Firewall – identify a router that cuts certain port

firewallnetwork-protocolsnetworkingrouting

Is there a way to identify which particular router between me and some server blocks connections on certain port?

I am in a hotel in Thailand, where they have recently changed some settings in their equipment, and now I cannot reach any of my servers in Europe and USA by SSH / port 22. More traditional ports like 80 or 21 are open.

traceroute command shows each particular router in the middle. But is there a way to identify one that filters out port 22?

Best Answer

You could probably use tcptraceroute to see where it gets blocked:

$ sudo tcptraceroute ruminant.bitfolk.com 22
Selected device eth0, address 192.168.0.8, port 49071 for outgoing packets
Tracing the path to ruminant.bitfolk.com (85.119.82.121) on TCP port 22 (ssh), 30 hops max
 1  192.168.0.7  0.978 ms  0.556 ms  0.697 ms
 2  192.168.1.1  1.587 ms  1.667 ms  1.681 ms
 3  no-dns-yet-62-3-84-19.zen.co.uk (62.3.84.19)  27.635 ms  26.925 ms  27.658 ms
 4  ge-2-1-0-121.cr2.th-lon.zen.net.uk (62.3.84.213)  28.592 ms  27.971 ms  27.649 ms
 5  linx-gw-a.jump.net.uk (195.66.224.34)  28.614 ms  29.028 ms  63.603 ms
 6  president.bitfolk.com (85.119.80.16)  28.606 ms  28.039 ms  28.657 ms
 7  ruminant.bitfolk.com (85.119.82.121) [open]  28.594 ms  29.030 ms  28.671 ms

Related Solutions

Networking – How to Forward Port to Another IP/Port

You want to set up a VPN on one of your computers, and have the other one log into that one. That way they will appear to be on the same subnet, and have full access to each other without exposing vulnerable ports to the world.

A really good Open Source VPN is OpenVPN. I've only used the server under linux though, so I can't comment on how easy it is to set up on windows.

Another option is to flash your router with dd-wrt firmware. There is a version that includes an OpenVPN server, and would connect your entire network to his.

Firewall – Typical outbound port list for guest access

A general list of ports to open on "guest networks" which are relatively safe:

Outbound TCP:

53                  DNS unless you provide it (yes, TCP. Read the RFCs)
80, 443             Web Browsing
110, 995            EMail (pop3, pop3s)
143, 993            EMail (IMAP, IMAPS)
587                 EMail (SMTP Submission RFC 6409)

Outbound UDP:

53                  DNS again, unless you provide it
123                 NTP (Optional, but nice.)

Inbound TCP/UDP: NONE (Only established stateful connections from the above list)

As others have mentioned, bandwidth throttling may be a more effective way of dealing with torrenters.

As a non-technical measure to protect yourself from action (by your ISP or by copyright holders) you should also provide your renters with an acceptable internet use policy, noting that the renter's use of the internet access is their sole responsibility, illegal activity is not tolerated, and that violations of that policy will result in loss of internet access on this and all future visits.

There are template AUPs, but yours can be as simple or complex as you want, I recommend getting it down to one side of a regular sheet of paper.

Best Answer

Related Solutions

Networking – How to Forward Port to Another IP/Port

Firewall – Typical outbound port list for guest access

Related Topic