Vodafone Mobile IP ranges

I recently added a firewall to my server such that even though the router has one, if there’s some security hole in its firewall, the server inside the network is still protected by its own firewall. This server-side firewall is more restrictive than the router one, with a DROP policy set by default, and I have to punch holes in it in order to get access.

One of the things I like being able to do is access my files from my phone. Unsurprisingly, you get a dynamic IP address with mobile broadband. If I could find the range of IP addresses Vodafone assign to their mobile broadband customers, I could allow some part of that range through the firewall. Obviously this only allows those IPs to try to connect; they still need to have the correct credentials in order to get through.

After a bit of searching, I came across this thread on the Vodafone forums. After some initial reticence on the Vodafone side, they eventually listed the IP ranges they used for their mobile broadband. To save some searching, this is the appropriate set of ranges:

212.183.140.48/28
212.183.140.102/31
212.183.140.16/28
212.183.140.98/31
212.183.140.32/28
212.183.140.100/31
212.183.140.0/28
212.183.140.96/31 

An initial connection from my phone indicates this range is valid (for the time being). This solves the problem of me being able to access my server from unknown networks as I can simply tether my phone to my laptop, and know that I’ll be able to get into the server, from which point I can make temporary changes to the firewall to allow access to that specific new IP address.
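An added example, not part of the original post: the eight ranges above sit next to each other, so they can be validated and merged into fewer source prefixes before being turned into firewall holes. The use of iptables, the INPUT chain and TCP port 22 are assumptions; the post only says the server firewall has a default DROP policy.

```python
import ipaddress

# Ranges exactly as listed in the post.
VODAFONE_RANGES = [
    "212.183.140.48/28", "212.183.140.102/31",
    "212.183.140.16/28", "212.183.140.98/31",
    "212.183.140.32/28", "212.183.140.100/31",
    "212.183.140.0/28", "212.183.140.96/31",
]


def parse_ranges(cidrs):
    """Parse each CIDR strictly: a prefix with host bits set (a likely
    typo in an allow-list) raises ValueError instead of being widened."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]


def collapse(cidrs):
    """Merge adjacent and overlapping prefixes into the smallest covering set."""
    return list(ipaddress.collapse_addresses(parse_ranges(cidrs)))


def exposed_addresses(cidrs):
    """Number of source addresses the allow-list lets reach the port."""
    return sum(net.num_addresses for net in collapse(cidrs))


def is_allowed(ip, cidrs):
    """True if ip falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in collapse(cidrs))


def iptables_rules(cidrs, port=22, chain="INPUT"):
    """Build (but do not run) one ACCEPT rule per merged prefix.
    port and chain are assumptions, not values from the post."""
    return [
        f"iptables -A {chain} -p tcp -s {net} --dport {port} "
        "-m conntrack --ctstate NEW -j ACCEPT"
        for net in collapse(cidrs)
    ]


if __name__ == "__main__":
    for rule in iptables_rules(VODAFONE_RANGES):
        print(rule)
    print("source addresses allowed:", exposed_addresses(VODAFONE_RANGES))
```

The merged rules only open the port to those source addresses; any other customer on the same carrier ranges can also reach it, so the service's own authentication is still what keeps them out.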

I would, eventually, like to add port knocking to the server such that even though there are open ports on the router and firewall, given a simple scan, the ports should appear closed.

Data recovery

A Windows laptop bluescreened midway through a transfer of data from the internal disk to a 500GB (Michael Jackson) external disk. Windows refused to acknowledge the existence of the FAT32 partition, saying the disk needed to be formatted; my Mac fared no better, claiming I needed to initialise the disk.

This was a backup disk (and in fact, the computer was backing up when it bluescreened), but nothing on there was irreplaceable, so I decided to have a bit of a play with some data recovery tools.

The first thing I needed to do was get a disk image so that I could fiddle around to my heart’s content without worrying about damaging the disk. The disk cloning utility dd took care of that for me:

dd if=/dev/sdc of=./michael.img

I cloned the entire device (/dev/sdc vs. /dev/sdc1, for example) since the partition table appeared to be corrupted. I didn’t set any special options and since I was in no particular hurry, I let it do its thing overnight. Once I had a disk image, I tried testdisk to see if it could rebuild the partition table, or at least let me copy the contents of the partition to somewhere else.

testdisk ./michael.img

For a more comprehensive look at testdisk’s functionality, check their wiki. In essence, I used the Advanced section (Filesystem Utils) to do a boot sector recovery, from which I could access the filesystem contents and select files I wanted to copy to a directory, ready for copying back onto the external disk.

Although this is by no means an in-depth look into testdisk, its tools are impressive. It can rebuild partition tables to allow corrupt disks to boot again. The sister program, photorec, is aimed more at recovering images and other media based on the signature those types of files have in a filesystem.

For my purposes, however, the recovery was pretty straightforward and the data have been successfully recovered. The last job is to format the disk with a fresh (probably NTFS) filesystem, and then copy the recovered data back.

Virgin DNS

Virgin Broadband intercept invalid DNS requests and supply their own results. Whilst this is convenient to some extent, it does mean they’re interfering with the way things were designed to work. Fortunately, however, it’s easy enough to turn off.

Virgin provide a service to turn off this DNS interception here. A word of caution: you can only apply this change from your home connection.