Wednesday, February 18, 2009

Quickfix: My ISP is blocking connections to one of my ports


Recently, one friend of mine wanted to show me something he was creating that he had running on a web service at his own box. He was connected directly to the internet and so he provided me with his address like this:


x.x.x.x being his public IP address. It failed miserably: I couldn't see what he had up there. He then told me that people could see it remotely when he was at home, but that he was at his workplace and didn't know what was going on. I told him that his ISP was probably blocking requests to TCP port 80 and that was why it didn't work. To make sure, I told him to run a brief tcpdump to check whether the traffic was arriving at his box on that port at all:

tcpdump -i eth0 -n tcp and port 80 and host y.y.y.y

y.y.y.y being my public address, so that only the traffic I was about to send to his box would be displayed. -n tells tcpdump not to attempt a reverse name resolution of our IP addresses. Then I do this from my box:

telnet x.x.x.x 80

After some seconds, his tcpdump output is completely mute. Well... his ISP is the source of the problem after all. I know that normally an ISP won't block new requests to every destination port; only some ports are banned (for security reasons, I guess). So I figured we could simply use another port. I told him to redo the tcpdump, but listening on port 8080. But (without having tried) he complained, saying that he didn't want to change the Apache configuration to listen on another port. I told him to relax and let go. He wouldn't have to do that.

tcpdump -i eth0 -n tcp and port 8080 and host y.y.y.y

Then I redo the telnet to the new port:

telnet x.x.x.x 8080

And there he had some output on tcpdump, while I got a connection refused message (because he had no service running on that port). What it all means is that his ISP is not blocking that port. Tip: tcpdump shows you the traffic that arrives at a box regardless of whether netfilter rules on INPUT or FORWARD will drop it afterwards, and regardless of whether a service is listening on that port, because the capture happens before netfilter gets to see the packet.
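The same reasoning as the telnet/tcpdump exchange above, as an added example (not part of the original post): a probe that tells apart a port where the packets got through but nothing answered (connection refused, like port 8080 here) from one where the SYNs simply vanish upstream (filtered, like port 80 here). The local demo function builds a throwaway listener on 127.0.0.1 to stand in for the friend's box; host names and ports are constructed, not taken from the post.

```python
import socket


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify what a single TCP connect attempt tells us.

    "open"        three-way handshake completed: a service answered
    "refused"     the box answered with RST: packets got through, but
                  nothing is listening (the "connection refused" in the post)
    "filtered"    no answer at all within the timeout: something on the
                  path (e.g. the ISP) silently drops the SYNs
    "unreachable" the local stack could not even route the packet
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # subclass of OSError: must come first
        return "filtered"
    except ConnectionRefusedError:  # also an OSError subclass
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def compare_ports(host: str, ports, timeout: float = 3.0) -> dict:
    """Probe several candidate ports (e.g. 80 and 8080) on one host; a port
    that comes back "open" or "refused" is known to pass the ISP."""
    return {p: probe_port(host, p, timeout) for p in ports}


def local_demo() -> tuple:
    """Constructed offline demo: a listener on a random loopback port plays
    the friend's box; once it is closed, the same port plays a port with
    no service behind it (reachable, but refused)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    srv.close()
    after_close = probe_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(local_demo())  # ('open', 'refused')
```

Run against a real box with `compare_ports("x.x.x.x", [80, 8080])` from outside its network; a "filtered" result alongside a "refused" one on the same box is the pattern the post attributes to ISP filtering.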

Now comes the trick: How to make apache listen on that port without changing its configuration?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80

The REDIRECT target tells iptables to rewrite the destination of the matching packets, whatever destination they originally carried, to an address of the box that is processing them (the primary address of the interface they came in on) and to the port given with --to-port. And there you have it: after running that command, I could see what he wanted to show me without changing anything in his Apache configuration.


And the content was there.

Oh, you are running Windows and want to do the same thing, you say? I guess you have to get yourself an ISA Server to be able to do NAT (though I could be wrong, of course), or download some virus-ridden piece of freeware that you can find out there that will do that... plus turn your computer into a zombie, as a gift feature. In other words: why don't you get a nice LiveCD (I didn't say which distro or which operating system) and start tinkering with a real OS? If you were able to figure out that it was your ISP that was blocking the requests to a port on your own box, it means you already have the basic ingredients.

Take care!
