LinuxQuestions.org
Linux - Networking
Old 04-07-2011, 12:56 AM   #1
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

RH9 system accessible from LAN, not from internet


Hi guys

I've got a RH9 system on an intranet, behind a router, at home.

I can access it just fine from the intranet, when we're all behind the router in the house. I can SSH, view webpages off its Apache instance, etc.

I want to access this machine from work. As an experiment, I forwarded port 22 and 80 on my router, for SSH and HTTP access to the machine. I got my router's current IP at that time (my ISP assigns dynamic IPs, I'm just testing...) which only changes when you switch the router off and on (it then gets a new IP each time).

However, I cannot get the Linux machine to respond either on 22 or 80. I then tried to access IIS7 running on my Windows 7 machine from work (obviously using the same router and temporary IP) at the same time, and that worked 100%. (I've got an assistant at home to help.)

E.g. my router is correctly configured, and if I know its external IP at that time, I can freely use it to access my Windows 7 machine's IIS instance, over the internet.

Any idea why my Linux machine refuses to communicate? I did a tcpdump on the Linux machine, and you can see me coming in over the router (some packets are listed that come from my work IP address) when I try both HTTP and SSH access on it. The packets are very few though, much less than when, for example, I come into the machine on the intranet in my house into port 22 or port 80.

So the router is definitely correctly configured and forwarding packets sent from "outside" to the correct ports.

Why does my Windows 7 machine respond normally on HTTP when I access it over my home router from work, but the Linux machine does receive at least some packets, but semantically it never responds?

I'm not running any form of firewall on the machine, I've already turned iptables off just to try and get this working.

Thanks!
 
Old 04-07-2011, 06:52 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by rylan76
I've got a RH9 system on an intranet, behind a router, at home.
Um, no, you don't want to expose this to the internet. RH9 is ancient, obsolete, unpatched and suffering from a whole host of security issues. Please, for the sake of the rest of us already putting up with hordes of spam-spewing zombies, if you want to experiment like this put a modern supported distro on that machine before allowing outside access.
 
Old 04-07-2011, 11:48 PM   #3
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Maybe the firewall of your RH9 is configured to allow access only from your internal network?

And I too support what Hangdog42 said about using a more recent distro.
 
Old 04-08-2011, 03:20 AM   #4
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Original Poster
Ok, I've managed to get hold of another system with FC11.

I also changed to a completely different locale, with a different router made by a different company.

It is still the same ISP (Telkom South Africa) but with another ISP account completely as well. Still on copper (ADSL) but in a completely different part of town.

I'm having the exact same issue here too... forwarded the relevant ports just like on the "first" router I was experimenting with. I wonder if this is something the ISP explicitly blocks on its network? E.g. not allowing its DSL end-subscribers to transfer SSH packets somehow?

How can I then still SSH "out" to online machines?

The most baffling part is that a Windows 7 machine at the new locale is also reachable, just like the other one at the first locale was reachable - but the Linux machine again refuses to play ball.

I know of the security issues, but I disabled iptables and SELinux on this FC11 machine too, just to test (I'll put it back, no worries) - still nothing...

Thanks for the responses!

Regards,
 
Old 04-08-2011, 03:24 AM   #5
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Original Poster
Quote:
Originally Posted by Valery Reznic
Maybe the firewall of your RH9 is configured to allow access only from your internal network?

And I too support what Hangdog42 said about using a more recent distro.
That's the thing - it shouldn't be able to tell if a packet is coming in from my intranet versus the internet should it?

Here's my rationale.

The router at my "first locale" is also my switch - it has integrated Ethernet ports which I use. If I SSH from machine A on my LAN, say, with IP 192.168.0.4, the packets "come from" 192.168.0.4, which is fine and dandy, it is in the local subnet so the Linux machine responds and I can SSH into it (its IP is 192.168.0.1).

Now, if the SSH packets are generated by 192.168.0.2 (the router) shouldn't it behave in exactly the same way as it does if the SSH packets come from 192.168.0.4?

How does it "detect" that something comes from the local network (vs. the internet) if all it has is IP addresses that are all still in the same subnet?

Does forwarding of a port on a router though MEAN that forwarded packets still retain their original originating IP, and do not acquire the router's internal IP if they get transferred "inside"?

Sorry, big noob on this.

Thanks!

Last edited by rylan76; 04-08-2011 at 03:26 AM.
 
Old 04-08-2011, 07:27 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by rylan76
I'm having the exact same issue here too... forwarded the relevant ports just like on the "first" router I was experimenting with. I wonder if this is something the ISP explicitly blocks on its network? E.g. not allowing its DSL end-subscribers to transfer SSH packets somehow?
ISPs will frequently block commonly used ports. One way to test that would be to run SSH on a non-standard port, say something like 8022, and see if that allows a connection. You could get a little creative and have the router listening on a non-standard port, but forwarding to the standard port 22 on the SSH server.

Quote:
Originally Posted by rylan76
How can I then still SSH "out" to online machines?
Servers don't necessarily send outbound traffic on the same ports they are listening on. If you were to establish an SSH connection to a remote machine and then look at the netstat output, you'll see the outbound connection is probably coming from a high port number.

Quote:
Originally Posted by rylan76
The most baffling part is that a Windows 7 machine at the new locale is also reachable, just like the other one at the first locale was reachable - but the Linux machine again refuses to play ball.
OK, this may blow the ISP blocking idea out of the water. If you can reach your Win7 machine from the outside, then obviously the ISP isn't blocking traffic (at least on port 80 if I understand what you're doing), and your port forwarding is working. Unfortunately, that means you're going to have to do some digging into the log files to see if either the SSH server or the web server are complaining.

Quote:
Originally Posted by rylan76
That's the thing - it shouldn't be able to tell if a packet is coming in from my intranet versus the internet should it?
Technically, yes it can, but unless you've set up a firewall or tcp wrappers to do something about it, neither SSH nor Apache should care. Just to be sure, double check that your firewall is actually down and have a look at your /etc/hosts.allow and /etc/hosts.deny files to see if anything there might be causing an issue. You also might have a look at your SSH and Apache config files and see if they are blocking any traffic.

Quote:
Originally Posted by rylan76
Does forwarding of a port on a router though MEAN that forwarded packets still retain their original originating IP, and do not acquire the router's internal IP if they get transferred "inside"?
The original IP should be retained for external traffic, but I think that for internal traffic, it depends. If I access my web server using the domain name, my router's WAN IP address shows up in the Apache logs, but if I access it directly using the LAN IP, then the LAN address of the requesting computer is in the logs.

By the way, while FC11 is a nice step up from RH9, it is still obsolete and I believe unsupported. FC14 is the current issue and you really, really, really want to have a fully supported OS on any box you're exposing to the Internet. If you want to have this as a long term server, you don't want a fast moving distro like FC. Something like CentOS/RHEL, Debian, Slackware or one of the *buntu LTS releases is a much better choice.
 
1 members found this post helpful.
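An added example, not from the thread, of the /etc/hosts.allow and /etc/hosts.deny check Hangdog42 recommends above: a small Python model of the TCP-wrappers decision order, run against constructed sample files that admit sshd and httpd only from 192.168.0.*. Because a forwarded packet keeps its original source address, the same rule that lets a LAN client in refuses a client arriving from the internet, which is exactly the symptom described in the thread; the sample file contents and the 203.0.113.5 client address are constructed.

```python
"""TCP-wrappers style access decision, as libwrap evaluates it:
a match in hosts.allow grants access, otherwise a match in hosts.deny
refuses it, otherwise access is granted. Supports ALL, exact IPs, dotted
prefixes ("192.168.0."), CIDR/netmask forms and one EXCEPT clause."""
import ipaddress

# Constructed sample files (not from the thread): a typical "LAN only" setup.
HOSTS_ALLOW = "sshd, httpd : 192.168.0.\nALL : 127.0.0.1\n"
HOSTS_DENY = "ALL : ALL\n"

def _parse(text):
    """Yield (daemon_list, client_list) pairs, skipping comments and blanks."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2:
            yield [d.strip().lower() for d in fields[0].split(",")], fields[1]

def _client_matches(pattern, ip):
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):            # dotted prefix, e.g. "192.168.0."
        return ip.startswith(pattern)
    if "/" in pattern:                   # 10.0.0.0/8 or 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return ip == pattern

def _list_matches(client_list, ip):
    """'A, B EXCEPT C' matches when A or B matches and C does not."""
    include, _, exclude = client_list.partition(" EXCEPT ")
    hit = any(_client_matches(p, ip) for p in include.split(","))
    if hit and exclude:
        hit = not any(_client_matches(p, ip) for p in exclude.split(","))
    return hit

def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow' | 'deny', rule that decided it) for daemon <- ip."""
    daemon = daemon.lower()
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in _parse(text):
            if ("all" in daemons or daemon in daemons) and _list_matches(clients, ip):
                return verdict, f"hosts.{verdict}: {', '.join(daemons)} : {clients}"
    return "allow", "no rule matched (default allow)"

if __name__ == "__main__":
    # Same sshd, same forwarded port: the LAN client passes, the internet
    # client (constructed address 203.0.113.5) is refused by hosts.deny.
    for client in ("192.168.0.4", "203.0.113.5", "127.0.0.1"):
        print(client, *hosts_access("sshd", client))
```

Run it against the real files on the box by passing their contents as allow_text and deny_text; a "deny" for the work IP with an "allow" for a LAN IP points at wrappers rather than the router.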
Old 04-09-2011, 03:17 PM   #7
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Original Poster
Thank you very much for your long and detailed reply.

You've given me some things to try at least. I'll go and play around and see what I can come up with.

Thanks again for the advice.

Much obliged!
 
Old 04-10-2011, 12:32 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Does the internet side of your modem have an Internet IP address, or is it in one of the private ranges? Some DSL ISPs issue IP addresses in a private range, which means you are behind their NAT router as well, and traffic originating from outside the ISP's network can't initiate a connection.

The ports that are normally blocked by an ISP are the ones used for email (to cut down on spam from infected computers) and the ports for Windows file sharing.

Last edited by jschiwal; 04-10-2011 at 12:34 AM.
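An added check, not from the thread, for the question jschiwal raises above: whether the router's WAN address lies in private or carrier-grade NAT space, in which case no port forwarding on the home router can let internet traffic in. It assumes you can read the WAN address off the router's status page and obtain the address an outside host sees your connection coming from; every address in the block is constructed.

```python
"""Can inbound port forwarding work at all from this router's WAN address?

A forwarded port is only reachable when the router's WAN side holds a real
public address. If the ISP hands out RFC 1918 space or 100.64.0.0/10
(RFC 6598 shared address space for carrier-grade NAT), the router sits
behind the ISP's own NAT and nothing on the internet can open a connection
inward; the forwarding rule on the home router never sees the packet."""
import ipaddress

# WAN-side ranges that are not reachable from the internet. 100.64.0.0/10 is
# checked explicitly rather than relying on ipaddress' is_private/is_global.
NOT_REACHABLE = (
    ("RFC 1918 private", ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    ("RFC 6598 carrier-grade NAT", ("100.64.0.0/10",)),
    ("link-local (no lease from the ISP)", ("169.254.0.0/16",)),
)

def classify_wan(addr):
    """Label a WAN address: 'public' or the name of the non-reachable range."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NOT_REACHABLE:
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def forwarding_feasible(router_wan_ip, observed_ip):
    """router_wan_ip: the address shown on the router's status page.
    observed_ip: the address an outside host sees your connection come from
    (what a 'what is my IP' service or the remote end's sshd log reports).
    Returns (feasible, reason)."""
    kind = classify_wan(router_wan_ip)
    if kind != "public":
        return False, f"router WAN address {router_wan_ip} is {kind}: ISP NAT in the path"
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_ip):
        return False, (f"router shows {router_wan_ip} but the internet sees "
                       f"{observed_ip}: another NAT in the path")
    return True, f"{router_wan_ip} is public and matches what the internet sees"

if __name__ == "__main__":
    # Constructed addresses: a CGNAT lease, then a public one (198.51.100.7).
    for wan, seen in (("100.72.3.9", "198.51.100.7"), ("198.51.100.7", "198.51.100.7")):
        print(wan, "->", *forwarding_feasible(wan, seen))
```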
 
  

