Running nmap from a remote server gives this answer:
PORT STATE SERVICE
554/tcp open rtsp
6881/tcp filtered bittorrent-tracker
7070/tcp open realserver
port 6881: forwarded to my NAS, yet QTransmission (Transmission for QNAP) keeps complaining the port isn't open. I see the rule in the output of "iptables -t nat -L"
I've tried narrowing the rule down to just 6881 but the result is the same: may I safely conclude that it is QTransmission that it is wrong? Apparently downloads are fine.
port 554 and 7070 are interesting because my router knows nothing about them: they are not listed in "netstat -a -l -n" nor in "iptables -t nat -L" nor in "iptables -L". Is it my ISP (TIM.it) playing funny tricks with these ports?
From my experience this "port open report" thing doesn't work.
Better check by yourself with iptables -t nat -L -vn | grep 6881 and see the bytes and packet hit columns.
So, first I looked up what the "NAT reflection" does and disabled it, so the 3 pair of rules get down to just 1.
Next, I reset the counters and tried connecting to 6881/tcp from outside: the counters barely move but they do. Using nc in udp mode I got slightly more visible results.
Using another host in LAN as target, I exposed the local port 22 in turn to 554, 6881 and 7070 on wan and I could get the SSH handshake on all of them. Most definitely, port 6881 is indeed open.
I checked the NAS config and saw I had a rule to allow only connections from LAN: temporarily disabling it resulted in a positive test result in QTransmission.
Considering I don't have the option to allow by port in the NAS, how can I make forwarded connections on port 6881 appear to come from the router?
Any idea why 554 and 7070 show up as open in nmap even when I have no rules referencing them?
Unless it comes as default on 18.06.4 (I don't think so) and I have missed it so far, I'd say no.
More importantly, there is no single match for either port in any of those commands' output.
Last time I checked, no, moreover it is considered a bad security practice so it would be a surprise to be included.
Those ports that you saw as open were either open on the firewall or forwarded to some host in the LAN (or nmap was BSing you).
I've tried that, it didn't work: since the target is inside the LAN, the router still needs either a route (not gonna happen because of private address space) or a port forwarding. With both rules enabled the test in QTransmission is positive.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-20 10:34 CEST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 9.63 seconds
and this scanned from the same remote server I used to scan my own router:
Starting Nmap 6.47 ( http://nmap.org ) at 2019-07-20 10:33 CEST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
554/tcp open rtsp
7070/tcp open realserver
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 8.31 seconds
Yup, sure looks like my (remote) ISP is playing tricks with those ports on outgoing connections.
(yup, I looked up "Vodafone 554 7070" and there are a few reports along those lines).