LinuxQuestions.org - Linux - Networking
Router headaches (https://www.linuxquestions.org/questions/linux-networking-3/router-headaches-34673/)

hotrodowner 11-05-2002 05:56 PM

Router headaches
 
My Linux server is on my school's network, but I want to access it at home. There is a router between the school's LAN and the Internet. The only way to access the server is to be on the school's side of the router. My school uses a local class A address range internally (e.g. 10.*.*.*). How can I get through the router to contact my server from home?

trickykid 11-05-2002 06:32 PM

Get with the admin and see if he can open up a port or service, etc. for you. There's no other way, well, probably there is, but that is something we don't tell people how to do here.

hotrodowner 11-05-2002 08:08 PM

I know what ports are open, but I don't know how to go through them to an inside IP address. I want to go through the router on the open port 22 and sftp to my server, which has IP 10.4.0.17.

Mephisto 11-05-2002 08:18 PM

Since the address is in a non-routable subnet, the only way I could think of to access the machine behind the NAT/router remotely would be to have the school network administrator set up something for you, i.e. when the NAT gets a request on port 1025, forward it to 10.4.0.17:22.

hotrodowner 11-05-2002 08:24 PM

How does a web site I accessed forward packets through the router to me? If they can get through to my port 80, why can't I get through to port 22? (PS: the system administrator is in another county.)

trickykid 11-06-2002 12:14 AM

Quote:

Originally posted by hotrodowner
How does a web site I accessed forward packets through the router to me? If they can get through to my port 80, why can't I get through to port 22? (PS: the system administrator is in another county.)
Because different services are using different ports. Your admin might have port 80 opened and forwarded for the website that server is running, but that doesn't mean you can telnet or ssh into that same server on port 22, because it's most likely blocked or not forwarded to that IP on the network. If your admin has port 22 open, most likely he just has to make it so the request through that port is forwarded to your 10.x.x.x IP or whatever.

terryfunk 11-06-2002 01:26 AM

There is another open source way to accomplish this. It is called httptunnel. As the following website states, it creates a bi-directional connection through port 80:

http://www.nocrew.org/software/httptunnel.html

manaskb 11-06-2002 07:43 AM

My thoughts on this. You are using NAT (private IP address 10.x.y.z), so you will not be able to access this IP address from a remote system outside your LAN.

Now, what kind of router do you have between your server and the Internet? Check if your router supports port forwarding. If it does, your problem is solved.

If you have port forwarding, let me know I can help you out in this.
-Manas

trickykid 11-06-2002 08:23 AM

Quote:

Originally posted by terryfunk
There is another open source way to accomplish this. It is called httptunnel. As the following website states, it creates a bi-directional connection through port 80:

http://www.nocrew.org/software/httptunnel.html

Did you read his first post, the actual question, and the rest of the posts? He doesn't need anything for HTTP, port 80 or the like; he wants direct access, like ssh or telnet, to log in to his machine.

But apparently no one is reading my posts, or hotrodowner's, either. He is not the admin of the router; until the router is configured to do this, it won't happen or work, most likely.

hotrodowner,

The first thing for you to do is to get with your ADMIN on this. There isn't anything you can do at this point until then, unless you have actual access to the router, which for a school, and you're a student, I wouldn't think so.
If your school is behind that router, which I presume has a firewall along with it, only the admin will be able to set this up so you can have direct access to the server you're speaking of. Unless he doesn't give you direct access, which would totally make sense as a security-type issue. So get with him/her and let them know what you want to do. They'll either say yea or nay.

hotrodowner 11-06-2002 05:08 PM

so the only way to make contact with an internal IP is to have the router's table set to forward on a certain port to it?

Mephisto 11-06-2002 08:12 PM

Correct.

There are three non-routable IP ranges: 10.0.0.0 (subnet mask 255.0.0.0), 192.168.0.0 (subnet mask 255.255.0.0), and I forget the third, 172 something. Regardless, if you have an address on one of these subnets then you cannot communicate directly with the routable IP network.

What happens is your machine communicates with a NAT (Network Address Translation) router/gateway. The NAT takes the request from the inner private address, then forwards it on to the net in general using its own outer routable address. As far as any machine in the routable IP range is concerned, the request came from, and is returned to, the NAT's outer address. When the NAT gets the response it can then forward it on to the original inner address.

Here is the crux of the problem: in order for a response to be forwarded to the inner address it must have been initiated from a machine inside the NAT. If the NAT gets a request (not a response, a request) for, say, port 1025, it has no way of knowing which of the machines inside the non-routable range to send it to. Remember, all communication from the outside world is actually going to one IP, the NAT's outer address, and then forwarded to any of the machines with non-routable addresses.

The way to get around this problem is port forwarding. In essence you are telling the router/gateway "When you get a request on port X, send that on to machine ###.###.###.### on port Y", where ###.###.###.### is a machine on the inner network.

So, the only viable way of directly communicating with your server is if you have the administrator set up port forwarding for you. Keep in mind the requested port on the NAT and the destination port on your inner machine do not have to be the same. I usually only allow forwarding from the unprivileged range of IPs.

DISCLAIMER: This is actually a bit of a simplification, though I made it as accurate as I could. Also, to quell the peanut gallery, there are other ways of establishing the connection (a relay being the most obvious), but if you want to do it directly and with minimal aggravation of the network administrator, port forwarding is it.

I hope that clarifies things.

Edit: content modified to clarify IP ranges/subnet masks

hotrodowner 11-07-2002 10:42 AM

Does anybody know how to make a school district's computer administrator listen to a high school senior?

trickykid 11-08-2002 08:52 AM

Quote:

Originally posted by hotrodowner
Does anybody know how to make a school district's computer administrator listen to a high school senior?
Money always works.. or a bribe, try to find something dirty on'em and threaten to tell the School Superintendent... ;) Just kidding.

Just present to them what you want to accomplish, know the pros and cons of the task and the work. Outsmart them; making them see that you know what you're talking about might be one way to convince them.

But not sure though.. Been out of school for way too long it seems.

Mephisto 11-08-2002 09:11 AM

Not to show my age but we did not have internet connectivity at school when I was in high school. Good luck though.

trickykid 11-08-2002 11:21 AM

Quote:

Originally posted by Mephisto
Not to show my age but we did not have internet connectivity at school when I was in high school. Good luck though.
Yeah, we had computer labs with just several connected, but most of the time we didn't have access to them when I was in school. I do remember in 6th grade, though, it was cool being in a computer lab class where we learned how to program in, I think it was, GW-BASIC. Ah well. Yeah, forgot to tell you: good luck with the admin.

Mephisto 11-08-2002 12:51 PM

The computer lab at my high school had Apple IIe's, a couple of Apple II+'s and 2 pc's (386 or 486). None of which were networked.

The computer classes were in Basic, but by my senior year I was coding in Assembler. C was too eclectic to get a compiler for.

:D

peter_robb 11-08-2002 03:29 PM

You will find that the only way to be trusted is by being honest, all the time...

And unfortunately that doesn't always look cool...

Your school admin will have his reasons for not letting you get a foot in a door that he will lose control of...
There are libraries full of hindsight on this one.
And the price for getting caught doing it the sneaky way can be long lasting.
I'm sure the admin and the students each think the other is the bad guy.

So I'd advise you to relax and look at the school as another one of those places where you don't have privileges. Their money, their choices...

Of course, keep learning, and quickly, but in a different venue with your rules...

hotrodowner 11-11-2002 05:17 PM

Y'all make me look bad. I didn't learn how to use QBASIC till I was a freshman, and then it was because I needed it on a boot disk to use EDIT.COM!! Well, I wish I knew more about programming than I do. I've tried to learn C, and then Java, but the brackets () and source code structure are hard for me to learn. Anyway, I think I'll ask my computer teacher to ask the administrator for me. He thinks I'm a genius because I got my Linux server set up with SFTP (SECURE!!! WOO-HOO!!). Thanks for the help!

Mephisto 11-11-2002 06:37 PM

Don't feel bad. The main reason I started learning programming in the first place was so that I could get time in the computer lab to play Tai Pan when the librarian was not looking. :) (The lab was in the library.)

But stick with it and you will get the hang of it. Programming is 50% study, 50% attention to detail, and 50% patience. Math helps too. :D

iamnotherbert 11-11-2002 10:08 PM

Ahhh grasshopper... An avenue to investigate is a vpn connection out of the school network to your computer at home. Then you can connect to your school pc's services from home over the vpn tunnel..

Worth a shot..

-d

hotrodowner 11-12-2002 07:20 PM

How do I create a virtual private network connection in Linux and connect to it in Windows?

Mephisto 11-12-2002 07:46 PM

While setting up a VPN or some other form of tunnel is a possibility make sure to get permission first. If the Network supervisor finds out about it and it comes down that no one in authority knew about it you could be in for a lot of trouble. Network administrators don't have a sense of humor about these things.

Again if you want to do it above board, port forwarding is your best bet. If you get permission to try and connect using whatever means are at your disposal then let us know and someone here can probably point you in the right direction.

Edit: Please help me I am starting to sound like my parents!!! I am not ready to be responsible!

Mephisto 11-12-2002 08:33 PM

I decided to throw caution to the wind.. a little. There are a number of ways to set up a bi-directional tunnel such as you need. I will explain how to do it with OpenSSH which will do nicely.

First, on your Windows box you will need to install Cygwin. Cygwin is in essence a POSIX shell for Windows, which allows you to do a number of nifty things, but the main one for our purposes is to allow sshd to run on your Windows box. Do a Google search for sshd and Cygwin and you will get a number of how-tos on setting up sshd.

Once sshd is running on your Windows box, from your Linux box inside the firewall you can call the Windows box and tell it to forward certain ports on the remote box (Win) to certain ports on the local box (Lin) and vice versa. man ssh on your Linux box will explain the port forwarding; the options to focus on are -L and -R.

Provided you can get permission from anybody (even your teacher), if you get stuck drop another note and I will help further. Somebody else may help regardless, but I have a conscience to soothe.

hotrodowner 11-13-2002 04:28 AM

Don't worry about permission. I have it from both my CET teacher and my CISCO teacher. I just can't get the system administrator to forward the packets because they think almost all students are stupid, and those that know anything about computers want to destroy them. (Despite the fact that I fix the computer problems on the campus after school.) Well, I think it would be a good learning experience because my CET teacher heard about VPNing but didn't understand it. I will get back to you (plural) with the results as soon as possible. Thanks for the help so far!!

Mephisto 11-13-2002 06:50 AM

What I am suggesting is not a true VPN, though I suppose it is close enough not to matter. If you want to do a true VPN, IPsec is one option. I use an (expensive) commercial solution, so my experience of doing IPsec by hand is limited.

Set up Cygwin and try to get sshd working at a minimum. Also, if you don't already have one, set up a firewall on your Win box that you can selectively block ports on. Read up on port forwarding a bit as well if you really want to learn; I could walk you through it all but you won't learn as much.

hotrodowner 11-13-2002 05:56 PM

Actually, when it comes to learning, if I'm left with a book's worth of info then I will usually give it a good effort, but it is usually too much at a time, so I just give up. If someone talks me through the basics, and I see that it worked when I did it, then I have the understanding to understand what I am reading. Then I will learn A LOT faster and understand it better.

So, you're suggesting that the administrator tells the router to forward the packets to my server and then I can ssh to it? I don't think I understand what you are saying. I need to get through the router and communicate between my home computer and the server, in both directions, without packet forwarding.

Mephisto 11-13-2002 07:06 PM

No, here is what we will be doing, and the administrator can go hang, if you will pardon the expression. We will call your Linux box "L" and your Windows box "W." From L you are going to call W and say "When you get a request on your IP for port 8088 I want you to take that request and go ahead and give it to me (L) through this tunnel (SSH) I created; I will then treat that request as if it came across port 21 (FTP control)." Better yet, Read This and see if you follow what they are talking about. We are simply going to reverse the procedure and set the remote machine's port 8088 to forward to 21 on the local (-R instead of -L).

Right now I am concentrating on FTP, but is there a specific protocol (HTTP, FTP, etc.) you wanted? Another thing to keep in mind is that I cannot categorically state this will work; I understand networking fairly well, but I have never tried to do this through a NAT initiated from the server. I will give it a go this weekend as a sanity check; I have everything I need between home and work but can't play around with it during business hours. The biggest risk is what will happen if DHCP reassigns the IP address. I'm not sure.

Here is another choice from an older thread. Or we could try a different VPN. Finally, there is the HTTP tunnel mentioned earlier. An HTTP tunnel is very similar in nature to the SSH tunnel I am describing. Since you have gotten permission, I am willing to help you try whichever you like until you get tired of trying.

I leave it up to you: check each option out, or find a different one, and tell me how you would like to proceed. :study: It depends a lot on what you need the connection for. SSH is the easiest for me; others may give you more power. In the meantime I will see if I can find something that explains TCP/IP port communication in terms that are not painfully obscure.

The way I have gotten around this (from my home system behind a NAT on a cable modem) is to have my NATed machine connect to a known relay in JXTA, and then when I get into my office I open the peer and create a tunnel in JXTA. If the code for the tunnel worked right I would even suggest this route. But it will be months, maybe a year, before I consider it functional. But since I have only been working on the code for maybe 5 or 6 hours I felt a need to brag. :D

I think we are down to the two of us, BTW... I have this instinctive fear someone else might have a better idea but has given up on the thread. Oh well, insecurity is its own reward. Easily the longest I have stuck with a thread, though.

Mephisto 11-13-2002 08:12 PM

Not to cloud the issue with the facts, but on another thread Stickman mentioned CIPE, which actually looks like a good solution to your problem. I never looked into it before, but it looks sound and has a Win32 version. The CIPE author also argues convincingly against the SSH tunnel method that I am recommending...

hotrodowner 11-14-2002 08:06 PM

I had time to think yesterday (about 4 hours!!) and I thought of the following idea:
1) set up a VPN server on Windows XP at home
2) set up a VPN share at school (on a Windows XP machine), and connect to the one at home through the Internet
3) set up OpenSSH on both XP computers (for use with SFTP and the telnet replacement)
4) go home and backtrack through the VPN tunnel with ssh.

I have one question though; I have never used a VPN before. Will I be able to access the entire school network from the VPN connection, or is it just to the XP machine directly connected? In other words, will I be able to access the other machines attached to the network of the computer that is VPN'ing mine? If it won't go to other computers, that's OK, I'll just ssh to the XP machine, then sftp to my server, and then sftp to the XP machine. It seems long, but I think it would work.

Mephisto 11-15-2002 01:46 PM

You won't need SSH if you set up a VPN connection. So all you will need to do are steps 1, 2, and 3, not counting the SSH part of 3. SSH using port forwarding performs the same basic thing as the VPN will, but only on one port.

Read up on installing CIPE (link in an earlier message) since that looks to be the most promising route. Install it on both the server and the Win32 machine and we will go from there.

hotrodowner 11-15-2002 02:44 PM

So, I still have to set up a VPN? Now I think I need some VPN troubleshooting, because I set Windows XP at home to accept connections, and Windows XP at school to connect, but the machine at school said it couldn't connect. I could access my FTP server from Internet Explorer, but I just couldn't get the VPN going, so I'm assuming that the VPN connection is the problem. It could also be a blocked port on the router, but that is unlikely. I don't have a firewall enabled on either computer. I am now going to try a Windows XP VPN how-to (the one in the help index said it was an unknown code). Wish me luck!!

Mephisto 11-15-2002 03:52 PM

You will either need to set up a VPN or SSH but not both. What VPN are you using?

To determine whether a particular port is blocked/available, try this. Think of it as ping on steroids. This is a Win32 application. nmap in the Linux world does much the same thing.

hotrodowner 11-17-2002 08:23 AM

How do I connect using SSH if I can only talk to the router and it doesn't let me in?

By the way, (with VPN) will I be able to access computers on the same network as the CLIENT? I know the client can access the server's, but can the server access the client's LAN?

Mephisto 11-20-2002 06:39 PM

Quote:

Originally posted by hotrodowner
How do I connect using SSH if I can only talk to the router and it doesn't let me in?

By the way, (with VPN) will I be able to access computers on the same network as the CLIENT? I know the client can access the server's, but can the server access the client's LAN?

Sorry about the delay. Had to go onsite with a client for a few days.

As far as how you connect with SSH: you can connect using SSH (or VPN, for that matter) because you will be initiating the connection from the machine behind the router. Then when you get home you will use the already established connection to bypass the NAT.

In the case of a VPN the initiator of the tunnel effectively becomes part of the LAN segment at the destination, i.e. your Linux box as the initiator will become part of the LAN segment that the Windows box is on and will be able to access things on that segment, if you do not restrict access through the VPN. It would probably be wise to restrict access, though.

hotrodowner 11-20-2002 06:51 PM

I am unable to establish a VPN because the VPN port is blocked. I don't understand how to backtrack through an ssh tunnel; as far as I know, the connection is one-way. If someone ssh'ed into my computer, I wouldn't even know it!! How can I backtrack to the host of the ssh connection when I am on the server?

Mephisto 11-20-2002 07:24 PM

Go to post 27 and read the page from the first link. That explains what I am suggesting, except we will be reversing the port forwarding, i.e. from the remote to the local rather than from the local to the remote.

hotrodowner 11-20-2002 07:33 PM

I don't mean to be a bother, but I don't think I understand what I'm reading. This article says that I can forward packets on the localhost to those on a remote host. I can't even see the computer around the router; how do I forward connections to a port if the computer can't even be seen? I can see mine from inside the network, but I can't see the school computer from outside the network. I need access to the computer's IP address, then I can handle it. Can I change the port VPN uses on the client and server?

Mephisto 11-20-2002 07:46 PM

Quote:

Originally posted by hotrodowner
I don't mean to be a bother, but I don't think I understand what I'm reading. This article says that I can forward packets on the localhost to those on a remote host. I can't even see the computer around the router; how do I forward connections to a port if the computer can't even be seen? I can see mine from inside the network, but I can't see the school computer from outside the network. I need access to the computer's IP address, then I can handle it. Can I change the port VPN uses on the client and server?
What I am suggesting is that you can forward the packets from the remote host to the local host. The reason you can do this is because the local host, not the remote, established the connection. And yes, depending on the VPN solution you are using, you could change the port it uses.
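
Mephisto's point here, and his NAT explanation earlier in the thread, can be seen running rather than argued about. The following small simulation is an added example; it is not code from the thread and not how OpenSSH is implemented. Three roles all run on 127.0.0.1 with OS-chosen ports: a stand-in for sshd on the school box, a "relay" playing the home box (the job sshd does there for -R), and an "agent" playing what ssh -R does on the school box. There is no real NAT in between, which is the point: the only property it relies on is that every connect() is made from the inside, the direction a NAT already permits, so a user connecting to the relay's public port ends up talking to the inside service without the router ever needing a rule for 10.4.0.17. The one-byte control protocol is constructed for the demo.

```python
"""Reverse-tunnel mechanism: the inside host dials OUT; the outside host hands
inbound clients back through what the inside opened.  Added demo, not thread code."""
import socket
import threading

REQUEST_CHANNEL = b"\x01"   # constructed one-byte control protocol for this demo


def listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))        # loopback, OS-assigned port
    s.listen(8)
    return s


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def splice(a, b):
    """Bridge two sockets in both directions."""
    threading.Thread(target=pump, args=(a, b), daemon=True).start()
    threading.Thread(target=pump, args=(b, a), daemon=True).start()


def read_line(sock):
    buf = b""
    for ch in iter(lambda: sock.recv(1), b""):
        buf += ch
        if ch == b"\n":
            break
    return buf


def start_inside_service():
    """Stand-in for sshd on the school box (10.4.0.17:22 in the thread):
    sends a banner, then echoes whatever it receives.  Returns its port."""
    srv = listener()
    def handle(conn):
        conn.sendall(b"SSH-2.0-inside-demo\r\n")
        pump(conn, conn)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_relay():
    """The home box.  It never dials in: it waits for the agent, then pairs
    each 'public' client with a channel the agent dials out to it."""
    control, data, public = listener(), listener(), listener()
    def run():
        agent, _ = control.accept()          # the one connection from inside
        while True:
            client, _ = public.accept()      # home user: ssh -p 513 127.0.0.1
            agent.sendall(REQUEST_CHANNEL)   # ask the inside for a channel
            chan, _ = data.accept()          # inside dials out again: NAT-safe
            splice(client, chan)
    threading.Thread(target=run, daemon=True).start()
    return tuple(s.getsockname()[1] for s in (control, data, public))


def start_inside_agent(control_port, data_port, service_port):
    """The school box, doing what `ssh -R` does: only outbound connect() calls."""
    ctl = socket.create_connection(("127.0.0.1", control_port))
    def run():
        while ctl.recv(1) == REQUEST_CHANNEL:
            chan = socket.create_connection(("127.0.0.1", data_port))
            svc = socket.create_connection(("127.0.0.1", service_port))
            splice(chan, svc)                # tunnel channel <-> local service
    threading.Thread(target=run, daemon=True).start()


def demo(message=b"hello from home\r\n"):
    """Bring up all three roles, connect as the home user, return (banner, echo)."""
    service_port = start_inside_service()
    control_port, data_port, public_port = start_relay()
    start_inside_agent(control_port, data_port, service_port)
    home = socket.create_connection(("127.0.0.1", public_port))
    banner = read_line(home)
    home.sendall(message)
    echoed = read_line(home)
    home.close()
    return banner, echoed


if __name__ == "__main__":
    print(demo())
```

Real ssh -R differs in one important way: all channels are multiplexed inside the single encrypted TCP connection instead of being dialed out one per client, so the NAT only ever sees one outbound connection, and the listener on the home side binds to 127.0.0.1 unless GatewayPorts is enabled in that machine's sshd_config. The relay above also pairs clients with channels in arrival order, so simultaneous clients are served one after another.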

hotrodowner 11-20-2002 08:13 PM

So you're saying I can connect to the outside computer from inside the network (by logging on to it with ssh), and then physically go to the outside computer, start ssh, and log on to the computer protected by the router?

hotrodowner 03-23-2003 02:18 PM

I think httptunnel might be a good idea, by what I think I understand about it. My situation now is that I need to get to an FTP server inside the school. I figured if I could figure out how to use this software, then I could set up a server on the outside, a client on the inside, and then connect to my home computer from the inside, go home, and then ftp to my computer at school. Does anyone know how to use this software, or have another good idea for accomplishing this?

DavidPhillips 03-23-2003 11:38 PM

I think I would go with ssh if you need a shell login.

The only way I can see it working reliably is for the router to do port forwarding to your internal system.

If you can do that then the ssh connection to the Internet address will be forwarded to your internal system.

The other way would not require the router to be configured for port forwarding. However, the internal machine would need to make the connection and establish a remote forward of a local port. It would also need to check the connection and, if the connection was lost, it would need to reconnect.

This would in a sense make the internal machine the client and your home system the server.

If the connection is made and a local port on the client is forwarded to the server's local port, then a connection to the client can be made locally on the server.

DavidPhillips 03-24-2003 01:03 AM

For the connection itself this will work...

First let's set up ssh to run on two ports, one for normal ssh and the other for the remote connection.

I use port 513 because it's available on my systems.

On the internal machine...

I assume sshd is already running and working on the normal port.

Start sshd on port 513...

Code:

# on the internal machine, as root: a second sshd instance on 513
# (use the absolute path; sshd refuses to start without one)
/usr/sbin/sshd -p 513

Now connect to the ssh server on the machine available on the Internet, and forward port 513...

Code:

# on the internal machine: the home box's port 513 (bound to loopback by default)
# is tunnelled back to this machine's port 513 over the outbound ssh connection
ssh -R 513:localhost:513 www.yourhomeserver.com

You can use the IP address of your machine at home in place of www.yourhomeserver.com if you have no domain name.

Now you will have the connection established.

On the home machine...

Code:

# on the home machine: port 513 on 127.0.0.1 is the entrance to the tunnel
ssh -p 513 127.0.0.1

The login prompt will be from the internal machine.

Once the connection is established you will be logged into the machine inside the router. Any file transfers between the two machines can be started from the internal machine using ftp or whatever. The home server will be acting as an FTP server or SFTP server, etc.

You can set up sshd to come up on port 22 and 513 in the

/etc/ssh/ssh_config file

You will probably want to set this up to use certificates instead of passwords, so you can do the connection from a script on the internal machine.

You will need a script on the internal machine that runs the ssh command, checks for the connection, and keeps retrying the connection when it fails.

Having a domain name for the home machine would be best. That way, if your IP address changes for some reason, you can fix the domain name from anywhere and the connection will be resumed without having to access the internal machine to change the script.
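
DavidPhillips's recipe needs three things he only names: key-based login so the script can run unattended, a check that the remote forward actually bound, and a loop that reconnects. The following supervisor is an added example of that script; it is not the poster's code and the thread contains none. It builds the ssh command line from the options that make the recipe robust (all real OpenSSH client options): -N (no remote shell), BatchMode (fail rather than prompt, so only a key can log in), ExitOnForwardFailure (exit, and therefore retry, if the home box could not bind port 513), and ServerAliveInterval/ServerAliveCountMax (notice a silently dropped NAT mapping instead of hanging forever). The hostname, user name and key path are placeholders. Two facts from the server side that the post glosses over: the Port lines that make sshd listen on both 22 and 513 belong in /etc/ssh/sshd_config (ssh_config is the client's file), and the forwarded port on the home box binds to 127.0.0.1 unless GatewayPorts is set there, which for this use is exactly what you want.

```python
"""Supervisor for the reverse tunnel: the 'script on the internal machine' the
post above calls for.  Added example, not the poster's script; hostname, user
and key path are placeholders.  autossh does this same job in practice."""
import subprocess
import time


def tunnel_command(home_host, remote_port=513, local_port=22,
                   user="tunnel", key="/home/tunnel/.ssh/id_ed25519"):
    """ssh argv for `-R`, with the options that make the recipe robust.
    -N: no remote shell, the tunnel is all we want.  BatchMode: fail rather
    than prompt (keys only).  ExitOnForwardFailure: exit, so we retry, if the
    home box could not bind remote_port.  ServerAlive*: notice a dead NAT
    mapping within ~90 s instead of hanging forever."""
    return [
        "ssh", "-N", "-i", key,
        "-o", "BatchMode=yes",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-o", "ServerAliveCountMax=3",
        "-o", "StrictHostKeyChecking=yes",   # home host key already in known_hosts
        "-R", f"127.0.0.1:{remote_port}:127.0.0.1:{local_port}",
        f"{user}@{home_host}",
    ]


def next_delay(delay, cap=300):
    """Exponential backoff between attempts, capped at `cap` seconds."""
    return min(delay * 2, cap)


def supervise(argv, runner=subprocess.call, sleep=time.sleep,
              clock=time.monotonic, max_runs=None, stable_after=60):
    """Run argv, and rerun it whenever it exits.  If a run stayed up for at
    least stable_after seconds the backoff resets, so a tunnel that drops after
    hours comes back in seconds, while one that fails immediately backs off.
    Returns [(exit_code, seconds_slept), ...]; runner/sleep/clock are
    injectable so the loop can be exercised without a real ssh."""
    history, delay, runs = [], 5, 0
    while max_runs is None or runs < max_runs:
        started = clock()
        code = runner(argv)          # blocks for as long as the tunnel is up
        runs += 1
        if clock() - started >= stable_after:
            delay = 5
        history.append((code, delay))
        sleep(delay)
        delay = next_delay(delay)
    return history


if __name__ == "__main__":
    supervise(tunnel_command("www.yourhomeserver.com"))
```

On the home box, put the school machine's public key in the tunnel user's authorized_keys prefixed with `restrict,port-forwarding`, so that a compromise of the school box yields only the ability to open this tunnel, not a shell on your home machine.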

hotrodowner 03-25-2003 07:50 AM

I tried changing the port from 22 to 21, and internet explorer just gives me error messages. It worked for my web server on port 80, but not the ftp server. I just need to transfer files across it, I dont need remote logins.

DavidPhillips 03-25-2003 10:48 AM

you cannot do anything without port forwarding on the router.

The work around is the remote login. You can transfer files to and from anywhere on the internet once you are logged in.

hotrodowner 03-25-2003 11:13 AM

well, I can use the apache web server through the tunnel, so how can I make apache force a login to use it?

DavidPhillips 03-25-2003 01:32 PM

What tunnel?

Do you mean you have ssh connected and are forwarding port 80, and connecting to 127.0.0.1 on the client?

FTP is different from HTTP; it uses a random port to connect on.

All you need to do is use a remote login and then connect to your server on the Internet.

I guess you have no server on the Internet and want to access the internal machine using a Windows client. If this is the case you can set up HTTP upload using CGI or Perl, and you could set / or any other folder as the HTTP document root, so you can download anything you want to.

You need to make sure the server is only accessible from the local machine or this would be a gaping hole in your security.

The thing I am trying to say is that the best way to do this is to log in to the internal machine; then you can use any method you wish to transfer files and do anything else. This of course requires a server on the Internet to transfer files to. Otherwise this is going to become much more complicated. You are going to need to do a lot of configuration of the HTTP server to provide file upload functionality. If, however, you just want to get files from the internal machine, you can just download them. The problem is HTTP is a sloppy protocol for file transfer. Files should probably be put into some zip format before download so they can be verified on the other end when they are unzipped.

You might want to look into scp (a function of ssh) as a possible solution if all you need to do is transfer files.



hotrodowner 03-25-2003 01:53 PM

You see, I'm using a Windows version of OpenSSH to make a reversible connection. If FTP won't work, then I just need to configure Apache to only allow connections from people who have an account on both ends. You see, my teacher wants me to figure this out so he can download and upload files from home, but I don't want just anyone from inside the school to go to his website and download files from the My Documents folder. At least he would be able to download files with this.

DavidPhillips 03-25-2003 02:19 PM

OK,

You will need to set up Apache to do HTTP uploads and set the doc root or a virtual domain to a folder above where the files are.

You need to block all outside connections to the HTTP server.

The connection to localhost on the client is actually a connection to localhost on the server.

The other choice....
I think there is a Windows client for scp.
Have a look at PuTTY for Windows and see if it can do file transfers over the ssh connection.

DavidPhillips 03-25-2003 02:34 PM

PuTTY also has psftp, which works well for file transfer.

You would just use it to connect to the local machine on the forwarded port; it uses ssh.

hotrodowner 03-25-2003 03:59 PM

My teacher can't function without a GUI; don't ask me why he's our computer engineering teacher either. But he NEEDS a GUI. Do you know how to set those permissions in Apache? I don't mean to be so cumbersome.

