Getting around a firewall

Ace69

Senior member
Nov 26, 1999
877
0
0
I am at a university that has recently put in a DHCP/firewall combo and we can no longer host games online. I don't know if it is because of the firewall or of the DHCP in which they give me some 10.x.x.x IP that no one on the 'net can see anyway. I talked to the sysadmin and he said that the firewall is made to stop any kind of server activity. I cannot run FTP, web or telnet servers at all. I have tried HTTptunnel, HTTPort, and Sock2HTTP. All of these did not work at all. Since we do not have a proxy, the HTTPort did not work. It was a good idea, but I could not seem to get it to work. I have even tried connecting to a public proxy and then trying to run my game server from there but to no avail. I play on the zone.com and when people try to connect to my computer it just seems like it blocks them from connecting. I have even tried to have them connect to the public IP that I obtained from the public proxy and it still did not work. Do you think that it is more of a firewall issue or do you think that the DHCP will not let us host because people cannot "see" my computer from the 'net? Can you give any suggestions on how to get around this firewall or the DHCP issue? If you can help, I would greatly appreciate it. My email is ace@risc.usi.edu if you guys think of something that is too long to post in here.

Thanks a lot.
 

EKwan

Junior Member
May 10, 2000
14
0
0
Hello,

I'm sure the network experts in this Forum will explain in more detail, and please correct me if I'm wrong. From what I understand, a hardware based firewall is designed to block/allow access through ports. For example, the common port number for HTTP is 8080. Sysadmin can then configure the firewall to allow access through port number 8080 for users to browse the web. Basically, people can not connect to your computer because the firewall is blocking them. I guess, the only way around this is to ask your Sysadmin to configure the firewall to allow access through the port(s) you want. You might be out of luck if university policy only allows certain ports to be 'open' with the firewall.

Regards,
Edward
 

Ace69

Senior member
Nov 26, 1999
877
0
0
From what I have learned the HTTP traffic port is 80. I may be wrong though. I thought that the apps like the programs that route TCP traffic through the port that the web traffic goes through would work, but I may have been doing it wrong. Also, if and when I get around the firewall, then I have the issue of giving myself a public IP such as 192, 206.x.x.x etc. That is going to be a task also. I am determined to get around this little problem because I just want to know how to do it now, I really don't care about hosting online games anymore. :)
 

Ace69

Senior member
Nov 26, 1999
877
0
0
I refuse to admit that I am at a dead end! I know that there has got to be some way to get past this darn thing!!
 

Agamar

Golden Member
Oct 9, 1999
1,334
0
0
Well, firewalls are made to keep you in and others out. I would suggest finding out what type of firewall your college is using. Then, find out what proxy server they are running (they could be running a unix ipmasq?? maybe). In any event, your chances of actually getting out are fairly slim, but you can always try. Don't go around doing anything stupid though. If you break something, and they find out, they might decide to make an example out of you.
 

CTR

Senior member
Jun 12, 2000
654
0
0
That firewall is for your protection and to reduce the University's liability risks. Did you sign anything that looked like an Acceptable Use Agreement? Beware the consequences!

With that being said: It doesn't sound like you are going to get people on the Internet through the firewall, and you should probably stop trying. Maybe you can get them in behind it.
 

Mr-Mahem

Member
Oct 12, 1999
146
0
0
If you are getting a 10.x.x.x address then your firewall is doing NAT (Network Address Translation) - basically it's converting many IP addresses on the LAN into a single IP address on the internet.
Running any kind of server, or expecting anyone on the internet to connect to your machine is going to be impossible. This is before you even get to the firewall functionality which is DESIGNED to stop people on the internet getting in!

Why is it impossible with NAT???
Put yourself in the NAT unit's position (probably in a dark cupboard :)). If you get a connection request from the internet it will be pointing to the single IP address that is known on the internet... how do you know which of the 10's of IP addresses on the LAN to pass it to??? You don't... you drop the packet.

Sorry - my advice is to accept that sometimes there is no backdoor.

Mr-Mayhem
 

FullMoon

Member
Aug 12, 2000
38
0
0
I installed a Cable/DSL router D-Link and I can't get low pings in the games. Prior to that, I had low pings always. I believe it is that firewall. When I want to play games I might have to go direct again.

 

EKwan

Junior Member
May 10, 2000
14
0
0
Hello,

This is my personal experience. I work in a teaching hospital with more than a thousand users on our network. Hospital policy said the need against 'intrusions' into our network. My best friend is the one responsible for purchasing, configuring and maintaining the digital (hardware-based) firewall. One day, when we were downing a few pints of beer, I asked him if he can let network traffic through Port number 29760 (wink wink, Q3A) through the firewall. His reply was that there are network tools in place that constantly monitor the network traffic, especially the firewall. He and I will be sacked immediately (and no excuses accepted) if he allows any network traffic through other than the specified ports laid down by hospital policy.
The moral of the story is: Be very careful.

Regards,
Edward
 

Ace69

Senior member
Nov 26, 1999
877
0
0
Thanks for all of the help guys. Unfortunately, I have known almost all of the information that you guys gave me. I guess I will just have to count my losses and just be forced to play on other people's games. :(:frown:
 

Spiff

Senior member
Oct 10, 1999
439
0
0


<< Why is it impossible with NAT???
Put yourself in the NAT unit's position (probably in a dark cupboard ). If you get a connection request from the internet it will be pointing to the single IP address that is known on the internet... how do you know which of the 10's of IP addresses on the LAN to pass it to??? You don't... you drop the packet.
>>



This statement is wrong.

The whole point of NAT is address translation. You don't lose the packets because of address translation... the packets are forwarded because of address translation. Ace69's issue is not address translation, it has to do with what is allowed to pass through the firewall.

Ace69, any decent Firewall at a minimum can be configured to deny/allow:

ports
IP address
types of packets
domains


If your network admins are halfway decent at their job, you are not going to be able to run a server for access by external clients. Locally however, you can still host your game server or whatever type of server. Provided there are no internal firewalls as well, the whole campus would have access.
 

Ace69

Senior member
Nov 26, 1999
877
0
0
Thanks for the info, Spiff. We don't have an internal firewall, but I have no idea who is playing this game on campus. Is there any way to find out who opens port 2346? That is the port that Rogue Spear uses. I know that I can do a Class A port scan on the IPs here on campus but that takes forever. Any ideas?
 

namit23

Member
Oct 5, 2000
29
0
0
As far as I know, your university has used a router along with a firewall which does not give a real IP to every machine on the LAN but gives you a virtual IP, i.e. 10.xx.xx.x. This IP address is only valid in your internal network and you cannot ping this IP from anywhere outside the internal network. So now you all in the LAN are under one IP whereas previously you all had individual IPs.
Now the solution is that you change your router settings such that all requests on port 80 of the router are redirected to your IP address, i.e. 10.xx.xx.x, and specify the real IP of your router for your game hosting.
So the requests will be sent to the router and the router will redirect them to your computer as the external computers cannot access your computer directly. For doing this you will have to sneak up and change your router settings. You can do that with telnet.
 

CTR

Senior member
Jun 12, 2000
654
0
0
RS is one of the best LAN games I've ever played. Didn't like it so much over the Internet, but liked it VERY much on LAN. Make some friends on campus, or coerce your existing friends into playing.
 

namit23

Member
Oct 5, 2000
29
0
0
Well, if you could tell me your router's model number and company, then it will be easier for me to give you the exact specifications.
But whatever happens you have to get the router's admin password from the sys admin, then you can do whatever you want. This has nothing to do with the firewall. It's just that you don't have a valid IP address on the net. Your IP is only a virtual one which is only valid for your internal network.
 

Mr-Mahem

Member
Oct 12, 1999
146
0
0
Spiff,

I agree with your NAT comment assuming that the connection is being initiated from the LAN side of the NAT device - yes it does translate multiple IP addresses on the LAN to a single IP address that is then seen on the internet.
However, the original poster's problem was that he wanted to run a server on the LAN behind the NAT device.
Example / explanation:
Take a web server on 10.0.0.80 that is behind a NAT device. The NAT device has a single IP address on the internet of 100.100.100.1
There are also other machines on the LAN 10.0.0.1 - 10.0.0.79
Any connections being initiated from the LAN (e.g. 10.0.0.20) would look like it's coming from 100.100.100.1, and the NAT device would pass any returned packets to the initiating machine on the LAN (10.0.0.20) because it knows where the connection was initiated from.
However if someone wanted to surf to the web server they would have to go to http://100.100.100.1 (they can't use 10.0.0.80 as this is a non routable IP address and is not seen on the internet).
When the NAT device receives a connection request on port 80, how will it know which machine on the LAN to send it to? It will only know if it has been configured to pass all port 80 traffic to 10.0.0.80, or all unsolicited data to 10.0.0.80

This is where the original poster is having problems. If he wants to host a server then he needs to get the SysAdmin to config the firewall to allow in the connections, and the NAT device to forward data for the used port to his LAN IP address.
However (again) his IP address is allocated via DHCP so there is a chance his IP address will change!

Mr-Mayhem
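
Added example, not part of any post in this thread: a toy Python model of the NAT behaviour described above, using the post's addresses (10.0.0.80, 10.0.0.20, 100.100.100.1). The `Nat` class, the internet host addresses and the starting port are constructed for illustration; real NAT devices track more state than this.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "100.100.100.1"  # the NAT device's single internet address (from the post)

@dataclass
class Nat:
    # public port -> (lan_ip, lan_port); static rules entered by the admin
    forwards: dict = field(default_factory=dict)
    # public port -> (lan_ip, lan_port, remote); learned from outbound traffic
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000  # constructed start of the ephemeral port range

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a connection: rewrite the source, remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (lan_ip, lan_port, remote)
        return (PUBLIC_IP, pub_port)

    def inbound(self, remote, dst_port):
        """A packet arrives from the internet for PUBLIC_IP:dst_port."""
        sess = self.sessions.get(dst_port)
        if sess and sess[2] == remote:   # reply to a LAN-initiated connection
            return sess[:2]
        if dst_port in self.forwards:    # admin-configured port forward
            return self.forwards[dst_port]
        return None                      # unsolicited and no rule: dropped

def demo():
    nat = Nat()
    visitor = ("198.51.100.7", 51000)    # constructed internet client
    site = ("198.51.100.9", 80)          # constructed internet web site
    out = {}
    # 1. Nobody on the LAN asked for this packet and no rule exists.
    out["unsolicited"] = nat.inbound(visitor, 80)
    # 2. 10.0.0.20 browses out; the returning packet finds its way back.
    src = nat.outbound("10.0.0.20", 3456, site)
    out["reply"] = nat.inbound(site, src[1])
    # 3. The admin forwards port 80 to the web server at 10.0.0.80.
    nat.forwards[80] = ("10.0.0.80", 80)
    out["forwarded"] = nat.inbound(visitor, 80)
    return out

if __name__ == "__main__":
    print(demo())
```

The static rule in step 3 points at a fixed LAN address, which is why a changing DHCP lease would break it.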
 

namit23

Member
Oct 5, 2000
29
0
0
I fully agree with you, Mahem.
He has to get port 80 of the router forwarded to his virtual LAN IP.
That's his only chance.
Can one of those Static IP softwares be used?
Go to http://www.dynip.com/
These people give you a static name like http://namit.dynip.com and they have a client installed on your machine. So every time you are online and a person enters your static name in the browser, their servers redirect the request to your computer by interacting with the client installed on your computer. I don't know if this will work with a router, but it's surely worth a try. There are many other companies like this one. You can try a few, they might solve your problem.
 

Ace69

Senior member
Nov 26, 1999
877
0
0
I always and I mean always get the same IP. I have been on a DHCP for a year now and I have had the same IP all the time. So I guess the only way is for the sysadmin to let the traffic through? If this is the only way then there is no way that I am going to be able to do this because the firewall's whole purpose is to not let us run any kind of server so if I went over to him and said, "Hey Joe, why don't you let my server traffic run to my computer?". He would say, "What are you smoking, Adam, you know that is the whole reason that that is there!" and probably laugh in my face so I think that it is safe to say that that is not going to happen. ;)
 

Mr-Mahem

Member
Oct 12, 1999
146
0
0
Namit23...

I still don't think that would work as you still need to tell the NAT device which (dynamic) IP address to forward the data to. Unless the dynip client is in constant communication with the dynip servers that is - thus ensuring the NAT device would know where to pass the data to.

Mr-Mayhem
 

namit23

Member
Oct 5, 2000
29
0
0
But I still think that can work. Cause the dynip client directly contacts the dynip server and then the redirection takes place. I have a strong feeling that might work. I tried it out at my place with a router and six computers, I had dynip installed on one of the machines and when I typed in namit.dynip.com from anywhere my site running on PWS on that comp. where I had installed the client would open up. So it's worth a try. And if that works then it means oops for Ace69. Try it out.
 

Spiff

Senior member
Oct 10, 1999
439
0
0
Mr-Mahem, in your original explanation of NAT, your statements were very broad in scope and did have the detail you later provided. I wanted to ensure that people understood that NAT does not drop all incoming traffic. There are already tons of misconceptions on this board about how OS' work and networking works... so it's good. In fact I should have gone further and explained the client request forwarding as well, so we were both too general in our original posts :cool:

namit23, dynip will not matter, since the firewall must still pass "client requests" through to the server... and if the firewall is not allowing this, then it will not work. The firewall is the gatekeeper... it holds the keys to anything coming in or out.
 

Ace69

Senior member
Nov 26, 1999
877
0
0
Do you think I could try the dynip and get a static hostname and then tell the people that I want to host to connect to that name or the IP of my firewall?