  1. #1
    Linux User
    Join Date
    Dec 2011
    Location
    Turtle Island West
    Posts
    417

    ISP blocks server ports. Is there a way to get around this?


    My ISP (Telus) blocks ports. I have vsftpd running and it works great on my LAN, but cannot be reached from outside. Ports are all forwarded, server's in the DMZ, blah blah. I used to get these things going for other people.

    I had a chat with a Telus tech and he said ports 20/21 are blocked for security reasons. I told him I'm not worried about security, could he un-block them please.

    He said, to quote, "Unfortunately no. It's not only with your account's security but with other's also. Many clients' computers are used as FTP servers to store illegal files and transfer viruses."

    Well, people use email to transfer illegal files and viruses too, and they don't block that.

    So I thought, "Well, screw them. I'll run on a strange port."

    So I set up vsftpd to use 2120 and 2121. Works great, from my LAN. But, from outside, instead of getting:

    "Access to this port is disabled for security reasons"

    I get:

    "Could not connect. FTP server may be too busy."

    And there's nothing whatsoever in the log file, so vsftpd isn't even seeing the connection attempt.

    Has anyone ever got this working? It seems pretty rude of Telus to tar everyone with the same brush, and it's not their job to decide what I do and don't do with my connection.

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,410
    I wouldn't work around that.
    Cancel the contract. Immediately.
    Because they are blocking legitimate use. ftp is merely a tool.
    Also the trust to this ISP is broken, as he implies -without reason- that you are a criminal.
    You must always face the curtain with a bow.

  3. #3
    Linux User
    Join Date
    Dec 2011
    Location
    Turtle Island West
    Posts
    417
    Yes. I agree completely, and your recommendation is _exactly_ what I've been pondering for the last few hours. But...

    Around here (Vancouver BC) we have 2 choices for internet: Shaw (cable network) and Telus (tel network). Outside of dial-up, of course, and you can't go back to dial-up once you have broadband. In order to have internet you must use one of these 2 providers, as far as I know. If someone knows differently, please pipe up.

    Now, it would be _very_nice_ if I could tell my modem/router who to talk to when it comes to DNS and stuff. But that's not possible. It talks to exactly who it's programmed to talk to and there is no way to change it. I can't even tell this router which address ranges I want it to poop out for my LAN.

    It's an Actiontec router:
    Model#: V1000H
    Serial#: CVGA1311803305
    MAC Address: A8:39:44:D3:48:C1
    Firmware Version: 31.30L.55

    And I know if I cancel my contract they're going to want the thing back.

    What would be nice is to buy a nice DSL modem/router that I can instruct in all things. Use the phone line, but talk to who I want to talk to, and not the Telus Nazis.

  5. #4
    awc
    Just Joined! awc's Avatar
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    If you can SSH into your LAN from outside then you can use sftp instead.

  6. #5
    Linux User
    Join Date
    Dec 2011
    Location
    Turtle Island West
    Posts
    417
    Nope. Port forward 22 TCP/UDP and nothing.

    As an experiment, I port forwarded pretty much everything. I turned the modem's WAN ping response off, and now pings are getting through to my server.

    I'm playing around with rpcinfo, but I've never used it before. It seems to probe ports. Does anyone know how to do this properly?

  7. #6
    awc
    Just Joined! awc's Avatar
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    What you need to do is port scan your external IP. If you don't have an external box to scan from, then use the web-based Nmap Online by Domain Tools.

    Paste the following into the Custom Scan field, insert your IP, and run it

    Code:
    -T5 -sS -p 1-65535 your.ip.address
    The scan takes a while, roughly 10 minutes. Any ports that are listed as closed can be used. Any ports listed as filtered are firewalled. Whether they're firewalled by your router or higher up at your ISP is something you'll have to figure out by tinkering with your router.

    Be aware that the Domain Tools scanner only allows you to do 10 scans per day, so use them wisely.

  8. #7
    Linux User
    Join Date
    Dec 2011
    Location
    Turtle Island West
    Posts
    417
    Interesting. I had tcpdump running when I did that and you wouldn't believe what it had to say. Boy, the cuss words coming out of that thing would make you blush.

    I did 1-10000 and this was the result:

    Host is up (0.20s latency).
    Not shown: 9991 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    659/tcp open unknown
    2049/tcp open nfs
    2121/tcp open ccproxy-ftp
    6000/tcp open X11
    7547/tcp filtered unknown
    8080/tcp open http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 96.85 seconds

    So why doesn't ssh work from outside? When I do rpcinfo on port 22 it just sits there waiting.

    I had httpd running at the time too. After it was done port scanning, my PC started sending off stuff like crazy and simmered down after I shut down httpd. The scan sure sent apache into a tizzy. And ssh also. What's with that? The website might be a little suspect. Perhaps they're doing stuff they shouldn't.

    Anyway, if I hit my external address on port 80, I get the stupid freaking modem, not my httpd. Who wants to talk to a modem?

    So far, my best guess is that there is something very funny going on with my Telus ADSL Actiontec modem/router and I want to ditch it, as a previous poster wisely recommended. This thing is meant for *Doze users only.

    I found a local ISP that has nothing to do with the big conglomerates. They give 10Gigs for $10 at 10Mbps and the ADSL modem is free. You supply your own router and expertise. $1/Gig after that. Seems reasonable. I think I'll try them out. Their website is simple and straightforward, and they answered my email in a couple hours. Vancouver BC ISP | Urban Networks Inc. <- shameless plug, I haven't actually tried them yet.

    BTW I think this site is a little suspect also, expanding my urls like that. Nasty. You shouldn't do that.

  9. #8
    awc
    Just Joined! awc's Avatar
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    Quote Originally Posted by Miven View Post
    Host is up (0.20s latency).
    Not shown: 9991 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    659/tcp open unknown
    2049/tcp open nfs
    2121/tcp open ccproxy-ftp
    6000/tcp open X11
    7547/tcp filtered unknown
    8080/tcp open http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 96.85 seconds
    According to the nmap results, you should have no problem connecting into your network. I'm assuming that for each open port you've forwarded the port to your server.

    Try ssh-ing to your external IP and use -v to show more details. That should give you some idea of what's happening. Maybe something is blocking outbound connections except dest_port 53,80,443. Maybe, but not likely.

    Quote Originally Posted by Miven View Post
    Anyway, if I hit my external address on port 80, I get the stupid freaking modem, not my httpd.
    Look for a remote administration option to turn off. The web console shouldn't be accessible on the external IP. You really don't want to give the script kiddies access to your router.

  10. #9
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Quote Originally Posted by Miven View Post
    BTW I think this site is a little suspect also, expanding my urls like that. Nasty. You shouldn't do that.

    That is the forum software, I am not sure we on the mod team have access to fiddle with those controls.

    In other news, you can disable the options "Auto parsing of links" and "Automatically retrieve titles from external links" on the reply screen. You have to look for it, it's easy to miss. I also think it's only available on the full reply screen and not the quick reply screen.

  11. #10
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Most ISPs are either blocking or starting to block port ranges 1-1024. The reason for this is because you signed up as a private user and as a private user you should not be running any services, and if you want to run services then you should be paying the higher price for your usage. I am sure if you look at your contract it might even state that you are only allowed to connect 1 PC to the internet also.

    As for your statement:
    Quote Originally Posted by Miven View Post
    Has anyone ever got this working? It seems pretty rude of Telus to tar everyone with the same brush, and it's not their job to decide what I do and don't do with my connection.
    While you think it is not their job, it is their connection, and they can require what they wish from you to use it. You are only paying to utilize the connection; you do not own it. Same as the software you use on your computer. You are paying for the right to use it; it is not yours and someone else owns it. As it is with GNU software. You don't own it but you are normally given the right to do with it as you see fit.

    Quote Originally Posted by Miven View Post
    Host is up (0.20s latency).
    Not shown: 9991 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    659/tcp open unknown
    2049/tcp open nfs
    2121/tcp open ccproxy-ftp
    6000/tcp open X11
    7547/tcp filtered unknown
    8080/tcp open http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 96.85 seconds
    I take it you ran this scan locally and not from the outside. Running the same scan from the outside should show you nothing is open for 1024 and below. Of course this would all depend on how your service provider is blocking things.

    Quote Originally Posted by Miven View Post
    He said, to quote, "Unfortunately no. It's not only with your account's security but with other's also. Many clients' computers are used as FTP servers to store illegal files and transfer viruses."
    This is a standard answer to which 99% of the users would agree, as they do not have a clue what they are doing or how to protect themselves.

    Now on to how to get around this. It is simple enough and will require you to know what you are doing and how to reprogram the services that you want to access. It is also going to require you to use ports above 1024. You should be able to use Google to search how to change the listening port for the services you want to use.

    Once you have that figured out and set up, it is just a matter of ensuring that those ports are forwarded onto your system.

    The example I will use is SSH. SSH normally listens on port 22, but we know that is blocked, so we need to change that port to something over 1024; let's choose 22022. Now you need to configure SSH to listen on that port (use Google if you don't know how that is done). Once completed you need to ensure that your router knows to allow that port through and where to send it. Once you have that completed you just need to test it from the outside.

    In short, for any service you want to use you just have to move the listening port above the blocked pool of ports. This will work until the ISPs catch up and run STATEFUL firewalls and start blocking all NEW connections, at which time nothing you do, short of paying for business class access, will work.

    Regards
    Robert

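As an added example (not code from anyone in this thread), here is a small Python parser that applies awc's rule for reading the nmap results posted above (closed = free to forward, filtered = firewalled by router or ISP, open = something already answers) together with Lazydog's point that residential ISPs tend to block 1-1024. The scan range (1-10000, as Miven stated) is passed in explicitly, because nmap's output does not record which ports were scanned; ports outside it are reported as unscanned rather than guessed.

```python
"""Classify ports from an nmap scan of a home connection, per the thread's rules."""
import re

# Constructed input: the nmap "normal" output quoted in the thread.
NMAP_OUTPUT = """\
Host is up (0.20s latency).
Not shown: 9991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
659/tcp open unknown
2049/tcp open nfs
2121/tcp open ccproxy-ftp
6000/tcp open X11
7547/tcp filtered unknown
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 96.85 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")
ISP_BLOCKED_MAX = 1024  # Assumption from Lazydog's post: ISPs block 1-1024


def parse_nmap(text):
    """Return ({port: (proto, state, service)}, state of the ports nmap did not list)."""
    ports, default_state = {}, None
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            default_state = m.group(2)  # e.g. "closed" covers all unlisted ports
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ports, default_state


def classify(port, ports, default_state, scanned=(1, 10000)):
    """Map a port to one of: unscanned, open, filtered, closed-low, usable."""
    if not scanned[0] <= port <= scanned[1]:
        return "unscanned"  # nmap never probed it; no conclusion possible
    state = ports[port][1] if port in ports else default_state
    if state == "open":
        return "open"  # a service (or the modem's own web console) answers
    if state == "filtered":
        return "filtered"  # dropped by the router or higher up at the ISP
    if port <= ISP_BLOCKED_MAX:
        return "closed-low"  # reachable today, but inside the commonly blocked range
    return "usable"  # closed and above 1024: a candidate for a moved listening port


def usable_ports(text, candidates, scanned=(1, 10000)):
    """Filter candidate ports down to the ones the scan shows as safe to forward."""
    ports, default_state = parse_nmap(text)
    return [p for p in candidates if classify(p, ports, default_state, scanned) == "usable"]
```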
