computers / comp.os.linux.networking / Re: incoming ssh blocked by ISP

incoming ssh blocked by ISP

From: rdtenn...@tennent.ca (Bob Tennent)
Newsgroups: comp.os.linux.networking
Subject: incoming ssh blocked by ISP
Date: Sat, 6 Nov 2021 15:28:52 -0000 (UTC)
 by: Bob Tennent - Sat, 6 Nov 2021 15:28 UTC

Outgoing ssh works fine and sshd is active. It's not my
firewall and I use ddclient and zoneedit.com to deal with my
dynamic IP address.

When I complain to Support at my ISP I'm told to pay for a
static IP address. Is there any other solution? I'm not a
networking expert. I do have login access to a server with a
static IP address but it's not the system I'm trying to ssh
into.

Re: incoming ssh blocked by ISP

 by: Lew Pitcher - Sat, 6 Nov 2021 16:28 UTC

On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:

> Outgoing ssh works fine and sshd is active. It's not my
> firewall and I use ddclient and zoneedit.com to deal with my
> dynamic IP address.
>
> When I complain to Support at my ISP I'm told to pay for a
> static IP address. Is there any other solution?

ISPs sell "internet connectivity" to clients, and most consumer-
grade ISPs block datagrams coming from the internet to certain
well-known ports, often either because they "represent a security
exposure" to the client, or because the ISP would like to gain
an additional income from "power users" by up-selling them on
internet connectivity that they do not deliberately block.

It sounds like your ISP falls into that second category.

Outside of capitulating to the ISP's up-selling requirement,
or changing your ISP to one that does not block incoming SSH,
the only reliable way I can think of to bypass your ISP's
block is to change the port on which you listen for SSH connections.

While TCP and UDP port 22 are officially used for incoming SSH
connections, you /can/, through your ssh server's configuration,
change that port to any other value. If you choose a port number
that your ISP does /not/ block, then your SSH server will accept
incoming connections.

Of course, this means that you must instruct your outside SSH
client to use that port as well.

For the OpenSSH ssh server daemon, you would specify the new
port as part of the sshd_config(5) "ListenAddress" directive or
specify the "-p <portnumber>" option to the sshd(1) command.

For the OpenSSH ssh client program, you would specify the
same port in the "-p <portnumber>" option of the ssh(1) command.

> I'm not a
> networking expert. I do have login access to a server with a
> static IP address but it's not the system I'm trying to ssh
> into.

HTH
--
Lew Pitcher
"In Skills, We Trust"

Re: incoming ssh blocked by ISP

 by: David W. Hodgins - Sat, 6 Nov 2021 17:43 UTC

On Sat, 06 Nov 2021 11:28:52 -0400, Bob Tennent <rdtennent@tennent.ca> wrote:

> Outgoing ssh works fine and sshd is active. It's not my
> firewall and I use ddclient and zoneedit.com to deal with my
> dynamic IP address.
>
> When I complain to Support at my ISP I'm told to pay for a
> static IP address. Is there any other solution? I'm not a
> networking expert. I do have login access to a server with a
> static IP address but it's not the system I'm trying to ssh
> into.

Don't use port 22. Even if it's not blocked and you use keys only, not passwords,
all of the failed brute force attempts may fill the file system containing the logs.

In /etc/ssh/sshd_config specify a port such as Port 49775, then use that port
number when connecting, "ssh -p 49775 whatever.hostname".

Regards, Dave Hodgins

Re: incoming ssh blocked by ISP

 by: Pascal Hambourg - Sat, 6 Nov 2021 18:18 UTC

How do you know?

Re: incoming ssh blocked by ISP

 by: Marco Moock - Sat, 6 Nov 2021 18:35 UTC

On Sat, 6 Nov 2021 15:28:52 -0000 (UTC),
Bob Tennent <rdtennent@tennent.ca> wrote:

> Outgoing ssh works fine and sshd is active. It's not my
> firewall and I use ddclient and zoneedit.com to deal with my
> dynamic IP address.
>
> When I complain to Support at my ISP I'm told to pay for a
> static IP address. Is there any other solution? I'm not a
> networking expert. I do have login access to a server with a
> static IP address but it's not the system I'm trying to ssh
> into.

Tell your ISP to disable it, and if it doesn't, don't pay them anymore
because they restrict your access to the internet. Internet access
means that you are also able to establish TCP connections to your
computer. This is regardless of whether you get a static IPv4 address/IPv6 net
or dynamic ones.

Re: incoming ssh blocked by ISP

 by: William Unruh - Sat, 6 Nov 2021 19:54 UTC

On 2021-11-06, Marco Moock <invalid@invalid.invalid> wrote:
> On Sat, 6 Nov 2021 15:28:52 -0000 (UTC),
> Bob Tennent <rdtennent@tennent.ca> wrote:
>
>> Outgoing ssh works fine and sshd is active. It's not my
>> firewall and I use ddclient and zoneedit.com to deal with my
>> dynamic IP address.
>>
>> When I complain to Support at my ISP I'm told to pay for a
>> static IP address. Is there any other solution? I'm not a
>> networking expert. I do have login access to a server with a
>> static IP address but it's not the system I'm trying to ssh
>> into.
>
> Tell your ISP to disable it, and if it doesn't, don't pay them anymore
> because they restrict your access to the internet. Internet access
> means that you are also able to establish TCP connections to your
> computer. This is regardless of whether you get a static IPv4 address/IPv6 net
> or dynamic ones.
>

His post is woefully empty of facts, leading to all sorts of theories.

His theory is that the ISP is port blocking him.
His ISP's response has two possibilities-- that he is using a dynamic
address and thus never knows what the IP address is of his machine. Or
that the ISP blocks most incoming ports on dynamic addresses. But not
static.

The above advice is pretty useless since the ISP will then simply block
all incoming and outgoing ports (ie disconnect him), which will
accomplish what?

So the OP has to be a bit more forthcoming as to what is happening.

Re: incoming ssh blocked by ISP

 by: Bob Tennent - Sat, 6 Nov 2021 21:18 UTC

On Sat, 6 Nov 2021 19:54:48 -0000 (UTC), William Unruh wrote:
> On 2021-11-06, Marco Moock <invalid@invalid.invalid> wrote:
>> On Sat, 6 Nov 2021 15:28:52 -0000 (UTC),
>> Bob Tennent <rdtennent@tennent.ca> wrote:
>>
>>> Outgoing ssh works fine and sshd is active. It's not my
>>> firewall and I use ddclient and zoneedit.com to deal with my
>>> dynamic IP address.
>>>
>>> When I complain to Support at my ISP I'm told to pay for a
>>> static IP address. Is there any other solution? I'm not a
>>> networking expert. I do have login access to a server with a
>>> static IP address but it's not the system I'm trying to ssh
>>> into.
>>
>> Tell your ISP to disable it, and if it doesn't, don't pay them anymore
>> because they restrict your access to the internet. Internet access
>> means that you are also able to establish TCP connections to your
>> computer. This is regardless of whether you get a static IPv4 address/IPv6 net
>> or dynamic ones.
>>
>
> His theory is that the ISP is port blocking him.

Not my theory. The ISP is not allowing me to access the IP
address in any way. I believe they are using some sort of
NAT to conserve IP addresses.

> His ISP's response has two possibilities-- that he is
> using a dynamic address and thus never knows what the IP
> address is of his machine.

I know what the IP address is by using checkip.dyndns.org
internally. But externally, that IP address is inaccessible,
even to pings.

> So the OP has to be a bit more forthcoming as to what is happening.

What more can I say?

Re: incoming ssh blocked by ISP

 by: Bob Tennent - Sat, 6 Nov 2021 21:33 UTC

On Sat, 6 Nov 2021 16:28:16 -0000 (UTC), Lew Pitcher wrote:
> On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
>
>> Outgoing ssh works fine and sshd is active. It's not my
>> firewall and I use ddclient and zoneedit.com to deal with my
>> dynamic IP address.
>>
>> When I complain to Support at my ISP I'm told to pay for a
>> static IP address. Is there any other solution?
>
> ISPs sell "internet connectivity" to clients, and most consumer-
> grade ISPs block datagrams coming from the internet to certain
> well-known ports, often either because they "represent a security
> exposure" to the client, or because the ISP would like to gain
> an additional income from "power users" by up-selling them on
> internet connectivity that they do not deliberately block.
>
> It sounds like your ISP falls into that second category.
>
> Outside of capitulating to the ISP's up-selling requirement,
> or changing your ISP to one that does not block incoming SSH,
> the only reliable way I can think of to bypass your ISP's
> block is to change the port on which you listen for SSH connections.

That doesn't work. The ISP doesn't allow access of any sort
to the system.

Re: incoming ssh blocked by ISP

 by: Carlos E. R. - Sat, 6 Nov 2021 21:47 UTC

On 06/11/2021 22.18, Bob Tennent wrote:
> On Sat, 6 Nov 2021 19:54:48 -0000 (UTC), William Unruh wrote:
> > On 2021-11-06, Marco Moock <invalid@invalid.invalid> wrote:
> >> On Sat, 6 Nov 2021 15:28:52 -0000 (UTC),
> >> Bob Tennent <rdtennent@tennent.ca> wrote:

....

> > His theory is that the ISP is port blocking him.
>
> Not my theory. The ISP is not allowing me to access the IP
> address in any way. I believe they are using some sort of
> NAT to conserve IP addresses.

GNAT. That is not blocking, it is a limitation of the technology. Change
ISP or pay.

Look up what it means on Wikipedia.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

 by: Carlos E. R. - Sat, 6 Nov 2021 21:47 UTC

On 06/11/2021 17.28, Lew Pitcher wrote:
> On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
>
>> Outgoing ssh works fine and sshd is active. It's not my
>> firewall and I use ddclient and zoneedit.com to deal with my
>> dynamic IP address.
>>
>> When I complain to Support at my ISP I'm told to pay for a
>> static IP address. Is there any other solution?
>
> ISPs sell "internet connectivity" to clients, and most consumer-
> grade ISPs block datagrams coming from the internet to certain
> well-known ports,

Here they don't. Not at all.

What some do is GNAT, though.

> often either because they "represent a security
> exposure" to the client, or because the ISP would like to gain
> an additional income from "power users" by up-selling them on
> internet connectivity that they do not deliberately block.
>
> It sounds like your ISP falls into that second category.
>
> Outside of capitulating to the ISP's up-selling requirement,
> or changing your ISP to one that does not block incoming SSH,
> the only reliable way I can think of to bypass your ISP's
> block is to change the port on which you listen for SSH connections.

Or reverse ssh. I cannot describe it; I have not used it. Or a tunnel to
some server out there.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

 by: Lew Pitcher - Sat, 6 Nov 2021 21:54 UTC

On Sat, 06 Nov 2021 21:33:27 +0000, Bob Tennent wrote:

> On Sat, 6 Nov 2021 16:28:16 -0000 (UTC), Lew Pitcher wrote:
> > On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
> >
> >> Outgoing ssh works fine and sshd is active. It's not my
> >> firewall and I use ddclient and zoneedit.com to deal with my
> >> dynamic IP address.
> >>
> >> When I complain to Support at my ISP I'm told to pay for a
> >> static IP address. Is there any other solution?
> >
> > ISPs sell "internet connectivity" to clients, and most consumer-
> > grade ISPs block datagrams coming from the internet to certain
> > well-known ports, often either because they "represent a security
> > exposure" to the client, or because the ISP would like to gain
> > an additional income from "power users" by up-selling them on
> > internet connectivity that they do not deliberately block.
> >
> > It sounds like your ISP falls into that second category.
> >
> > Outside of capitulating to the ISP's up-selling requirement,
> > or changing your ISP to one that does not block incoming SSH,
> > the only reliable way I can think of to bypass your ISP's
> > block is to change the port on which you listen for SSH connections.
>
> That doesn't work. The ISP doesn't allow access of any sort
> to the system.

Nonsense. If your ISP blocks /all/ inbound ports, then your system is
effectively /not/ connected to the internet: both TCP and UDP require
that /some/ port be open on each side of the conversation.

However, if your ISP really "doesn't allow access of any sort to the
system", then what are you paying them for?

--
Lew Pitcher
"In Skills, We Trust"

Re: incoming ssh blocked by ISP

 by: David W. Hodgins - Sat, 6 Nov 2021 21:57 UTC

On Sat, 06 Nov 2021 17:33:27 -0400, Bob Tennent <rdtennent@tennent.ca> wrote:
> That doesn't work. The ISP doesn't allow access of any sort
> to the system.

As long as one of the systems can access the other, use a reverse ssh proxy to
allow access in the other direction.

See http://www.harding.motd.ca/autossh/

Regards, Dave Hodgins
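
The reverse tunnel suggested above, as an added example that is not part of the post and is not code from autossh. It is written for the case in the original question (a home machine that can only dial out, plus a login on a server with a static IP). The relay name `relay.example.net`, the account `tunnel`, the key path and port 2222 are placeholders.

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel open from the home machine to a
# relay host with a static IP. Every name below is a placeholder (assumption).
RELAY=${RELAY:-tunnel@relay.example.net}   # dedicated tunnel account on the relay
LISTEN_PORT=${LISTEN_PORT:-2222}           # loopback port opened on the relay
HOME_SSHD_PORT=${HOME_SSHD_PORT:-22}       # where sshd listens on the home machine
KEY=${KEY:-$HOME/.ssh/tunnel_ed25519}      # key used only for this tunnel

# The relay account is unprivileged, so the listener must be a port >= 1024.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Run "$@" with the tunnel arguments appended: `tunnel_exec ssh` opens the
# tunnel, `tunnel_exec echo ssh` only prints the command (dry run).
#   -N -T                    no remote command, no terminal: forwarding only
#   ExitOnForwardFailure     exit if the relay refuses the listener, so the
#                            loop below notices instead of idling
#   ServerAlive*             detect a dead path after about 90 seconds
#   -R 127.0.0.1:...         listener bound to the relay's loopback only
tunnel_exec() {
    "$@" -N -T -i "$KEY" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${LISTEN_PORT}:127.0.0.1:${HOME_SSHD_PORT}" \
        "$RELAY"
}

# Line for ~tunnel/.ssh/authorized_keys on the relay. "restrict" turns off
# shell, PTY, agent and X11 forwarding; port forwarding is re-enabled and
# permitlisten (OpenSSH 7.8+) limits it to this one loopback listener.
relay_key_entry() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$LISTEN_PORT" "$1"
}

# Reconnect delay: double it, capped at five minutes.
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt 300 ] && d=300
    echo "$d"
}

# Re-open the tunnel whenever it drops (the job autossh automates).
keep_tunnel() {
    delay=5
    while :; do
        start=$(date +%s)
        tunnel_exec ssh || true
        # A session that lasted more than a minute was healthy: reset backoff.
        if [ $(( $(date +%s) - start )) -gt 60 ]; then
            delay=5
        else
            delay=$(next_delay "$delay")
        fi
        sleep "$delay"
    done
}

case ${1:-} in
    run)   valid_port "$LISTEN_PORT" || { echo "bad LISTEN_PORT" >&2; exit 2; }
           keep_tunnel ;;
    print) tunnel_exec echo ssh ;;
esac
# From outside, hop through your own account on the relay:
#   ssh -J you@relay.example.net -p 2222 homeuser@127.0.0.1
```

The home machine's sshd stays reachable only through the relay's loopback, so it is exposed to people who can already log in to the relay and not to the internet at large.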

Re: incoming ssh blocked by ISP

 by: David W. Hodgins - Sat, 6 Nov 2021 22:01 UTC

On Sat, 06 Nov 2021 17:57:50 -0400, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

> On Sat, 06 Nov 2021 17:33:27 -0400, Bob Tennent <rdtennent@tennent.ca> wrote:
>> That doesn't work. The ISP doesn't allow access of any sort
>> to the system.
>
> As long as one of the systems can access the other, use a reverse ssh proxy to
> allow access in the other direction.
>
> See http://www.harding.motd.ca/autossh/

Sorry, meant to also include
https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/

Regards, Dave Hodgins

Re: incoming ssh blocked by ISP

 by: Carlos E. R. - Sat, 6 Nov 2021 22:13 UTC

On 06/11/2021 22.54, Lew Pitcher wrote:
> On Sat, 06 Nov 2021 21:33:27 +0000, Bob Tennent wrote:
>
>> On Sat, 6 Nov 2021 16:28:16 -0000 (UTC), Lew Pitcher wrote:
>> > On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
>> >
>> >> Outgoing ssh works fine and sshd is active. It's not my
>> >> firewall and I use ddclient and zoneedit.com to deal with my
>> >> dynamic IP address.
>> >>
>> >> When I complain to Support at my ISP I'm told to pay for a
>> >> static IP address. Is there any other solution?
>> >
>> > ISPs sell "internet connectivity" to clients, and most consumer-
>> > grade ISPs block datagrams coming from the internet to certain
>> > well-known ports, often either because they "represent a security
>> > exposure" to the client, or because the ISP would like to gain
>> > an additional income from "power users" by up-selling them on
>> > internet connectivity that they do not deliberately block.
>> >
>> > It sounds like your ISP falls into that second category.
>> >
>> > Outside of capitulating to the ISP's up-selling requirement,
>> > or changing your ISP to one that does not block incoming SSH,
>> > the only reliable way I can think of to bypass your ISP's
>> > block is to change the port on which you listen for SSH connections.
>>
>> That doesn't work. The ISP doesn't allow access of any sort
>> to the system.
>
> Nonsense. If your ISP blocks /all/ inbound ports, then your system is
> effectively /not/ connected to the internet: both TCP and UDP require
> that /some/ port be open on each side of the conversation.

His ISP uses CGNAT. Sorry for the typo, not GNAT.

https://es.wikipedia.org/wiki/Carrier_Grade_NAT

>
> However, if your ISP really "doesn't allow access of any sort to the
> system", then what are you paying them for?

Cheap ISP. The one I use this instant does that as well.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

<61870544$0$20283$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=233&group=comp.os.linux.networking#233

Newsgroups: comp.os.linux.networking
Subject: Re: incoming ssh blocked by ISP
References: <sm66vk$hvp$1@dont-email.me> <20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me> <sm6rf6$ann$1@dont-email.me>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sat, 6 Nov 2021 23:44:20 +0100
In-Reply-To: <sm6rf6$ann$1@dont-email.me>
Message-ID: <61870544$0$20283$426a74cc@news.free.fr>
 by: Pascal Hambourg - Sat, 6 Nov 2021 22:44 UTC

On 06/11/2021 at 22:18, Bob Tennent wrote:
>
> Not my theory. The ISP is not allowing me to access the IP
> address in any way.

How do you know ? What tests did you do ?

> I believe they are using some sort of
> NAT to conserve IP addresses.

We do not care about your beliefs. We need facts.

> I know what the IP address is by using checkip.dyndns.org

The IP address of what device ?

Re: incoming ssh blocked by ISP

<3pdj5ixeul.ln2@minas-tirith.valinor>

https://www.novabbs.com/computers/article-flat.php?id=234&group=comp.os.linux.networking#234

Newsgroups: comp.os.linux.networking
From: robin_li...@es.invalid (Carlos E. R.)
Subject: Re: incoming ssh blocked by ISP
Date: Sat, 6 Nov 2021 23:56:03 +0100
Message-ID: <3pdj5ixeul.ln2@minas-tirith.valinor>
References: <sm66vk$hvp$1@dont-email.me> <20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me> <sm6rf6$ann$1@dont-email.me>
<5p9j5ixftj.ln2@minas-tirith.valinor>
In-Reply-To: <5p9j5ixftj.ln2@minas-tirith.valinor>
 by: Carlos E. R. - Sat, 6 Nov 2021 22:56 UTC

On 06/11/2021 22.47, Carlos E. R. wrote:
> On 06/11/2021 22.18, Bob Tennent wrote:
>> On Sat, 6 Nov 2021 19:54:48 -0000 (UTC), William Unruh wrote:
>> > On 2021-11-06, Marco Moock <invalid@invalid.invalid> wrote:
>> >> On Sat, 6 Nov 2021 15:28:52 -0000 (UTC),
>> >> Bob Tennent <rdtennent@tennent.ca> wrote:
>
> ...
>
>> > His theory is that the ISP is port blocking him.
>>
>> Not my theory. The ISP is not allowing me to access the IP
>> address in any way. I believe they are using some sort of
>> NAT to conserve IP addresses.
>
> GNAT. That is not blocking, it is a limitation of the technology. Change
> ISP or pay.
>
> Look what it means in the wikipedia.

CGNAT, sorry.

You might request your ISP to put you out of the CGNAT and give you
actual Internet service.

Or to put you on IPv6, which is another can of worms.

If they don't, switch ISP.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

<cldj5ixeul.ln2@minas-tirith.valinor>

https://www.novabbs.com/computers/article-flat.php?id=235&group=comp.os.linux.networking#235

Newsgroups: comp.os.linux.networking
From: robin_li...@es.invalid (Carlos E. R.)
Subject: Re: incoming ssh blocked by ISP
Date: Sat, 6 Nov 2021 23:54:04 +0100
Message-ID: <cldj5ixeul.ln2@minas-tirith.valinor>
References: <sm66vk$hvp$1@dont-email.me> <20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me> <sm6rf6$ann$1@dont-email.me>
<61870544$0$20283$426a74cc@news.free.fr>
In-Reply-To: <61870544$0$20283$426a74cc@news.free.fr>
 by: Carlos E. R. - Sat, 6 Nov 2021 22:54 UTC

On 06/11/2021 23.44, Pascal Hambourg wrote:
> On 06/11/2021 at 22:18, Bob Tennent wrote:
>>
>> Not my theory. The ISP is not allowing me to access the IP
>> address in any way.
>
> How do you know ? What tests did you do ?
>
>> I believe they are using some sort of
>> NAT to conserve IP addresses.
>
> We do not care about your beliefs. We need facts.

That paragraph describes perfectly what CGNAT is, and the symptoms match
perfectly. It is impossible to connect to any client of that ISP, they
are on a 10.*.*.* network, behind a NATting router, which as you know,
is not routable and inaccessible from Internet.

He is telling facts, just not in recognizable words for geeks :-P

>
>> I know what the IP address is by using checkip.dyndns.org
>
> The IP address of what device ?

Unfortunately, not his actual IP.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

<op.1cgllgeia3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/computers/article-flat.php?id=236&group=comp.os.linux.networking#236

Newsgroups: comp.os.linux.networking
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Subject: Re: incoming ssh blocked by ISP
Date: Sat, 06 Nov 2021 19:16:18 -0400
Message-ID: <op.1cgllgeia3w0dxdave@hodgins.homeip.net>
References: <sm66vk$hvp$1@dont-email.me> <sm6af0$sst$1@dont-email.me>
<sm6sb6$kru$1@dont-email.me> <sm6tj9$sst$2@dont-email.me>
<u9bj5ixpgk.ln2@minas-tirith.valinor>
 by: David W. Hodgins - Sat, 6 Nov 2021 23:16 UTC

On Sat, 06 Nov 2021 18:13:50 -0400, Carlos E. R. <robin_listas@es.invalid> wrote:
> His ISP uses CGNAT. Sorry for the typo, not GNAT.
> https://es.wikipedia.org/wiki/Carrier_Grade_NAT
>> However, if your ISP really "doesn't allow access of any sort to the
>> system", then what are you paying them for?
> Cheap ISP. The one I use this instant does that as well.

Does ipv6 work on that system? If so, I'd expect the ipv6 address to be accessible.
The isp may still be blocking standard service ports up to 1024, but ports above
that should be accessible with ipv6.

Regards, Dave Hodgins

Re: incoming ssh blocked by ISP

<jmfj5ixehn.ln2@minas-tirith.valinor>

https://www.novabbs.com/computers/article-flat.php?id=237&group=comp.os.linux.networking#237

Newsgroups: comp.os.linux.networking
From: robin_li...@es.invalid (Carlos E. R.)
Subject: Re: incoming ssh blocked by ISP
Date: Sun, 7 Nov 2021 00:28:51 +0100
Message-ID: <jmfj5ixehn.ln2@minas-tirith.valinor>
References: <sm66vk$hvp$1@dont-email.me> <sm6af0$sst$1@dont-email.me>
<sm6sb6$kru$1@dont-email.me> <sm6tj9$sst$2@dont-email.me>
<u9bj5ixpgk.ln2@minas-tirith.valinor>
<op.1cgllgeia3w0dxdave@hodgins.homeip.net>
In-Reply-To: <op.1cgllgeia3w0dxdave@hodgins.homeip.net>
 by: Carlos E. R. - Sat, 6 Nov 2021 23:28 UTC

On 07/11/2021 00.16, David W. Hodgins wrote:
> On Sat, 06 Nov 2021 18:13:50 -0400, Carlos E. R.
> <robin_listas@es.invalid> wrote:
>> His ISP uses CGNAT. Sorry for the typo, not GNAT.
>> https://es.wikipedia.org/wiki/Carrier_Grade_NAT
>>> However, if your ISP really "doesn't allow access of any sort to the
>>> system", then what are you paying them for?
>> Cheap ISP. The one I use this instant does that as well.
>
> Does ipv6 work on that system? If so, I'd expect the ipv6 address to be
> accessible. The isp may still be blocking standard service ports up to
> 1024, but ports above that should be accessible with ipv6.

AFAIK, they are not blocking anything, they are just using CGNAT, which
simply makes it impossible to connect from outside; same as it is
impossible to connect from internet to any normal home using a normal
router and normal NAT.

All the users of such an ISP are on LAN, not on Internet. Thus not
accessible.

The ISP does this simply because they do not have a large enough pool of
IPv4 addresses, they are impossible to buy, they are extinct. But buying
billions of IPv6 addresses is easy and cheap. So, if the ISP wants to
provide IPv6 addresses, the problem is solved. As long as the sites the
customer wants to access or be accessed from also have IPv6.

--
Cheers,
Carlos E.R.

Re: incoming ssh blocked by ISP

<sm7bnj$i4u$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=238&group=comp.os.linux.networking#238

Newsgroups: comp.os.linux.networking
From: rdtenn...@tennent.ca (Bob Tennent)
Subject: Re: incoming ssh blocked by ISP
Date: Sun, 7 Nov 2021 01:56:03 -0000 (UTC)
Message-ID: <sm7bnj$i4u$1@dont-email.me>
References: <sm66vk$hvp$1@dont-email.me> <sm6af0$sst$1@dont-email.me>
<sm6sb6$kru$1@dont-email.me> <op.1cghyouwa3w0dxdave@hodgins.homeip.net>
<op.1cgh5ikqa3w0dxdave@hodgins.homeip.net>
Reply-To: rdtennent@gmail.com
 by: Bob Tennent - Sun, 7 Nov 2021 01:56 UTC

On Sat, 06 Nov 2021 18:01:56 -0400, David W. Hodgins wrote:
> On Sat, 06 Nov 2021 17:57:50 -0400, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
>
>> On Sat, 06 Nov 2021 17:33:27 -0400, Bob Tennent <rdtennent@tennent.ca> wrote:
>>> That doesn't work. The ISP doesn't allow access of any sort
>>> to the system.
>>
>> As long as one of the systems can access the other, use a
>> reverse ssh proxy to allow access in the other direction.
>>
>> See http://www.harding.motd.ca/autossh/
>
> Sorry, meant to also include
> https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/

Thanks. This looks like it might be the solution.

Re: incoming ssh blocked by ISP

<sm7evl$378$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=239&group=comp.os.linux.networking#239

Newsgroups: comp.os.linux.networking
From: unr...@invalid.ca (William Unruh)
Subject: Re: incoming ssh blocked by ISP
Date: Sun, 7 Nov 2021 02:51:33 -0000 (UTC)
Message-ID: <sm7evl$378$1@dont-email.me>
References: <sm66vk$hvp$1@dont-email.me> <sm6af0$sst$1@dont-email.me>
<sm6sb6$kru$1@dont-email.me>
 by: William Unruh - Sun, 7 Nov 2021 02:51 UTC

On 2021-11-06, Bob Tennent <rdtennent@tennent.ca> wrote:
> On Sat, 6 Nov 2021 16:28:16 -0000 (UTC), Lew Pitcher wrote:
> > On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
> >
> >> Outgoing ssh works fine and sshd is active. It's not my
> >> firewall and I use ddclient and zoneedit.com to deal with my
> >> dynamic IP address.
> >>
> >> When I complain to Support at my ISP I'm told to pay for a
> >> static IP address. Is there any other solution?
> >
> > ISPs sell "internet connectivity" to clients, and most consumer-
> > grade ISPs block datagrams coming from the internet to certain
> > well-known ports, often either because they "represent a security
> > exposure" to the client, or because the ISP would like to gain
> > an additional income from "power users" by up-selling them on
> > internet connectivity that they do not deliberately block.
> >
> > It sounds like your ISP falls into that second category.
> >
> > Outside of capitulating to the ISP's up-selling requirement,
> > or changing your ISP to one that does not block incoming SSH,
> > the only reliable way I can think of to bypass your ISP's
> > block is to change the port on which you listen for SSH connections.
>
> That doesn't work. The ISP doesn't allow access of any sort
> to the system.

You said you do have another machine which you can reach from elsewhere.
You can run an ssh tunnel from your isolated machine to that other
machine. Then going into that other machine you can get to the isolated
one through the tunnel. It is an extra hop, but as mentioned there is
no way you can get to a NATted machine from outside. The NAT router has
no way of knowing where to deliver the packets addressed to it.
But if you set up a tunnel, then it does since the tunnel has a NAT
address on the router for that ssh tunnel.

Look for example at autossh which you can start up when you boot up that
isolated machine.

Or you can use ssh itself to open up a tunnel from the isolated machine
to the accessible machine.

Re: incoming ssh blocked by ISP

<sm7fmd$378$2@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=240&group=comp.os.linux.networking#240

Newsgroups: comp.os.linux.networking
From: unr...@invalid.ca (William Unruh)
Subject: Re: incoming ssh blocked by ISP
Date: Sun, 7 Nov 2021 03:03:41 -0000 (UTC)
Message-ID: <sm7fmd$378$2@dont-email.me>
References: <sm66vk$hvp$1@dont-email.me> <sm6af0$sst$1@dont-email.me>
<sm6sb6$kru$1@dont-email.me> <sm6tj9$sst$2@dont-email.me>
 by: William Unruh - Sun, 7 Nov 2021 03:03 UTC

On 2021-11-06, Lew Pitcher <lew.pitcher@digitalfreehold.ca> wrote:
> On Sat, 06 Nov 2021 21:33:27 +0000, Bob Tennent wrote:
>
>> On Sat, 6 Nov 2021 16:28:16 -0000 (UTC), Lew Pitcher wrote:
>> > On Sat, 06 Nov 2021 15:28:52 +0000, Bob Tennent wrote:
>> >
>> >> Outgoing ssh works fine and sshd is active. It's not my
>> >> firewall and I use ddclient and zoneedit.com to deal with my
>> >> dynamic IP address.
>> >>
>> >> When I complain to Support at my ISP I'm told to pay for a
>> >> static IP address. Is there any other solution?
>> >
>> > ISPs sell "internet connectivity" to clients, and most consumer-
>> > grade ISPs block datagrams coming from the internet to certain
>> > well-known ports, often either because they "represent a security
>> > exposure" to the client, or because the ISP would like to gain
>> > an additional income from "power users" by up-selling them on
>> > internet connectivity that they do not deliberately block.
>> >
>> > It sounds like your ISP falls into that second category.
>> >
>> > Outside of capitulating to the ISP's up-selling requirement,
>> > or changing your ISP to one that does not block incoming SSH,
>> > the only reliable way I can think of to bypass your ISP's
>> > block is to change the port on which you listen for SSH connections.
>>
>> That doesn't work. The ISP doesn't allow access of any sort
>> to the system.
>
> Nonsense. If your ISP blocks /all/ inbound ports, then your system is
> effectively /not/ connected to the internet: both TCP and UDP require
> that /some/ port be open on each side of the conversation.
>
> However, if your ISP really "doesn't allow access of any sort to the
> system", then what are you paying them for?
>

It is a NATted system. He has a local address of something like
10.5.23.199. The ISP's router then takes an outgoing packet addressed,
say, as originating from 10.5.23.199 port 22 and translates that from
address as originating from the router's address (say 137.29.13.114) and
some random high port, say 22945. It keeps a translation table which says
if a packet comes to that port then send it out to the internal address
10.5.23.199 port 22.

That translation table keeps changing and thus there is no way that
anyone outside would know which port to send anything to. However
external machines know how to reply to packets because the proper reply
address and port is part of the packet. Thus nothing independent can get
in, but the inside machines can connect to the outside.

>
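
The translation-table behaviour described in the post above, and the reason an outbound SSH tunnel stays reachable, as an added Python example that is not part of any poster's message. The addresses 10.5.23.199 and 137.29.13.114 and port 22945 are the post's own illustrations; the relay and stranger addresses, source port 40022, the 120-second idle timeout and the per-peer filtering are assumptions of this model.

```python
"""Toy model of a carrier NAT translation table (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, port)


@dataclass
class Mapping:
    inside: Endpoint    # private endpoint behind the NAT
    remote: Endpoint    # peer the inside host contacted
    last_seen: float    # time of the last outbound packet on this mapping


class CarrierNat:
    def __init__(self, public_ip: str, first_port: int = 22945,
                 idle_timeout: float = 120.0) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout  # assumed value; real devices differ
        self.table: Dict[int, Mapping] = {}

    def _expire(self, now: float) -> None:
        # Drop mappings that saw no outbound traffic for idle_timeout seconds.
        stale = [p for p, m in self.table.items()
                 if now - m.last_seen > self.idle_timeout]
        for port in stale:
            del self.table[port]

    def outbound(self, src: Endpoint, dst: Endpoint, now: float) -> Endpoint:
        """Inside host sends to dst; return the source the outside world sees."""
        self._expire(now)
        for port, m in self.table.items():
            if m.inside == src and m.remote == dst:
                m.last_seen = now          # keepalive refreshes the mapping
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = Mapping(src, dst, now)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst_port: int, now: float) -> Optional[Endpoint]:
        """Packet from src hits public_ip:dst_port; return inside endpoint or None."""
        self._expire(now)
        m = self.table.get(dst_port)
        if m is None or m.remote != src:
            return None                    # no mapping for this peer: dropped
        return m.inside


def demo() -> dict:
    nat = CarrierNat("137.29.13.114")
    host = ("10.5.23.199", 40022)          # constructed ephemeral source port
    relay = ("203.0.113.10", 22)           # constructed reachable machine
    stranger = ("198.51.100.7", 51000)     # constructed unrelated host
    out = {}
    # Nobody inside has spoken yet, so a connection to port 22 has no mapping.
    out["unsolicited"] = nat.inbound(stranger, 22, now=0)
    # The inside host opens the tunnel; the relay sees the translated source.
    out["seen_by_relay"] = nat.outbound(host, relay, now=0)
    ext_port = out["seen_by_relay"][1]
    out["relay_reply"] = nat.inbound(relay, ext_port, now=1)
    out["stranger_guess"] = nat.inbound(stranger, ext_port, now=1)
    # A keepalive at t=60 keeps the mapping alive until t=180.
    nat.outbound(host, relay, now=60)
    out["after_keepalive"] = nat.inbound(relay, ext_port, now=170)
    # Without further outbound traffic the mapping is gone by t=400.
    out["after_idle"] = nat.inbound(relay, ext_port, now=400)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

The last two results show why tools such as autossh, mentioned earlier in the thread, keep re-establishing or refreshing the outbound connection: once the mapping expires, the relay can no longer reach the inside host.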

Re: incoming ssh blocked by ISP

<6187974c$0$4981$426a34cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=241&group=comp.os.linux.networking#241

Newsgroups: comp.os.linux.networking
Subject: Re: incoming ssh blocked by ISP
References: <sm66vk$hvp$1@dont-email.me> <20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me> <sm6rf6$ann$1@dont-email.me>
<61870544$0$20283$426a74cc@news.free.fr>
<cldj5ixeul.ln2@minas-tirith.valinor>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sun, 7 Nov 2021 10:07:24 +0100
In-Reply-To: <cldj5ixeul.ln2@minas-tirith.valinor>
Message-ID: <6187974c$0$4981$426a34cc@news.free.fr>
 by: Pascal Hambourg - Sun, 7 Nov 2021 09:07 UTC

On 06/11/2021 at 23:54, Carlos E. R. wrote:
> On 06/11/2021 23.44, Pascal Hambourg wrote:
>> On 06/11/2021 at 22:18, Bob Tennent wrote:
>>>
>>> Not my theory. The ISP is not allowing me to access the IP
>>> address in any way.
>>
>> How do you know ? What tests did you do ?
>>
>>> I believe they are using some sort of
>>> NAT to conserve IP addresses.
>>
>> We do not care about your beliefs. We need facts.
>
> That paragraph describes perfectly what CGNAT is

And other things too. CGNAT is only one possible explanation, like the
OP's own NAT router is not set up for port forwarding.

> and the symptoms match perfectly.

SymptomS ? All we have is one vague symptom "ISP does not allow access
to the IP address".

> It is impossible to connect to any client of that ISP, they
> are on a 10.*.*.* network, behind a NATting router

I did not see any mention of 10.*.*.* in this thread. Do you have
another information source ?
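
One way to settle the question of which device an address belongs to, as an added Python example that is not part of any poster's message: compare the WAN address shown on the router's status page with the address an external service such as checkip.dyndns.org reports. The function names and verdict labels are hypothetical, and the sample addresses other than 10.5.23.199 and 137.29.13.114 are constructed.

```python
"""Classify a router's WAN address against the externally observed one."""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918
SHARED = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598, set aside for CGNAT
UNUSABLE = [ipaddress.ip_network(n) for n in
            ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical verdict labels and the next check each one suggests.
NEXT_STEP = {
    "cgnat": "WAN address is in 100.64.0.0/10: inbound IPv4 needs the ISP, "
             "IPv6, or an outbound tunnel",
    "upstream-nat": "WAN address is private: carrier NAT or a second router "
                    "in front of this one",
    "direct": "router holds the public address: check its port forwarding "
              "and any ISP port filtering",
    "translated-upstream": "router address differs from the observed one: "
                           "something upstream rewrites the source",
    "no-wan-address": "router has no usable WAN address",
    "bad-observation": "observed address is not public: repeat the external check",
}


def classify(addr: str) -> str:
    """Return 'shared', 'private', 'unusable' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version != 4:
        raise ValueError("this check is about IPv4 reachability only")
    if ip in SHARED:
        return "shared"
    if any(ip in net for net in PRIVATE):
        return "private"
    if any(ip in net for net in UNUSABLE):
        return "unusable"
    return "public"


def diagnose(router_wan: str, observed: str) -> str:
    """Compare the router's own WAN address with the externally seen address."""
    if classify(observed) != "public":
        return "bad-observation"
    wan = classify(router_wan)
    if wan == "shared":
        return "cgnat"
    if wan == "private":
        return "upstream-nat"
    if wan == "unusable":
        return "no-wan-address"
    if ipaddress.ip_address(router_wan.strip()) == ipaddress.ip_address(observed.strip()):
        return "direct"
    return "translated-upstream"


def run_samples() -> list:
    samples = [                       # (router WAN, externally observed)
        ("100.72.14.9", "203.0.113.50"),    # constructed
        ("10.5.23.199", "137.29.13.114"),   # addresses used in the thread
        ("203.0.113.50", "203.0.113.50"),   # constructed
        ("203.0.113.50", "198.51.100.7"),   # constructed
    ]
    return [(wan, seen, diagnose(wan, seen)) for wan, seen in samples]


if __name__ == "__main__":
    for wan, seen, verdict in run_samples():
        print(f"{wan:15} {seen:15} {verdict}: {NEXT_STEP[verdict]}")
```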

Re: incoming ssh blocked by ISP

<20211107102252.1595d91e@ryz>

https://www.novabbs.com/computers/article-flat.php?id=242&group=comp.os.linux.networking#242

Newsgroups: comp.os.linux.networking
From: inva...@invalid.invalid (Marco Moock)
Subject: Re: incoming ssh blocked by ISP
Date: Sun, 7 Nov 2021 10:22:52 +0100
Message-ID: <20211107102252.1595d91e@ryz>
References: <sm66vk$hvp$1@dont-email.me>
<20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me>
<sm6rf6$ann$1@dont-email.me>
 by: Marco Moock - Sun, 7 Nov 2021 09:22 UTC

On Sat, 6 Nov 2021 21:18:30 -0000 (UTC),
Bob Tennent <rdtennent@tennent.ca> wrote:

> Not my theory. The ISP is not allowing me to access the IP
> address in any way. I believe they are using some sort of
> NAT to conserve IP addresses.

Maybe CG-NAT or directly Dual-Stack lite where IPv4 is tunneled over
IPv6 and IPv4 uses NAT. If you have that you can't connect from the
outside by IPv4. Use IPv6 is possible.

Re: incoming ssh blocked by ISP

<6187a1bf$0$8890$426a34cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=243&group=comp.os.linux.networking#243

Newsgroups: comp.os.linux.networking
Subject: Re: incoming ssh blocked by ISP
References: <sm66vk$hvp$1@dont-email.me> <20211106193516.286599e5@ryz>
<sm6mi8$5ns$1@dont-email.me> <sm6rf6$ann$1@dont-email.me>
<20211107102252.1595d91e@ryz>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sun, 7 Nov 2021 10:51:59 +0100
In-Reply-To: <20211107102252.1595d91e@ryz>
Message-ID: <6187a1bf$0$8890$426a34cc@news.free.fr>
 by: Pascal Hambourg - Sun, 7 Nov 2021 09:51 UTC

On 07/11/2021 at 10:22, Marco Moock wrote:
>
> Maybe CG-NAT or directly Dual-Stack lite where IPv4 is tunneled over
> IPv6 and IPv4 uses NAT.

How is that different from IPv4 CGNAT ?
