[IPTABLES] My computer SHOULD be reachable...


dae3
08-19-09, 07:04 PM
# iptables -V
iptables v1.4.2
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So why is online port scanner Shields Up¹ reporting "Stealth mode" for
all ports and why isn't my BitTorrent reachable?

My ISP says they aren't blocking or filtering ports, and my ADSL modem
has no onboard firewall.

I must be missing something but I don't know what it is. Do you?


Note:
¹ <http://www.grc.com/intro.htm>
Other online port scanners are reporting similar results.


--
~> cat /etc/*-{version,release}|head -n1 && uname -moprs|fold -sw72
Slackware 12.2.0
Linux 2.6.27.7-crrm i686 AMD Turion(tm) 64 Mobile Technology MK-36
GNU/Linux

Grant Taylor
08-19-09, 08:50 PM
On 8/19/2009 7:04 PM, dae3 wrote:
> So why is online port scanner Shields Up¹ reporting "Stealth mode"
> for all ports and why isn't my BitTorrent reachable?

Do you have a globally routable IP on your machine?

> My ISP says they aren't blocking or filtering ports, and my ADSL
> modem has no onboard firewall.

To confirm: Is your ADSL modem bridging, or otherwise routing globally
routable IPs to your computer?

> I must be missing something but I don't know what it is. Do you?

We need to know more about your configuration before we can really say.



Grant. . . .

Volker Birk
08-20-09, 02:10 AM
In comp.security.firewalls dae3 <7252d9cf@example.invalid> wrote:
> So why is online port scanner Shields Up¹ reporting "Stealth mode" for
> all ports and why isn't my BitTorrent reachable?
> My ISP says they aren't blocking or filtering ports, and my ADSL modem
> has no onboard firewall.
> I must be missing something but I don't know what it is. Do you?

Something on the line definitely *is* filtering.

Yours,
VB.
--
"You are only what I approve."

A caseworker at the Mülheim/Ruhr social welfare office, to a "customer"

enos76
08-20-09, 02:28 AM
dae3 wrote:

> # iptables [DEFAULT POLICIES ACCEPT...]
> why is online port scanner Shields Up¹ reporting "Stealth mode" for
> all ports and why isn't my BitTorrent reachable?
>
> My ISP says they aren't blocking or filtering ports, and my ADSL modem
> has no onboard firewall. [...]


Are you sure you're using an ADSL modem (which exposes your interface on
the Internet) and not some kind of ADSL Router?

Routers need to have reverse NAT enabled, in order to pass outer requests
to your computer, otherwise they just drop the incoming packets that are
unrelated to already established connections.

--
enos76

Robby Workman
08-20-09, 02:48 AM
On 2009-08-20, dae3 <7252d9cf@example.invalid> wrote:
> # iptables -V
> iptables v1.4.2
> # iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> #
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> So why is online port scanner Shields Up¹ reporting "Stealth mode" for
> all ports and why isn't my BitTorrent reachable?
>
> My ISP says they aren't blocking or filtering ports, and my ADSL modem
> has no onboard firewall.
>
> I must be missing something but I don't know what it is. Do you?


Several possibilities come to mind:

1. The person at your ISP is lying.
2. The person at your ISP doesn't know, so he/she gave the answer
he/she thought you wanted to hear.
3. Your modem *does* have filtering capabilities.

-RW

Sidney Lambe
08-20-09, 03:35 AM
dae3 <7252d9cf@example.invalid> wrote:
> # iptables -V
> iptables v1.4.2
> # iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> #
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> So why is online port scanner Shields Up¹ reporting "Stealth mode" for
> all ports and why isn't my BitTorrent reachable?
>
> My ISP says they aren't blocking or filtering ports, and my ADSL modem
> has no onboard firewall.
>
> I must be missing something but I don't know what it is. Do you?
>
>
> Note:
> ¹ <http://www.grc.com/intro.htm>
> Other online port scanners are reporting similar results.
>
>

My ISP modem has a firewall that you can disable or enable. And
a port forwarding control which requires that you enter your IP
in a form. It actually has a webserver that you connect to with a
browser. I had to get the password from tech support. If port
forwarding isn't configured properly and enabled (by checking a
box), you won't get any connections from the net. The firewall
could cause problems, too.

You probably don't have the same ISP, but something similar could
well be going on.

Most ISPs block a lot of ports below 500. I always choose one
over 1000 if possible.


Sid

enos76
08-20-09, 05:23 AM
Robby Workman wrote:
>> So why is online port scanner Shields Up¹ reporting "Stealth mode" for
>> all ports and why isn't my BitTorrent reachable?
>
> Several possibilities come to mind: [...]

At work I had some of the most difficult times when trying to solve
problems before verifying what the customer said.

He may be using a router, not a modem, and he may just have to enable
port forwarding on it.

--
enos76

dae3
08-20-09, 09:03 AM
enos76 <enos76@gmail.com> wrote:

> At work I had some of the most difficult times when trying to solve
> problems before verifying what the customer said.
>
> He may be using a router, not a modem, and he may just have to enable
> port forwarding on it.


I'm 100% sure I'm using a modem, not a router. The modem is not even
user-configurable (it would need a password that only the manufacturer
knows and won't disclose).

I've had this modem for 5 years and I know I used to be able to open
ports on this computer just by telling iptables what to let in.



dae3
08-20-09, 09:09 AM
Grant Taylor <gtaylor@riverviewtech.net> wrote:

> Do you have a globally routable IP on your machine?


No, I have a 192.168.1.x/24 address for the ethernet interface, which is
on the same subnet as the modem (the modem is 192.168.1.1, LAN-side).

Internet-side, my ISP leases my modem a variable IP that is globally
routable.


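Grant's question and dae3's answer contain the whole diagnosis: a host that carries a private 192.168.1.x address while the scanner sees a different, public address is behind address translation, so the device in front of it is doing NAT regardless of what the box is called, and the host's ACCEPT policies cannot by themselves make a port reachable. The script below is an added example, not code from any poster, that turns that comparison into a repeatable check; the interface name eth0 in the usage comment and the sample addresses are assumptions.

```shell
#!/bin/sh
# is_private_ipv4 ADDR -> 0 if ADDR is in an RFC 1918 range, 1 if it is not,
# 2 if ADDR is not a well-formed dotted quad. POSIX sh only, no external tools.
is_private_ipv4() {
    addr=$1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 2 ;;
        esac
        [ "$o" -le 255 ] || return 2
    done
    a=$1; b=$2
    # 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are the RFC 1918 blocks.
    if [ "$a" -eq 10 ]; then return 0; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi
    return 1
}

# classify_path LAN_IP SEEN_IP -> prints a verdict comparing the address held
# by the local interface with the address a remote scanner reports seeing.
classify_path() {
    lan_ip=$1; seen_ip=$2
    rc=0; is_private_ipv4 "$lan_ip" || rc=$?
    case $rc in
        2) echo "invalid"; return 2 ;;
        0) # Private on the wire: the scanner can only be seeing a translated
           # address, so incoming ports need a forwarding rule on the NAT device.
           if [ "$lan_ip" = "$seen_ip" ]; then echo "inconsistent"; else echo "nat"; fi ;;
        1) # Host holds a public address: host iptables alone decides reachability
           # only when the scanner sees that same address.
           if [ "$lan_ip" = "$seen_ip" ]; then echo "direct"; else echo "translated-upstream"; fi ;;
    esac
}

# Usage on a live box (eth0 and the scanner-reported address are assumptions):
#   lan=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1)
#   classify_path "$lan" "203.0.113.7"   # second argument: what the scanner saw
```

A verdict of "nat" is exactly dae3's situation in this thread: the ACCEPT policies on the host are irrelevant until the translating device forwards the port.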

enos76
08-20-09, 12:18 PM
dae3 wrote:
> [...] I'm 100% sure I'm using a modem, not a router [...]

I see, forgive my allegation. Is the IP address of your ppp interface
equal to the one that is detected by the online scanning tools?

--
enos76

dae3
08-20-09, 02:14 PM
enos76 <enos76@gmail.com> wrote:

> Is the IP address of your ppp interface equal to the one that is
> detected by the online scanning tools?


My ethernet interface has an internal IP (192.168.1.x/24) on the same
subnet as the modem's internal IP. Basically it's a bridging modem. I'm
not using PPP.



enos76
08-21-09, 02:39 AM
dae3 wrote:
> My ethernet interface has an internal IP (192.168.1.x/24) on the same
> subnet of the modem's internal IP. Basically it's a bridging modem. I'm
> not using PPP.

Were I in your shoes, I'd try the following:
- set eth0 to your public IP address (not some private 192.168.x.x)
- get the password of your bridge/modem/router/whatever from your ISP
- use traceroute to find out if there are private networks before the Internet

I leave the matter in more experienced hands, as I am not very
experienced with this kind of bridge (assuming this is a bridge).
Good Luck.

--
enos76