How to Bypass Xfinity Filtering Ports?

I was trying to expose port 23 to be able to telnet from outside the LAN, and I cannot get a connection. Ports 22 and 23 are labeled as filtered. [here]

I have a TCP server set up to listen on port 6400. I can telnet into that port from inside the LAN. I have no luck when trying to telnet from the WAN. I have port 23 forwarded to the IP of the Raspberry Pi. When I nmap from inside the network, it shows port 23 as filtered. When I nmap from outside the network, it shows all ports as filtered.

I have Comcast Xfinity supplied router/modem combo. The port forwarding for the router is not very complex, and I am not able to port forward easily. Will a separate router or modem solve this issue of the ports being filtered?

UPDATE: I changed the port forward to 6400, and it works! I used my phone (cellular data) to telnet into port 6400 and it let me through. If I change the port forward to 23, I get the error ‘connection refused.’ If I delete the port forward, I get ‘connection timed out.’

No one commenting on how you shouldn’t be allowing telnet over WAN?

If you want to access internal services, run a VPN.

On-topic, Comcast doesn’t filter 22, so it’s something else, and you’re running nmap from inside the LAN, so it’s not an accurate test, either.

That nmap result doesn’t mean anything because you are running it on the LAN side of the router.

I have port 23 forwarded to the IP of the Raspberry Pi.

Did you forward port 23 to port 23 on the Pi? Because port 23 doesn’t appear to be open on your Pi, based on your netstat.

OTOH, if you are trying to reach port 6400 on your Pi, then you probably want to forward port 6400 on the router. Or if you want to get fancy, you can forward port 23 to port 6400 on the Pi. It depends on what you want to do.

I want to telnet over wan for a project that I am working on. I want to collect data from the hackers that attempt to gain access.

I want to set up a VPN to my home network for my next project, but I just want to make sure the filtered ports do not hinder my ability to do so. Should I try to set up a VPN on my Pi to see if I can get out of the network, or should I look into a router that I can flash? I guess I could try to SSH into the Pi to see if port 22 will allow access.

An nmap from outside the network yields all ports as filtered, and I have the firewall off completely on the gateway.

Nope. He didn’t ask, “is it ok if I allow Telnet over WAN?” He asked how to do it with Comcast filtering ports 22/23.

I can telnet into the RPi on port 6400 on the LAN, but not port 23 on the LAN. Xfinity just updated their forwarding menu, and it may not be recognizing the static IP I have assigned to the device.

The nmap from outside the network reveals that all the ports are filtered.

Xfinity’s port forwarding is not very advanced, which is why I was considering a new router or modem.

[Here] is a pic of the forwarding that I have set up. I have the RPi set up to listen on port 6400, and I was going to direct traffic from port 23 to 6400.

Should I try entering 6400 for the port forward?

The firewall off just means it’s not actively blocking those ports. You still need port forwarding properly for something inside your LAN to accept a TCP connection from the outside.

I’m echoing others in the thread that are saying your port forwarding isn’t configured correctly.

You’re also trying to nmap your router itself; if that itself doesn’t accept connections on 22/23, it’s also going to show filtered.

You need to nmap the device that’s going to be accepting 22/23 from inside the LAN to make sure it’s working on the box itself, then figure out your port forwarding situation.

Comcast doesn’t block 22, I know that for a fact, so it’s not an issue on that side.

As another off-hand comment, if you’re doing something like a honeypot, especially for research, I’d recommend doing this on some kind of public VPS or remote dedicated hosting. Buy a cheap VPS from Vultr or Linode and do it there. No NAT to worry about, and you’re not subjecting your home network to something like this.

It’s important to educate those who aren’t privy to the issues of doing something like this.

OP didn’t go into any in-depth detail of why he’d want Telnet over LAN, so I saw it as a good idea to caution.

I don’t need people to specifically ask me for opinions for me to offer my own.

I don’t see any indication that the Xfinity can forward port 23 to a different port number. In order to do that, there should be a way to specify an “external port” and “internal port”.

Assuming that the Xfinity can only forward the same port number, then, yes, you should enter 6400.

Here I have updated the screenshots of the port forwarding and correct nmap.

The TCP server is listening on port 6400, but port 6400 does not show up on the nmap as open.

I will have to look more into the VPS! It seems like a good solution, but how would I set up the honeypot for this?

I wanted to try this on the home network to send all telnet traffic on port 23 to the RPi honeypot. The honeypot is an Arduino connected to the RPi, so the honeypot doesn’t have anything behind it for hackers to breach. I just can’t get the damn thing online to the WAN!

So, I got the honeypot online! I can telnet into port 6400, but it will not let me telnet through port 23. When I check online, it says that the connections are ‘refused.’ I know Comcast doesn’t block ports 22 and 23, but I feel as if something on their end is keeping me out of port 23.

Fair enough. I just see a lot of replies that never specifically answer OP’s original question, but suggest alternative ways of doing things. Sometimes there are situations in which people are forced to do something a particular way, or they are just trying to do something as a learning exercise. In this case, I agree with you that SSH would be preferred, but if OP is choosing to go Telnet, I have to assume he is trying to do something somewhat specific for some reason. No one chooses Telnet anymore.

Yeah, the forwarding menu is not very great. I can change the port to 6400, but how do I test to see if this made a difference?

Actually, the forwarding menu lets me add a port number or port range if that will help.

Rerun your nmap from the outside. If you want, you can just scan port 6400. Or you can run one of those online port testers.


No, that won’t help. The port range will still be forwarded to the same internal port range.

Why don’t you just have the Pi listen on port 23?

Okay, I changed the port forward to 6400, and it works! I used my phone (cellular data) to telnet into port 6400 and it let me through. If I change the port forward to 23, I get the error ‘connection refused.’ If I delete the port forward, I get ‘connection timed out.’

That’s expected. Your Pi isn’t listening on port 23.
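The three outcomes the thread walks through (open, ‘connection refused’, ‘connection timed out’) are exactly what a single TCP connect attempt reports, so here is an added example, not from the thread, that classifies a probe the same way and stands up a throwaway listener standing in for the Pi’s server on 6400. The host, port and listener are constructed for the demo; run it from a host outside the LAN (e.g. the phone-on-cellular test) against your public IP to check a forward rather than the router’s own ports.

```python
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt.

    'open'    -> handshake completed: the forward and the listener are both in place
    'refused' -> an RST came back: something answered, but nothing listens on that
                 internal port (the thread's 'forward 23 to a Pi not listening on 23')
    'timeout' -> no answer at all: no forward rule, or a filter silently dropping packets
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:  # e.g. network unreachable; report the errno rather than guess
        return f"error:{e.errno}"
    finally:
        s.close()


def start_listener(port: int = 0) -> tuple[socket.socket, int]:
    """Stand-in for the Pi's TCP server; port 0 lets the OS pick a free port.

    The kernel completes handshakes into the backlog even before accept() runs,
    so a probe sees 'open' as soon as this returns.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Reserve and release a port so we have a known closed one to probe."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, listening = start_listener()          # constructed stand-in for port 6400
    print(listening, probe("127.0.0.1", listening))   # open
    srv.close()
    print(free_port(), probe("127.0.0.1", free_port()))  # refused: nothing listening
```

Against a real forward, a ‘refused’ from the public IP means the router reached the Pi and the Pi sent back an RST, so fix the listening port; a timeout means the packets never got an answer, so look at the forward rule or upstream filtering first.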