Why you should read your ISP’s Customer Conduct Code

The idea:

Install ConnectBot on my HTC Hero and connect to my home ssh server to attach to my Screen session.
‘Why?’ you ask? Because we can!

The process:

  1. Create a DynDNS account
  2. Configure my router to automatically update the DynDNS service
  3. Set up the ssh daemon on my desktop
  4. Set up the screen session and configure irssi
  5. Forward the default ssh port (22) to my desktop PC, which has a fixed IP
  6. Drink a coffee.
  7. Add the needed credentials to ConnectBot’s configuration

The Result:

I turn off my phone’s WiFi so the phone switches automatically to the PROXIMUS 3G network.
I fire up the ConnectBot app and start the ssh connection to my foobar.dyndns.org location.
The phone gently points out that it’s trying to connect to the host.
After some nail-biting, it lets me know that the connection has timed out.

So far : Fail!

So now I have to search for the cause of this connection timeout.
First I fire up the inbound log of my router, which doesn’t show me any blocked requests from my phone’s IP.
There were, however, traces of an accepted connection, but I overlooked them because I was looking for the place where the request was stopped.
So I started to monitor the log files on my desktop.

tail -f /var/log/messages
tail -f /var/log/auth.log

As I try to make new connections from my phone with different settings in ConnectBot (e.g. optimize for slow connections), I can’t find anything in the log files.
I start to adjust the time-out settings and reverse DNS lookups in /etc/ssh/sshd_config, as I suspect a too slow connection to be the problem.
To verify the settings of ConnectBot I try to log in over WiFi, and this works just fine. Nothing suspicious shows up in the log files either.

I set up a VPN connection to HoGent and try to create an SSL connection back. This one fails as well.
So far the options I have to test my setup from the WAN side… a phone and a VPN connection to a place where I don’t even know whether it lets my SSH request through.

So I call a friend to try and make a connection to my desktop and, to my surprise, it works!
Then I turn to the #Ubuntu-be channel on Freenode to ask if they could try to make a connection.
It turns out they can’t connect.

So some people can connect from the WAN side and some others can’t… strange.
Then all of a sudden, someone from the IRC channel points out that Telenet (my ISP) blocks all inbound ports < 1024 from other networks (e.g. non-Telenet clients).
They explain this on this page (in Dutch).
I took the liberty of shamelessly translating it with Google Translate and posting the output here:

The Internet has long not been limited to surfing and e-mail. Every day new applications appear that make new demands not only on your computer but also on the Telenet network. The service Telenet provides is a best-effort service, which means that choices sometimes have to be made about which applications are or are not supported.

The applications on which Telenet focuses its support:
– E-mail (POP / SMTP)
– Web browsing (http)
– FTP
– IRC
– Usenet

In addition, for the security of the network and of a number of users, Telenet has closed ports on the network. On the residential product range of Telenet Internet, all incoming ports below 1024 are closed. Outgoing port 25 (SMTP) is closed. There are also some specific ports closed for security reasons. As new applications, threats, viruses, worms and the like emerge, Telenet wants its policies to match these new developments at all times.

So far the freedom on the internet… when you’re connected over Telenet’s services.

Solution:

I changed the port SSH is listening on to one bigger than 1023, adjusted my settings in ConnectBot and fired it up.
Guess what, it worked!
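An added diagnostic script, not part of the original post, that captures the two lessons above: it reads the Port directives of an sshd_config (a missing directive means the default 22, which this ISP policy filters inbound), and it classifies a TCP probe so that a plain timeout (no answer, nothing in auth.log) is recognised as upstream filtering rather than a server-side problem. The config fragments and the loopback listener are constructed for the demo.

```python
"""Check an sshd_config against an ISP that drops inbound ports below 1024, and
classify a TCP probe so a timeout is not mistaken for a server-side problem."""
import socket

RESERVED_PORT_LIMIT = 1024  # residential policy from the post: inbound ports < 1024 are closed

# Constructed sshd_config fragments for the demo (not the author's real files).
DEFAULT_CONFIG = "# no Port directive: sshd listens on 22\nPermitRootLogin no\n"
MOVED_CONFIG = "# moved above 1023, as in the post\nPort 2222\nPermitRootLogin no\n"


def sshd_ports(config_text):
    """Return the Port directives of an sshd_config; no directive means the default, 22."""
    ports = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comment lines
        key, _, value = line.partition(" ")
        if key.lower() == "port" and value.strip().isdigit():
            ports.append(int(value.strip()))
    return ports or [22]


def isp_blocked_ports(config_text):
    """Listening ports to which the ISP never delivers inbound traffic."""
    return [p for p in sshd_ports(config_text) if p < RESERVED_PORT_LIMIT]


def probe(host, port, timeout=5.0):
    """Classify a TCP connect: 'open', 'refused' (host reached, nothing listening)
    or 'filtered' (no answer at all, e.g. dropped upstream by the ISP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                                  # timeout, no route, ...
        return "filtered"


def probe_local_demo():
    """Probe a loopback listener while it is up, then again after it is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("moved", MOVED_CONFIG)):
        print(name, "listens on", sshd_ports(cfg), "blocked by ISP:", isp_blocked_ports(cfg))
    print("loopback probe (listening, closed):", probe_local_demo())
```

Run `probe()` against your DynDNS name from a host outside the ISP's network: 'refused' means the packet reached your router, 'filtered' with nothing in auth.log means it never got there.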

Conclusion:

I’ve wasted 4 hours on something because I didn’t read my ISP’s conduct code. 🙁
