I need to use Ports 27177 and 27178 but, every Port Checker I can find says they are blocked.
My iptables setup ( for ) now is:
Incoming Packages- Accept
Forwarded Packets- Accept
Outgoing Packets- Accept
The way I understand it, that means NO Ports should be blocked. Am I barking up the wrong tree and need to be checking with my ISP?
I think I should be but am just looking for a sanity check!
Mike D.
On Sun, Mar 18, 2012 at 09:21:03PM -0700, Mike Dwiggins wrote:
> I need to use Ports 27177 and 27178 but, every Port Checker I can find says they are blocked.
You need to explain a bit more about your setup. What does the network you're on look like, from which system to what system are you trying to connect, and does "netstat" report the ports open on the host you want to connect to?
> My iptables setup ( for ) now is:
> Incoming Packages- Accept
> Forwarded Packets- Accept
> Outgoing Packets- Accept
Yes, this means iptables is turned off (or allowing everything - you can't really turn it off). But that's just on that host. It doesn't count for any other system in between, firewalls, routers etc.
> The way I understand it, that means NO Ports should be blocked. Am I barking up the wrong tree and need to be checking with my ISP?
If you're bringing your ISP into this, then your personal home firewall is the least of your problems. Most ISPs will block some traffic but they rarely block everything. That said, if you're using a standard NAT setup, then you're blocking yourself unless you set up some port-forwarding rules. And even then, you may have issues depending on the protocol you want to use on those ports.
> I think I should be but am just looking for a sanity check!
I think you're looking at this in the wrong place. If you want remote access to your network, it's your gateway/firewall that's important. Yes, the ISP may also be blocking you - there are ways to test that too. Be aware that most ISPs' conditions of use make it very clear they can disconnect you if they find you're hosting services. Of course the key word here is "find".
Regards Peter Larsen
On 03/19/2012 12:21 PM, Mike Dwiggins wrote:
> I need to use Ports 27177 and 27178 but, every Port Checker I can find says they are blocked.
> My iptables setup ( for ) now is:
> Incoming Packages- Accept
> Forwarded Packets- Accept
> Outgoing Packets- Accept
> The way I understand it, that means NO Ports should be blocked. Am I barking up the wrong tree and need to be checking with my ISP?
> I think I should be but am just looking for a sanity check!
Do you have a service running on those ports? If you don't they will show up as "closed" even if not blocked by a firewall.
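Added example, not part of the original thread: the distinction made in the reply above (a port with no service reads as "closed" even when no firewall blocks it) as a small check that combines the local listener table with an outside probe result. TCP is assumed, since the thread does not name the protocol; the function names and the /proc/net/tcp sample are constructed for illustration.

```python
import errno
import socket

# Constructed /proc/net/tcp excerpt (columns after "st" omitted): entry 0 is a
# listener on port 80 (0x0050, state 0A = LISTEN), entry 1 is an established
# session (state 01). Nothing listens on 27177 (0x6A29).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0050 00000000:0000 0A
   1: 0101A8C0:0016 0201A8C0:C350 01
"""

def listening_ports(proc_net_tcp):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) >= 4 and f[3] == "0A":
            ports.add(int(f[1].rsplit(":", 1)[1], 16))
    return ports

def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    `connect` is injectable so the classification can be exercised offline.
    """
    try:
        connect((host, port), timeout).close()
    except ConnectionRefusedError:
        return "closed"        # a reset came back: host reached, nothing accepted
    except socket.timeout:
        return "filtered"      # silence: the packet was dropped along the way
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    return "open"

def diagnose(port, listeners, outside_state):
    """Combine the local listener set with what an outside checker saw."""
    if outside_state == "open":
        return "reachable"
    if port not in listeners:
        # The checker result says nothing about firewalls yet: no service
        # is bound on this host, so a refusal is the expected answer.
        return "no-listener"
    if outside_state == "closed":
        # A listener exists but the probe was refused: a REJECT rule, or a
        # NAT gateway answering for itself because no forward is defined.
        return "rejected-upstream"
    return "dropped-upstream"  # check gateway port forwarding, then the ISP

if __name__ == "__main__":
    listeners = listening_ports(SAMPLE_PROC_NET_TCP)
    for p in (80, 27177, 27178):
        print(p, diagnose(p, listeners, "closed"))
```

On a live host, pass the contents of /proc/net/tcp to `listening_ports` and run `probe` from a machine outside the network.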
This takes a restart from scratch!
My base Network setup was a wired Network which got its DHCP from a Linksys Wireless gateway. The WAN connection to the Linksys was through a Fedora 14 Server.
I have two Servers both of which have a Fixed Routable address from my ISP. I was working just fine with my below described Firewall setup until I tried to connect a DirecTV HD DVR via the Network. This is when I found the blocked Port problem as described below.
The first reply I got asked what system-config-firewall showed, it seemed like a reasonable question so I ran the program. I looked and the program had nothing about the ports in question so I closed it!
Immediately thereafter I could get nothing through the Server out to the Internet! I can ping to the output address of the Linksys but, nothing further from inside the house. I can access the Internet from the server but not from behind it. It seems the problem has just gotten worse and I have no idea how.
ip route shows a valid routing from the interior facing port to the exterior facing port but, nothing seems to pass.
I am for sure in over my head here!
Mike D.
On 03/19/2012 05:02 PM, Mike Dwiggins wrote:
> This takes a restart from scratch!
> My base Network setup was a wired Network which got its DHCP from a Linksys Wireless gateway. The WAN connection to the Linksys was through a Fedora 14 Server.
> I have two Servers both of which have a Fixed Routable address from my ISP. I was working just fine with my below described Firewall setup until I tried to connect a DirecTV HD DVR via the Network. This is when I found the blocked Port problem as described below.
> The first reply I got asked what system-config-firewall showed, it seemed like a reasonable question so I ran the program. I looked and the program had nothing about the ports in question so I closed it!
> Immediately thereafter I could get nothing through the Server out to the Internet! I can ping to the output address of the Linksys but, nothing further from inside the house. I can access the Internet from the server but not from behind it. It seems the problem has just gotten worse and I have no idea how.
> ip route shows a valid routing from the interior facing port to the exterior facing port but, nothing seems to pass.
Let me just say that I'm a bit confused. When someone asks about ports and them being closed it refers to "inbound" connections. But now it seems you are trying to make a connection to the internet from behind a F14 system (acting as a firewall?) and can't connect....for example to http://fedoraproject.org/.
So, is your problem trying to access the internet or the internet trying to access a server?
On Mon, 03/19/2012 02:19 AM, Ed Greshko Ed.Greshko@greshko.com wrote:
> Let me just say that I'm a bit confused. When someone asks about ports and them being closed it refers to "inbound" connections. But now it seems you are trying to make a connection to the internet from behind a F14 system (acting as a firewall?) and can't connect....for example to http://fedoraproject.org/.
> So, is your problem trying to access the internet or the internet trying to access a server?
It started as trying to access inbound for the two ports in question. It has now morphed into connecting either way on anything. I am about to the point that I am going to start saving website and Apache configs and rebuild the darn server!
Mike D.
On 03/19/2012 05:42 PM, Mike Dwiggins wrote:
> It started as trying to access inbound for the two ports in question. It has now morphed into connecting either way on anything. I am about to the point that I am going to start saving website and Apache configs and rebuild the darn server!
You didn't say it specifically, but in doing a cursory search about the ports you mention would I be correct in thinking you want to place your DirecTV DVR on the network such that you can get access to it via something like their Android app? But, there is a "Fedora Server" between your ISP router and the DVR?
If that is the case, then you would have had to set up port forwarding at the "Fedora" box...which I am now assuming is reachable from the internet?
And, did your outbound issue happen after you made some changes?
On 03/19/2012 02:52 AM, Ed Greshko wrote:
> You didn't say it specifically, but in doing a cursory search about the ports you mention would I be correct in thinking you want to place your DirecTV DVR on the network such that you can get access to it via something like their Android app? But, there is a "Fedora Server" between your ISP router and the DVR?
> If that is the case, then you would have had to set up port forwarding at the "Fedora" box...which I am now assuming is reachable from the internet?
> And, did your outbound issue happen after you made some changes?
Good summation. I also did not think I had made any changes at all but somehow I must have inadvertently done so. The point being that I do not know what if any changes I may have stumbled into!
On 03/20/2012 01:56 AM, Mike Dwiggins wrote:
> Good summation. I also did not think I had made any changes at all but somehow I must have inadvertently done so. The point being that I do not know what if any changes I may have stumbled into!
For the case of not being able to access the internet from another system behind the "Fedora Server".
On the server, can you show the output of "netstat -nr" as well as "cat /proc/sys/net/ipv4/ip_forward"?
On 03/19/2012 02:47 PM, Ed Greshko wrote:
> For the case of not being able to access the internet from another system behind the "Fedora Server".
> On the server, can you show the output of "netstat -nr" as well as "cat /proc/sys/net/ipv4/ip_forward"?
Have not gotten off of this question, my company just put me on the road for over a week.
netstat -wr
Destination  Gateway      Genmask        Flags mss window irtt Iface
my.ip.add.0  0.0.0.0      255.255.255.0  U     0 0 0 0  Eth0
192.168.1.0  0.0.0.0      255.255.255.0  U     0 0 0 0  Eth1
0.0.0.0      my.ip.add.0  255.255.255.0  U     0 0 0 0  Eth0
cat /proc/sys/net/ipv4/ip-forward
1
That's how it reads.
Mike D
On 03/30/2012 02:58 PM, Mike Dwiggins wrote:
> Have not gotten off of this question, my company just put me on the road for over a week.
> netstat -wr
> Destination  Gateway      Genmask        Flags mss window irtt Iface
> my.ip.add.0  0.0.0.0      255.255.255.0  U     0 0 0 0  Eth0
> 192.168.1.0  0.0.0.0      255.255.255.0  U     0 0 0 0  Eth1
> 0.0.0.0      my.ip.add.0  255.255.255.0  U     0 0 0 0  Eth0
> cat /proc/sys/net/ipv4/ip-forward
> 1
> That's how it reads.
So.... You have 2 exact duplicates of my.ip.add.0?
Destination of 0.0.0.0 is the "default" route. It should have an actual IP address and a Genmask of 0.0.0.0 .
Here is mine....
Destination    Gateway         Genmask        Flags MSS Window irtt Iface
192.168.242.0  0.0.0.0         255.255.255.0  U     0   0      0    vmnet1
211.75.128.0   0.0.0.0         255.255.255.0  U     0   0      0    eth0
192.168.0.0    0.0.0.0         255.255.255.0  U     0   0      0    eth1
192.168.190.0  0.0.0.0         255.255.255.0  U     0   0      0    vmnet8
0.0.0.0        211.75.128.254  0.0.0.0        UG    0   0      0    eth0
I don't obfuscate my IP addresses....it doesn't make sense to do that....
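Added example, not part of the original thread: the default-route check described in the message above (Destination 0.0.0.0 needs a real gateway address and a Genmask of 0.0.0.0), applied to `netstat -nr` style text. It goes one step further and also checks the G flag and that the gateway is a host on a directly connected network; the 203.0.113.0/24 addresses are constructed stand-ins for the hidden "my.ip.add" network, and all function names are illustrative.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gateway genmask flags iface")
ANY = ipaddress.ip_address("0.0.0.0")

# Constructed samples modelled on the two tables posted in the thread.
BROKEN = """\
Destination  Gateway        Genmask        Flags MSS Window irtt Iface
203.0.113.0  0.0.0.0        255.255.255.0  U     0   0      0    eth0
192.168.1.0  0.0.0.0        255.255.255.0  U     0   0      0    eth1
0.0.0.0      203.0.113.0    255.255.255.0  U     0   0      0    eth0
"""
FIXED = """\
Destination  Gateway        Genmask        Flags MSS Window irtt Iface
203.0.113.0  0.0.0.0        255.255.255.0  U     0   0      0    eth0
192.168.1.0  0.0.0.0        255.255.255.0  U     0   0      0    eth1
0.0.0.0      203.0.113.254  0.0.0.0        UG    0   0      0    eth0
"""

def parse_routes(text):
    """Parse routing-table rows; title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        try:
            dest, gw = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
        except ValueError:
            continue                      # not a route row
        routes.append(Route(dest, gw, f[2], f[3], f[-1]))
    return routes

def check_default_route(text):
    """Return a list of problems with the default route (empty list = sane)."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r.dest == ANY]
    if not defaults:
        return ["no default route (no row with Destination 0.0.0.0)"]
    # Directly connected networks: rows with no gateway of their own.
    connected = [(ipaddress.ip_network(f"{r.dest}/{r.genmask}", strict=False), r.iface)
                 for r in routes if r.dest != ANY and r.gateway == ANY]
    problems = []
    for r in defaults:
        if r.genmask != "0.0.0.0":
            problems.append(f"Genmask {r.genmask} matches only 0.0.0.x, not every destination")
        if "G" not in r.flags:
            problems.append("flag G missing: the kernel does not treat this row as a gateway route")
        nets = [n for n, iface in connected if iface == r.iface and r.gateway in n]
        if not nets:
            problems.append(f"gateway {r.gateway} is not on a network connected to {r.iface}")
        elif r.gateway in (nets[0].network_address, nets[0].broadcast_address):
            problems.append(f"gateway {r.gateway} is a network or broadcast address, not a host")
    return problems

if __name__ == "__main__":
    for name, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_default_route(table) or "ok")
```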
On 03/30/2012 12:16 AM, Ed Greshko wrote:
> So.... You have 2 exact duplicates of my.ip.add.0?
> Destination of 0.0.0.0 is the "default" route. It should have an actual IP address and a Genmask of 0.0.0.0 .
> Here is mine....
> Destination    Gateway         Genmask        Flags MSS Window irtt Iface
> 192.168.242.0  0.0.0.0         255.255.255.0  U     0   0      0    vmnet1
> 211.75.128.0   0.0.0.0         255.255.255.0  U     0   0      0    eth0
> 192.168.0.0    0.0.0.0         255.255.255.0  U     0   0      0    eth1
> 192.168.190.0  0.0.0.0         255.255.255.0  U     0   0      0    vmnet8
> 0.0.0.0        211.75.128.254  0.0.0.0        UG    0   0      0    eth0
> I don't obfuscate my IP addresses....it doesn't make sense to do that....
I will check when I get home in the morning. I hide the IP due to a STUPID company security policy!
Mike D.
On Fri, 2012-03-30 at 00:58 -0700, Mike Dwiggins wrote:
> I hide the IP due to a STUPID company security policy!
Which, unless you post through an anonymiser, is showing in your message headers on each and every email that you send, anyway. Have a look through your message headers, and you'll see.
On 03/30/2012 03:58 PM, Mike Dwiggins wrote:
> I will check when I get home in the morning. I hide the IP due to a STUPID company security policy!
One other thing....
I think I can assume that your eth0 interface is your Internet facing interface and that it has an assigned IP address from your ISP. Also, your eth1 interface is a "private" IP address range and not route-able on the Internet. So, you also need to have NAT configured to make things work for hosts on the eth1 LAN to route their traffic through this box.
You do have that NAT up, yes?
On 03/30/2012 09:05 AM, Tim wrote:
> Which, unless you post through an anonymiser, is showing in your message headers on each and every email that you send, anyway. Have a look through your message headers, and you'll see.
Yeah, I know. Why do you think I capped stupid. Strictly done by an IDIOT lawyer (BIRM).
Mike D
On 03/30/2012 07:25 PM, Ed Greshko wrote:
> One other thing....
> I think I can assume that your eth0 interface is your Internet facing interface and that it has an assigned IP address from your ISP. Also, your eth1 interface is a "private" IP address range and not route-able on the Internet. So, you also need to have NAT configured to make things work for hosts on the eth1 LAN to route their traffic through this box.
> You do have that NAT up, yes?
Yes, NAT works quite well.
On 03/31/2012 11:23 AM, Mike Dwiggins wrote:
> Yes, NAT works quite well.
OK, then it looks to me that the only thing missing is a properly defined "default route".
On Fri, 2012-03-30 at 20:21 -0700, Mike Dwiggins wrote:
> Yeah, I know. Why do you think I capped stupid. Strictly done by an IDIOT lawyer (BIRM).
Well, if you do need to provide IP information for debugging, despite that, you've now let people know that they can use your headers. ;-)
Some people do post through anonymisers, or post through another computer, so you can't use mail headers to determine IPs, or which OS or software are a part of their problem.
On 03/31/2012 03:04 AM, Tim wrote:
> Well, if you do need to provide IP information for debugging, despite that, you've now let people know that they can use your headers. ;-)
> Some people do post through anonymisers, or post through another computer, so you can't use mail headers to determine IPs, or which OS or software are a part of their problem.
You may guess that I don't really care :). Next week I will have a pipe into the house not associated with my work at which point I could care less. Work is selling their access business!
On 3/31/2012 6:46 AM, Ed Greshko wrote:
> So, have you been able to work out the problem? Not clear that you've made any progress.....
With the surge at work right now I have not really had much of a chance to try anything. I have a work around in place via another device so one more hour sleep is much more important right now.
This one will back burner for a couple of days as weekends are our surge period for this work project.
Mike D
On 04/01/2012 05:51 AM, Mike Dwiggins wrote:
> With the surge at work right now I have not really had much of a chance to try anything. I have a work around in place via another device so one more hour sleep is much more important right now.
> This one will back burner for a couple of days as weekends are our surge period for this work project.
Well, I certainly hope that when you do find the time I'll remember what had transpired. :-) I only keep 7 days of mailing list messages.