# how does an ISP block ports?

## Monkeywrench

Title explains. The web site for my ISP (bellsouth) says that they don't allow customers to run servers (at least for my service plan). I'm just wondering how this works. Is it just port blocking of /all/ ports? Is there a way to get around it?

More on the technical side: does the ISP just block all SYN requests to my computer? That would explain why I can upload information, send files over AIM/IRC/whatever, and stuff like that.

Thanks for the help

----------

## bk0

They usually don't block ports outright (except maybe TCP port 25), they just monitor customers for "unusual" incoming traffic. If they detect anything they'll terminate your service or make you pay for their more expensive business-class plans.

The solution is to run your services on random non-standard ports and keep the traffic to a minimum. You might get caught anyway depending on how anal they are.

----------

## mirko_3

AFAIK, they simply block some ports... For example, my ISP (Tiscali) is blocking port 25, and no nmap scan can detect the postfix service that is running there  :Sad: 

----------

## nielchiano

*mirko_3 wrote:*

> my ISP (Tiscali) is blocking port 25

and they're damn right to do so... unless you want to promote spam...

Yes, I know, YOUR server will probably be secured by at least an IP-range restriction, won't allow relaying and REQUIRES you to use TLS AND login; but most mail servers aren't that restrictive and can easily be used to send SPAM all over the place. And guess at which address the dept. of justice is going to be? Yep, yours, since YOU sent that mail.

----------

## mirko_3

Yeah, I know, I'm not saying they're wrong or anything... just an example. And, I believe they don't block SYN packets, but all traffic to *:25...

----------

## nielchiano

*mirko_3 wrote:*

> I believe they don't block SYN packets, but all traffic to *:25...

Doesn't matter. If they block SYNs to TCP/25, everything else won't get through either, since you can't set up a connection... that's the nice thing about TCP... if you block the very first SYN packet, you are effectively blocking the connection.

Yeah, sure, you can send UDP-like packets to that TCP port, but no mail client will do so.

----------

## zerojay

I don't believe that Bellsouth blocks any ports at the moment. Almost all ISPs say that you are not allowed to run servers on your connection but are not active about enforcing it unless you become a huge bandwidth drain. By the way, BitTorrent does count as a server.

----------

## Monkeywrench

Curious. I've spent quite a few afternoons trying to set up an http server... I was thinking it was something wrong with my modem/router config, but then I read somewhere that Bellsouth doesn't allow servers. I tried having the server on port 80 as well as 8000...

----------

## zerojay

*Monkeywrench wrote:*

> Curious. I've spent quite a few afternoons trying to set up an http server... I was thinking it was something wrong with my modem/router config, but then I read somewhere that Bellsouth doesn't allow servers. I tried having the server on port 80 as well as 8000...

Like I said, almost all ISPs disallow servers, but not that many actually block the ports for them. Try running Apache on some strange port number like 65121 and see if it's accessible. Make sure the port number is a part of the URL you give your browser as well.

----------

## Monkeywrench

Okay, maybe I'm missing something huge here. Just in case, I'll post exactly what I've done to try to set up a server:

1) Both my DSL modem (Wirespeed) and D-Link Wireless router are routers. (Yes, stupidity on my part). I've read that, to avoid issues, I should select "Bridged Ethernet" for the modem via the http configuration interface (192.168.1.254). I've done that. Now, 192.168.1.254 doesn't lead me anywhere, which is normal behavior as I understand, and my D-link now has the responsibility of the PPPoE connection. It's doing this correctly.

2) I've tried to open a port to test a server with on the D-link's firewall config page. I was unsure if I was doing it right, so I scrapped the rule and just decided to put the computer that will be acting as a server (192.168.0.100) on the DMZ so access to it wouldn't be filtered.

3) I use gnump3d as an ogg vorbis server for my LAN. So I set the config to allow all IPs to connect, not just 192.168.0.*. I set the port to 3388. Keep in mind, gnump3d is running on 192.168.0.100. Now, I can connect to 192.168.0.100:3388 without any issues. But when I substitute 192.168.0.100 with my external IP address, nothing happens.

4) As a test, I set the port number for gnump3d to 24. Then I ran nmap on my local machine. Port 24 showed up as open. Then, I ran nmap on my external IP. Port 80 and 8080 showed up as open (the http config interface).

Am I doing something horribly wrong?

Since we're already on the topic of my networking incompetence: here's another question. If my LAN has two computers, 192.168.0.100 and 192.168.0.101, and the external IP of the network is 66.66.66.66, what would happen if I ran two Apaches on port 80 of both computers? More specifically, what would happen if I tried to connect with my browser to 66.66.66.66? Which computer would I connect to?

If you've read all of the above, kudos. If you can help me with any of the above..  :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Boris27

Monkeywrench: You have to specifically tell your router what to do with incoming connections from the outside world. So you could say that all incoming over port 80 should go to your webserver. You can not specify 2 IP's listening behind port 80 (with a household router), so that dual webserver thingy is out.

----------

## Monkeywrench

Thanks for the reply boris. Here's what I've done:

1) Removed 192.168.0.100 from DMZ

2) Added the following rule to the D-link firewall:

Allow connections from WAN to LAN,192.168.0.100 on TCP port 8833. (I've emerged Boa to run on 8833. It's working correctly, since localhost:8833 takes me to the index.html page I set up.)

So now, when I paste my external IP address (68.220.138.181) into Firefox's address bar, I go to my D-link router config. When I paste in 68.220.138.181:8833, Firefox just sits there trying to load a page, but nothing ever turns up.

By the way, I have no iptables rules set up.

 :Sad:  someone know what's up?

----------

## Monkeywrench

*bump* anyone?  :Sad: 

----------

## nukem996

Here is what happened to us. We use optonline for our cable ISP. We have had it for a very long time, but all of a sudden one day we seemed to have slowed down. My dad and I both use bittorrent for various things, Knoppix, Doom III Demo, etc., all legal things. When we called optonline they said they capped us (limited our upload/download rate) because we were running a server; this server was bittorrent. They didn't care it was legal, it was still a server to them. The only way we can get around it is to upgrade to the business level or turn the download off every 15 min for 15 min. Funny enough, on my grandparents' computer, which is on roadrunner cable, I've been running an SSH server for about 6 months and using bittorrent there and nothing has happened yet.

----------

## xbmodder

OK, this is what you need to do: get a shell somewhere (I recommend ct sqaure) and read up on http tunnel! w00t!

----------

## Monkeywrench

*xbmodder wrote:*

> OK, this is what you need to do: get a shell somewhere (I recommend ct sqaure) and read up on http tunnel! w00t!

Um.. I'd much rather run it from my own box?

Anyone have any ideas?  :Sad: 

----------

## srlinuxx

*DarkStalker wrote:*

> I don't believe that Bellsouth blocks any ports at the moment. Almost all ISPs say that you are not allowed to run servers on your connection but are not active about enforcing it unless you become a huge bandwidth drain. By the way, BitTorrent does count as a server.

Yeah, they do.  I use bellsouth and had to upgrade to business accounts to use port 25.  Someone had given me a link to where they state they do that in order to cut down on spam, but I don't have it handy.  It's in one of my old threads of similar subject.  

But yeah, bellsouth blocks port 25 to residential accounts.   :Sad:   pisses me off...

----------

## duhblow7

An ISP cannot block all ports, so they typically block the common ports, such as 21, 22, 25, 53, 80, 110, 139, etc. Sometimes you can run your webserver (or any other service) on ports >1024 (or even better >50,000) and define the port on the client side.

A lot of ISPs are blocking TCP outgoing connections on port 25 EXCEPT to the ISP's mail server. Some other ISPs are routing all outgoing traffic on port 25 to their mail server, so even if you set up your own 3rd-party SMTP server, all traffic is routed back to the ISP.

Cox Internet and MSN are known to block outgoing port 25.
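The two points above (nielchiano's that a TCP connection cannot exist without its first SYN, and duhblow7's that many ISPs filter TCP/25 or a handful of well-known ports) can be checked from your own machine. The script below is an added example, not code from this thread: it distinguishes the three things a connect attempt can come back with. A completed handshake means the port is open; an immediate "connection refused" means the far host answered the SYN with a RST, so the path is clear and nothing is listening; a silent timeout means the SYN (or its reply) was dropped somewhere on the way, which is what an ISP port block looks like from the client side. The local listener and the `smtp.example.net` hostname in the comment are placeholders for the demo.

```python
import socket


def classify_tcp_connect(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and report what came back.

    'open'     -> SYN/ACK received, handshake completed
    'refused'  -> RST received: host reachable, nothing listening there
    'filtered' -> nothing at all within `timeout`: the SYN (or the reply)
                  was dropped on the path, i.e. the port is being filtered
    anything else is reported as 'error:<errno>' (no route, unreachable ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        return f"error:{exc.errno}"


def probe_ports(host, ports, timeout=3.0):
    """Classify several ports on one host; returns {port: verdict}."""
    return {p: classify_tcp_connect(host, p, timeout) for p in ports}


def start_local_listener():
    """Bind a throwaway listener on 127.0.0.1 (ephemeral port) so the demo
    has a known-open port without touching the network (constructed input)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def pick_closed_port():
    """Grab and immediately release an ephemeral port so it is closed
    (reachable, but answered with a RST) for the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    # Expected: {open_port: 'open', closed_port: 'refused'}
    print(probe_ports("127.0.0.1", [open_port, pick_closed_port()], timeout=1.0))
    srv.close()
    # To see whether your own outbound TCP/25 is filtered, compare the verdict
    # for your ISP's relay with the one for the mail host you normally use
    # (hostname below is a placeholder, not a real server):
    #   probe_ports("smtp.example.net", [25, 587], timeout=5.0)
```

A `filtered` verdict on port 25 next to an `open` or `refused` verdict on 587 at the same host is the signature duhblow7 describes: the path is fine, only that one port never gets its SYN through.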

----------

## Pyroneus

What some ISPs do is update your IP every 10 seconds or something, which would make it hard to run a server for everyone to access.

----------

## Monkeywrench

*Pyroneus wrote:*

> What some ISPs do is update your IP every 10 seconds or something, which would make it hard to run a server for everyone to access.

Um.. Are you sure that happens? Wouldn't that mean connections to IRC would be severed every 10 seconds? All downloads would stop every 10 seconds? ...

Anyway. As I stated above, I was using port numbers like 8888 for boa, and no go. I'll try 50001, as soon as I fucking get boa to work again..

----------

## rex123

Maybe I've missed something obvious here, but...

You are working on a server running a service on port X. You can access that port locally (e.g. telnet localhost X).

You then set up a firewall/router so that access from a given external interface (a.b.c.d) gets directed to your server.

Now you try telnet a.b.c.d X from your server, and expect it to respond... but it doesn't.

You aren't actually testing the right thing - you should be testing by trying to make a connection from outside your network.

Also, you are thinking that your ISP is blocking the traffic, but your requests are completely local - and don't travel to your ISP at all.

Unless I'm badly mistaken, this is primarily a firewall setup issue, not an ISP issue.

----------

## Monkeywrench

Everything you assumed was correct. But now I'm confused... so you're saying that if I try to access 63.123.92.14:5000, assuming that 63.123.92.14 is my external IP, and 5000 is my port, my request doesn't actually ever get to my ISP? This is most curious...  :Sad: 

----------

## DaveArb

Most routers (all that I've used) block accessing their external port from their LAN side. In the case of Netgears at least, hitting its external IP from LAN brings up a login request for the router configuration.

Dave

----------

## Monkeywrench

Here:

```
Action   Name        Source   Destination          Protocol
Allow    elecherok   *,*      LAN,192.168.0.100    TCP,50000
Deny     Default     *,*      LAN,*                IP (0),*
Allow    Default     LAN,*    *,*                  IP (0),*
```

See? 192.168.0.100 is the internal IP of the web server. 50000 is the port it's open on. I can't move the rule up or down, so what could I possibly be doing wrong?  :Sad: 

Thanks to everyone for continually trying to help me, though  :Smile:  *hugs community*

----------

## DaveArb

One of us isn't understanding the other's response...  :Wink: 

I hold in my hand a D-Link DI-604 (a wired router). Looking on the back, there's a "WAN" port, and four numbered ports that I'll refer to as "LAN". All connections to your wireless router are also "LAN" ports.

If the WAN port is configured as IP 66.67.68.69, and you are connected via any LAN port, accessing 66.67.68.69 will not work as expected. No matter how the "DMZ" settings are made, no matter what port. This is by design.

From outside your LAN, accessing 66.67.68.69 may or may not work, but from the LAN side it won't. I would bet a quarter on that.

Dave
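The behaviour DaveArb describes, together with Boris27's point that one external port can only be forwarded to one internal host, is easiest to see as a decision table. The model below is an added example, not code from this thread or from any D-Link firmware: a tiny simulation of the choices a consumer NAT router makes per packet, using Monkeywrench's rule (Allow *,* to LAN,192.168.0.100 on TCP 50000), the 66.67.68.69 WAN address from the post above, a constructed outside address 203.0.113.7, and a `hairpin_nat` switch that stands in for the "NAT loopback" feature some routers offer, where the router also rewrites the source address so the LAN server's reply comes back through it instead of going straight to the LAN client.

```python
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.0."   # Monkeywrench's LAN (assumed /24)


@dataclass
class Router:
    wan_ip: str
    # Router's own services reachable on its WAN address; Monkeywrench's nmap
    # saw 80 and 8080 from outside. (From a defender's view, the admin UI is
    # something to keep off the WAN side entirely.)
    admin_ports: set = field(default_factory=lambda: {("tcp", 80), ("tcp", 8080)})
    forwards: dict = field(default_factory=dict)   # (proto, ext_port) -> (lan_ip, lan_port)
    hairpin_nat: bool = False                      # "NAT loopback" support (assumed switch)

    def add_forward(self, proto, ext_port, lan_ip, lan_port):
        """One external port maps to exactly one internal host (Boris27's point)."""
        key = (proto, ext_port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{ext_port} already forwarded to {self.forwards[key]}")
        self.forwards[key] = (lan_ip, lan_port)

    def handle(self, src_ip, dst_ip, proto, dport):
        """Return what the router does with a packet, as a short verdict string."""
        ingress = "LAN" if src_ip.startswith(LAN_PREFIX) else "WAN"
        if dst_ip.startswith(LAN_PREFIX):
            # Private destination: LAN-to-LAN never needs NAT; from the WAN it is
            # unroutable and hits the "Deny Default *,* -> LAN,*" rule.
            return "delivered to LAN host" if ingress == "LAN" else "dropped (deny default)"
        if dst_ip != self.wan_ip:
            # Outbound to the Internet: "Allow Default LAN,* -> *,*", source
            # rewritten to wan_ip on the way out.
            return "masqueraded to internet" if ingress == "LAN" else "not for us"
        # The destination is the router's own WAN address.
        key = (proto, dport)
        if ingress == "WAN":
            if key in self.forwards:
                lan_ip, lan_port = self.forwards[key]
                return f"DNAT -> {lan_ip}:{lan_port}"
            if key in self.admin_ports:
                return "router admin interface"
            return "dropped (no forward)"
        # A LAN client addressing the WAN IP: the packet never leaves the router,
        # so the ISP is not involved at all (rex123's point).
        if key in self.admin_ports:
            return "router admin interface"
        if key in self.forwards and self.hairpin_nat:
            lan_ip, lan_port = self.forwards[key]
            return f"DNAT -> {lan_ip}:{lan_port} + SNAT {self.wan_ip} (hairpin)"
        return "no answer (router owns the address; no hairpin NAT)"


def demo():
    """Monkeywrench's setup: Boa on 192.168.0.100:50000, tested from inside and outside."""
    r = Router(wan_ip="66.67.68.69")
    r.add_forward("tcp", 50000, "192.168.0.100", 50000)
    return {
        "internet -> wan:50000": r.handle("203.0.113.7", r.wan_ip, "tcp", 50000),
        "lan -> wan:50000": r.handle("192.168.0.101", r.wan_ip, "tcp", 50000),
        "lan -> wan:80": r.handle("192.168.0.101", r.wan_ip, "tcp", 80),
        "lan -> 192.168.0.100:50000": r.handle("192.168.0.101", "192.168.0.100", "tcp", 50000),
        "internet -> 192.168.0.100:50000": r.handle("203.0.113.7", "192.168.0.100", "tcp", 50000),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:34s} {verdict}")
```

The second row of the demo is exactly what Monkeywrench saw: the browser on the LAN sends its SYN to the router's own address, the router has no reason to forward it, and nothing ever comes back. The first row is the test a friend or an outside proxy performs, and it is the only row the ISP could have interfered with.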

----------

## Monkeywrench

Ah, yes there was some misunderstanding. Thanks, I'll try to figure this out.

Hm, would I be able to access the web server correctly if I connected through a proxy server with the browser?   :Embarassed: 

----------

## DaveArb

*Monkeywrench wrote:*

> Hm, would I be able to access the web server correctly if I connected through a proxy server with the browser?

Where is the hypothetical proxy server? If outside your network, I don't see why it wouldn't. If inside, I would not expect it to.

If you are just trying to see if the server is accessible, can you just have a friend try to access it?

Dave

----------

## Monkeywrench

Dave, thanks a bunch. It works! It was like an epiphany, it was beautiful. I used an outside proxy server to connect to my external IP, and it worked.

Thanks to everyone who helped me out here  :Smile: 

One more question remains though... how come I don't see my external IP the same way others do?

----------

## DaveArb

*Monkeywrench wrote:*

> how come I don't see my external IP the same way others do?

Glad it worked for you.

It's been a long time since I researched the actual reason routers work this way. If I recall correctly, it is part of the router loop detection routine that causes this. All routers that I'm familiar with (including Linuxen operating as routers) exhibit this behavior.

Dave

----------

