think of is a script that constantly reads a file on the remote server, where I can pass (from the outside) a parsable message to my invisible-thru-ISP host in which I ask it, for example, to upload a certain file.

But that is just the most primitive thing I can think of; I'm sure there is a cleaner way of doing this.


THANKS!
 
Old 04-21-2002, 01:15 PM   #8
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
You really kinda lost me there... but I'll do my best...


Your ISP probably doesn't care if you receive requests at all. All they do is provide you with internet access by giving you an IP address (a real one). Whatever request is made to that IP address, such as a request for a web page, will be sent to the computer connected to it. The ISP won't stop the request (if they are, get a new ISP, but I doubt that's the case at all). Now if the physical line into the house that provides you internet service goes into a router, all requests on the IP address that the ISP gave you will hit the router. Now if the router has forwarding set up, it will forward requests for certain ports to the computer you assign. Example:

Assume your ISP gives you the following IP: 1.2.3.4
Assume your computer has an IP of 5.6.7.8, which is a "fake" IP given to it by the router.

If I type http://1.2.3.4:80 in a browser not on your network (or on it), it will be sent to your router (because that's the IP your ISP gave you). If you have port forwarding on and you have the router sending requests for port 80 to the computer with address 5.6.7.8, the router will direct the original request for 1.2.3.4:80 on to 5.6.7.8:80 without me ever knowing there was even a router in place at all... like a middle man without the delay. As far as your ISP goes, all they did was facilitate the whole thing by allowing you access to the internet and assigning you an IP address that can be seen by the world, which again is the outside IP address of the router.

I hope I explained it OK. If not, let me know what confused you, and remember: the web page example can apply to any port you want to forward. 21, 23, 80, 27015... whatever you want.
 
Old 04-21-2002, 01:16 PM   #9
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
I must reiterate: if your ISP is not allowing incoming requests on the IP address they assigned you, call 'em up, cuss 'em out, and get a new ISP (who is your ISP?)
 
Old 04-21-2002, 03:43 PM   #10
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
My ISP is also the f*cking one-and-big phone company around here (CANTV), who also owns the whole network infrastructure that goes into every home... but besides this pissing situation, this is what I do to know who I am:

On my machine I do a netstat -r to check my eth0 device:

# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.xxx.xxx.112 * 255.255.255.240 U 40 0 0 eth0
127.0.0.0 * 255.0.0.0 U 40 0 0 lo
default dhcp-0.dslxx-05 0.0.0.0 UG 40 0 0 eth0

So to check, I do

# ssh 10.xxx.xxx.112
Secure connection to 10.xxx.xxx.112 refused.

But there's more fun yet: if I traceroute to it I get:
# traceroute 10.xxx.xxx.112
socket: Permission denied

Ouch! Then I check and do

# ssh 10.xxx.xxx.114
root@10.xxx.xxx.114's password: (my password)
Last login: Sun Apr 21 15:52:56 2002 from dhcp-1.dslxx-0x-0y-0z-w-k.cao.dsl.cantv.net
/usr/X11R6/bin/xauth: (stdin):1: bad display name "dhcp-1.dslxx-0x-0y-0z-w-k.cao.dsl.cantv.net:10.0" in "add" command
Caution - you already had IA32ROOT set - your PATH could become excessively long
#
I have a login! It's my own machine! ...So I'm 10.xxx.xxx.114, at least locally. To figure out who I am as seen from outside, I log in to a remote machine in my university:

#ssh hano@159.xxx.yyy.zzz
hano@159.xxx.yyy.zzz's password: (my password)

When logged in, I try to log back in to my machine
[hano@159.xxx.yyy.zzz]# ssh 10.xxx.xxx.114
Secure connection to 10.xxx.xxx.114 refused.

It doesn't let me log on to my machine!!
What is going on here?? So I do a traceroute to my machine to check what the steps to my machine are:

[hano@159.xxx.yyy.zzz]# traceroute 10.xxx.xxx.114
traceroute to 10.xxx.xxx.114 (10.xxx.xxx.114), 30 hops max, 38 byte packets
1 159.xxx.yyy.1 (159.xxx.yyy.1) 1.280 ms 1.125 ms 1.104 ms
2 159.xxx.yyy.1 (159.xxx.yyy.1) 1.549 ms 1.374 ms 1.334 ms
3 159.xxx.yyy.1 (159.xxx.yyy.1) 1.262 ms !H * 1.346 ms !H

So it doesn't help much. Apparently 10.xxx.xxx.114 is not a real IP, so, to figure out what my "real" IP is, I supposed that this remote machine must know from whom it is hearing my ssh!
That's the reason for me to do a netstat on this remote machine:

[hano@159.xxx.yyy.zzz]# netstat | more
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 40 159.xxx.yyy.zzz:ssh 200.aaa.bbb.6:2456 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 41986 @0000026a
unix 1 [ ] STREAM CONNECTED 41993 @0000026c
unix 1 [ ] STREAM CONNECTED 41983 @00000269
unix 1 [ ] DGRAM 49140 /dev/log
unix 0 [ ] STREAM CONNECTED 21926 @000000f2
unix 0 [ ] DGRAM 51307

... other irrelevant stuff

But the relevant stuff is the listening ssh connection from 200.aaa.bbb.6 on port 2456 (every time I log in the port is different, but always from 200.aaa.bbb.6)

But who is this 200.aaa.bbb.6? Just to check it out I log out and get back to my home machine, then I traceroute from here to this weird server...

# traceroute 200.aaa.bbb.6
traceroute to 200.aaa.bbb.6 (200.aaa.bbb.6), 30 hops max, 38 byte packets
1 dhcp-0 (10.xxx.xxx.113) 0.849 ms 0.791 ms 0.765 ms
2 lo0.lac00-nrp2.cnt.dsl.cantv.net (172.17.1.62) 67.239 ms 65.914 ms 66.128 ms
3 fe1-0-0.core-00.cnt.dsl.cantv.net (172.16.1.3) 67.713 ms 67.625 ms 67.863 ms
4 fe0-0-0.lac00-nrp2.cnt.dsl.cantv.net (172.16.1.62) 65.761 ms 67.586 ms 66.107 ms
5 fe1-0-0.core-00.cnt.dsl.cantv.net (172.16.1.3) 67.724 ms 67.681 ms 67.879 ms
6 fe0-0-0.lac00-nrp2.cnt.dsl.cantv.net (172.16.1.62) 65.961 ms 69.413 ms 64.387 ms
7 fe1-0-0.core-00.cnt.dsl.cantv.net (172.16.1.3) 67.715 ms 69.372 ms 66.129 ms
8 fe0-0-0.lac00-nrp2.cnt.dsl.cantv.net (172.16.1.62) 64.235 ms 67.666 ms 66.190 ms
9 fe1-0-0.core-00.cnt.dsl.cantv.net (172.16.1.3) 67.622 ms 99.199 ms 69.313 ms
10 fe0-0-0.lac00-nrp2.cnt.dsl.cantv.net (172.16.1.62) 66.005 ms 67.663 ms 67.846 ms

And it goes and goes... after a while of this ping-pong, it just stops. So, my ISP wants to mess with my mind.
Actually the ISP wants to bribe people, making you pay a LOT more to get these problems off your back, and they assure you that you have a dynamic IP assigned by DHCP, but I have checked it out and locally I'm ALWAYS 10.xxx.xxx.114!! And when I log in to a remote host, I'm always heard from 200.aaa.bbb.6!!

Please, help me figure this out!

Hano
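
Added example (not part of the original thread or any poster's code): a small Python model of the two NAT behaviours discussed in posts #6 to #10, the static port forward on the Linksys router and the per-connection mapping that makes 200.aaa.bbb.6:2456 usable only for replies. The `Nat` class, its port-restricted filtering rule, and the 10.0.0.114 / 203.0.113.6 / 198.51.100.20 addresses are assumptions constructed for illustration; real NAT devices differ in how strictly they filter.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy model of a NAT device (assumed port-restricted filtering)."""
    public_ip: str
    next_port: int = 2456                          # port seen in the thread's netstat
    sessions: dict = field(default_factory=dict)   # public port -> (inside, remote)
    forwards: dict = field(default_factory=dict)   # public port -> inside endpoint

    def outbound(self, inside, remote):
        """Inside host connects out: allocate a public port and record the flow."""
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = (inside, remote)
        return (self.public_ip, port)              # what the remote's netstat shows

    def inbound(self, src, dst_port):
        """Packet from src hits public_ip:dst_port; return inside endpoint or None."""
        session = self.sessions.get(dst_port)
        if session and session[1] == src:          # reply on an existing flow
            return session[0]
        return self.forwards.get(dst_port)         # else only a static forward helps

def demo():
    # Constructed addresses: RFC 5737 documentation ranges stand in for masked IPs.
    home, univ_sshd = ("10.0.0.114", 40000), ("198.51.100.20", 22)
    isp = Nat("203.0.113.6")
    seen = isp.outbound(home, univ_sshd)
    results = {
        "seen_by_remote": seen,
        # sshd's reply comes from the same remote ip:port, so it is translated back
        "reply": isp.inbound(univ_sshd, seen[1]),
        # a new ssh client on the remote uses a fresh source port: no matching flow
        "connect_back": isp.inbound(("198.51.100.20", 51000), seen[1]),
        # nothing forwards port 22 on the ISP's NAT either
        "connect_to_22": isp.inbound(("198.51.100.20", 51000), 22),
    }
    # Home router from post #6: port 80 statically forwarded to 192.168.1.100
    linksys = Nat("68.134.255.4", forwards={80: ("192.168.1.100", 80)})
    results["forwarded_http"] = linksys.inbound(("198.51.100.20", 51000), 80)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

In this model, a connection from outside reaches an inside host only where a static forward exists on the NAT device itself; the dynamic mapping created by an outgoing ssh session admits nothing but that session's replies.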
 
Old 05-01-2002, 01:50 AM   #11
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Just to backtrack... didn't you say you were connected to a router?
If so, then yes, you will always have the same IP address because routers assign them (correct me if you aren't connected to one). And your last post kinda lost me because I'm not used to using netstat or traceroute much at all; I just use ifconfig and ping for my networking issues, they usually tell me what I want to know. But yeah, if you are connected to a router then your IP will be static, but the dynamic IP is the IP assigned to the router by your ISP.
 
Old 05-01-2002, 02:13 AM   #12
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
Sorry for not being clear; I'm connected with a DSL Cisco 677 modem to my phone line (my phone provider is also my Internet provider). All the intermediate steps you see in the traceroute results belong to servers on the ISP network.

traceroute essentially sends messages to remote hosts and traces the route (hence the name) through every host it encounters until it arrives at the targeted host.

Hano
 
Old 05-01-2002, 11:12 PM   #13
growler
Member
 
Registered: Apr 2002
Posts: 84

Rep: Reputation: 15
dns2go

I use this free service to access my home LAN from the outside, even though I have a dynamic IP address from my ISP. Works great! Just ssh to your new dns2go URL, and off you go.

Plus, they have a Linux client too! Works great.

(Sorry to sound like an ad, but I've been using this service for a while now, and it helps a lot.)
 
Old 05-02-2002, 02:07 AM   #14
Hano
Member
 
Registered: Sep 2001
Location: Venezuela, Caracas
Distribution: RedHat 9.0
Posts: 196

Original Poster
Rep: Reputation: 30
Hey! It looks like a solution! But tell me something:

1) If you ssh / rsh / telnet / ftp / sftp to the domain name they give you (deerfield), can you log on to your box?

2) Is it free or does it have a fee?


Hano
 
Old 05-03-2002, 02:56 AM   #15
growler
Member
 
Registered: Apr 2002
Posts: 84

Rep: Reputation: 15
Quote:
Originally posted by Hano
Hey! It looks like a solution! But tell me something:

1) If you ssh / rsh / telnet / ftp / sftp to the domain name they give you (deerfield), can you log on to your box?

2) Is it free or does it have a fee?


Hano
1. yes, I do it all the time: ssh -2l user yoursite.com

(once you connect, ssh will ask if you want to accept the keys from that site - say yes, and off you go. then, a few days/weeks later, when you get a new ip from your ISP, and you connect again, ssh will ask again if you want to accept the keys, because the ip address has changed. that's it!)

2. free for non-commercial use

have fun!

(you can use the same domain name you get from them to make any kind of internet connection: ssh, ftp, http, etc. also, there are a few other sites that offer the same type of service - if you don't like deerfield for some reason, I'm sure you'll be able to find another.)
 
  



All times are GMT -5.
