Fw4: Port forwarding not working when using TCP

Hi,

I updated to 22.03 on my TP-Link Archer C7 v5 and port forwards that have been working fine before don't work anymore.

Setup:

Router A(192.168.2.1)--->(192.168.2.175)Router B---->My network(192.168.178.1/24).

Router A (Telekom Speedport) isn't mine, but is controlled by me. Router B is the router running OpenWRT.

Router B is forwarding a number of ports, but only the ones using UDP are still working. My guess is the update, but I don't use the TCP forwards daily so I am not too sure.

One of the forwards is supposed to forward ssh connections, I'll use that as an example for what I have tried so far:

  • I checked with tcpdump on OpenWRT: The traffic arrives on router B.

  • I checked the ssh connection from router B to the target (192.168.178.11): I can successfully log in from router B.

  • I deleted the port forward and reapplied it: No change.

  • I disabled the rule and reapplied it: No change.

  • The WAN IP (192.168.2.175) is the same one that router A's DHCP handed out.

/etc/init.d/firewall restart

root@OpenWrt:~# /etc/init.d/firewall restart
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section reject_toniebox (RejectToniebox) is disabled, ignoring section
Section @rule[11] (NoInternet) is disabled, ignoring section
Section @redirect[4] (Make ha accessible from world) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
root@OpenWrt:~# 

/etc/config/firewall (the whole thing is 359 lines, so here is a snippet; let me know if I should post the whole thing)

config redirect
	option dest 'SafeZone'
	option target 'DNAT'
	option name 'ssh to pi'
	option family 'ipv4'
	option src 'wan'
	option src_dport '3422'
	option dest_ip '192.168.178.11'
	option dest_port '3422'
	list proto 'tcp'

/etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.1'
	list dns '192.168.178.11'
	option delegate '0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option macaddr 'e4:c3:2a:47:1a:7f'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.178.11'
	option ipv6 '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.1.105.1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '103'
	option name 'eth0.103'
	option mtu '1500'
	option macaddr 'E4:C3:2A:47:1A:7E'

config interface 'IOT'
	option proto 'static'
	option type 'bridge'
	list ipaddr '10.1.103.1/24'
	option device 'br-iot'

config bridge-vlan
	option device 'br-vlans'
	option vlan '103'
	list ports 'eth0.103:t'
	list ports 'eth0.2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '103'
	option description 'IOT'
	option ports '0t 4t'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.103'
	option mtu '1500'
	option macaddr 'E4:C3:2A:47:1A:7E'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '101'
	option name 'eth0.101'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-dienste'
	list ports 'eth0.101'
	option ipv6 '0'

config interface 'DIENSTE'
	option proto 'static'
	option device 'br-dienste'
	option ipaddr '10.1.101.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'
	option vid '101'
	option description 'DIENSTE'

config device
	option type 'bridge'
	option name 'br-homelab'
	list ports 'eth0.102'
	option ipv6 '0'
	option mtu '1500'
	option macaddr 'E4:C3:2A:47:1A:7E'

config interface 'HOMELAB'
	option proto 'static'
	option device 'br-homelab'
	option ipaddr '10.1.102.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-nonet'
	list ports 'eth0.104'
	option mtu '1500'
	option ipv6 '0'
	option macaddr 'E4:C3:2A:47:1A:7E'

config interface 'NONET'
	option proto 'static'
	option device 'br-nonet'
	option ipaddr '10.1.104.1'
	option netmask '255.255.255.0'

config device
	option name 'eth0.102'
	option type '8021q'
	option ifname 'eth0'
	option vid '102'
	option ipv6 '0'

config device
	option name 'eth0.104'
	option type '8021q'
	option ifname 'eth0'
	option vid '104'
	option ipv6 '0'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 4t'
	option vid '102'
	option description 'HOMELAB'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 4t'
	option vid '104'
	option description 'NONET'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '100'
	option name 'eth0.100'

config device
	option type 'bridge'
	option name 'br-lan100'
	list ports 'eth0.100'
	option ipv6 '0'

config interface 'LAN100'
	option proto 'static'
	option device 'br-lan100'
	option ipaddr '10.1.100.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '0t 4t'
	option vid '100'
	option description 'LAN100'

config device
	option type 'bridge'
	option name 'br-wireguard'
	list ports 'eth0.106'

config interface 'WIREGUARD'
	option proto 'static'
	option device 'br-wireguard'
	option ipaddr '10.1.106.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option ports '0t 4t'
	option vid '106'
	option description 'WIREGUARD'

Is going back to fw3 an option?

Reboot the upstream router, and verify that the client is using the correct IP.
Try connecting from outside and check traffic counters for the OpenWrt redirect.
Stop any VPN clients possibly running on the router or the destination host.


At the moment I am running my tests from within router A's network (192.168.2.1/24), so router A's forwarding doesn't come into play (yet).

The IPs definitely match, I can ssh to the client when I'm logged into OpenWRT.

There are no VPNs running.

Could you elaborate on the "traffic counters" part?

Ah, I think I understand what you meant by counters now:



So it seems the rule was hit, but only once, maybe? The counter doesn't update when I try to create another ssh connection.

Should the rule appear three times in Status->Firewall?


The next step is to try capturing the relevant traffic:

opkg update
opkg install tcpdump
tcpdump -evnni any tcp port 3422
root@OpenWrt:~# tcpdump -evnni any tcp port 3422
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:47:13.925123   P c4:bd:e5:a7:e8:6a ethertype 802.1Q (0x8100), length 72: vlan 2, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 14188, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:13.925123  In c4:bd:e5:a7:e8:6a ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 128, id 14188, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:13.925300 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14188, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:13.925324 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14188, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:14.932690   P c4:bd:e5:a7:e8:6a ethertype 802.1Q (0x8100), length 72: vlan 2, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 14189, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:14.932690  In c4:bd:e5:a7:e8:6a ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 128, id 14189, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:14.932831 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14189, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:14.932852 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14189, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:16.937203   P c4:bd:e5:a7:e8:6a ethertype 802.1Q (0x8100), length 72: vlan 2, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 14190, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:16.937203  In c4:bd:e5:a7:e8:6a ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 128, id 14190, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.2.175.3422: Flags [S], cksum 0xc8c6 (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:16.937346 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14190, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
08:47:16.937368 Out e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 14190, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.61775 > 192.168.178.11.3422: Flags [S], cksum 0x196a (correct), seq 1742454259, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#

Does this mean that the traffic is blocked at the destination? That can't be it, I can ssh from the router to the target device:

root@OpenWrt:~# ssh -p 3422 pi@192.168.178.11
pi@192.168.178.11's password:
Linux raspberrypi 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep 26 10:46:39 2023 from 10.253.3.2
pi@raspberrypi:~ $


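It looks like that, since the capture shows only the forwarded SYNs and no reply; alternatively, the target's default gateway is wrong. The forwarded packets keep the client's original source address (192.168.2.220), so the target must accept that source and route its replies back through the router, which a test made from the router itself does not exercise.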

Check its SSH and firewall configs, as it may allow only local subnet as the source.
Also confirm that its default gateway is 192.168.178.1.


Hmmm, it seems you are right, which is most curious.

After I added 192.168.2.1/24 to the management console of proxmox the port forwarding works again.

This wasn't needed before the update. Is it possible that in 21 the port forwarding did an SNAT, which it no longer does?

I still can't connect to my pi using the port forward. I can't find out why.

pi@raspberrypi:/etc/ssh$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (17 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             192.168.80.2         tcp dpt:19445
ACCEPT     tcp  --  anywhere             192.168.80.2         tcp dpt:19444
ACCEPT     tcp  --  anywhere             192.168.80.2         tcp dpt:19400
ACCEPT     tcp  --  anywhere             192.168.80.2         tcp dpt:8090
ACCEPT     tcp  --  anywhere             192.168.80.2         tcp dpt:ssh
ACCEPT     tcp  --  anywhere             44a6ad15c223         tcp dpt:https
ACCEPT     tcp  --  anywhere             44a6ad15c223         tcp dpt:http
ACCEPT     tcp  --  anywhere             192.168.0.2          tcp dpt:http-alt
ACCEPT     udp  --  anywhere             44a6ad15c223         udp dpt:bootps
ACCEPT     tcp  --  anywhere             44a6ad15c223         tcp dpt:domain
ACCEPT     udp  --  anywhere             44a6ad15c223         udp dpt:domain
ACCEPT     tcp  --  anywhere             172.24.0.3           tcp dpt:9001
ACCEPT     tcp  --  anywhere             172.24.0.3           tcp dpt:1883
ACCEPT     tcp  --  anywhere             172.24.0.5           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             172.24.0.6           tcp dpt:3000
ACCEPT     tcp  --  anywhere             172.23.0.50          tcp dpt:1443
ACCEPT     tcp  --  anywhere             172.23.0.50          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.23.0.50          tcp dpt:http
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:8000
ACCEPT     tcp  --  anywhere             192.168.208.2        tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.208.3        tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  158.172.189.35.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  node-hwk.pool-182-52.dynamic.totinternet.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  47.74.0.196          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  160.124.140.147      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ip-109196055045.syrion.pl  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  198.211.120.99       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  190-159-89-200.fibertel.com.ar  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  mail.recovery.com.py  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (16 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
pi@raspberrypi:/etc/ssh$ 

sshd is not configured with a ListenAddress, which means it uses the default and listens on all local addresses (0.0.0.0 and ::):

pi@raspberrypi:/etc/ssh$ grep Listen sshd_config 
#ListenAddress 0.0.0.0
#ListenAddress ::
pi@raspberrypi:/etc/ssh$ 

/var/log/auth.log shows no new lines when I try to connect via the port forward.

fail2ban is not active, although the iptables listing above still contains an f2b-sshd chain with REJECT entries.

netstat also shows that the port is open and listening on all addresses:

pi@raspberrypi:/etc/ssh$ sudo netstat -plnt|grep 3422
tcp        0      0 0.0.0.0:3422            0.0.0.0:*               LISTEN      23964/sshd          
tcp6       0      0 :::3422                 :::*                    LISTEN      23964/sshd          
pi@raspberrypi:/etc/ssh$

So if anybody has any ideas what I should check I'd be really grateful!

ip address show; ip route show table all; ip rule show
sudo iptables-save; sudo netstat -l -n -p | grep -e ssh
ping  -c 3 8.8.8.8; traceroute -n 8.8.8.8
pi@raspberrypi:/etc/ssh$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:1c:c6:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.11/24 brd 192.168.178.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.253.3.1/24 scope global wg0
       valid_lft forever preferred_lft forever
4: br-d25bebd3e424: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c8:1a:63:45 brd ff:ff:ff:ff:ff:ff
    inet 172.24.0.1/16 brd 172.24.255.255 scope global br-d25bebd3e424
       valid_lft forever preferred_lft forever
5: br-de29c2d1df31: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:14:07:ff:d3 brd ff:ff:ff:ff:ff:ff
    inet 172.22.0.1/16 brd 172.22.255.255 scope global br-de29c2d1df31
       valid_lft forever preferred_lft forever
6: br-2fabfd2b30dc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:aa:21:8b:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.1/20 brd 192.168.95.255 scope global br-2fabfd2b30dc
       valid_lft forever preferred_lft forever
7: br-34aed491bd19: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:67:67:0a:71 brd ff:ff:ff:ff:ff:ff
    inet 172.26.0.1/16 brd 172.26.255.255 scope global br-34aed491bd19
       valid_lft forever preferred_lft forever
9: br-d0f496bdbec5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:5b:c9:f6:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.96.1/20 brd 192.168.111.255 scope global br-d0f496bdbec5
       valid_lft forever preferred_lft forever
10: br-5fd0f43922e0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:14:a0:73:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.240.1/20 brd 192.168.255.255 scope global br-5fd0f43922e0
       valid_lft forever preferred_lft forever
11: br-90c10ed21bd7: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:78:2e:88:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.160.1/20 brd 192.168.175.255 scope global br-90c10ed21bd7
       valid_lft forever preferred_lft forever
12: br-fd87f744bc1f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:94:fb:fa:76 brd ff:ff:ff:ff:ff:ff
    inet 172.29.0.1/16 brd 172.29.255.255 scope global br-fd87f744bc1f
       valid_lft forever preferred_lft forever
13: br-ec6d8fe88feb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:fb:f9:ee:56 brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.1/24 brd 172.23.0.255 scope global br-ec6d8fe88feb
       valid_lft forever preferred_lft forever
14: br-fd0a5edcc3db: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:20:21:59:8a brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/24 brd 172.20.0.255 scope global br-fd0a5edcc3db
       valid_lft forever preferred_lft forever
15: br-3e25fab3da7e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:2a:74:0b:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/20 brd 192.168.15.255 scope global br-3e25fab3da7e
       valid_lft forever preferred_lft forever
16: br-7cc1c3146ff6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:9c:92:42:db brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-7cc1c3146ff6
       valid_lft forever preferred_lft forever
17: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:70:dd:fa:ea brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
18: br-d0ccf4315e3d: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:45:d6:a3:f5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.1/20 brd 192.168.47.255 scope global br-d0ccf4315e3d
       valid_lft forever preferred_lft forever
23: veth4666bc5@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d25bebd3e424 state UP group default 
    link/ether ca:af:52:b6:75:02 brd ff:ff:ff:ff:ff:ff link-netnsid 9
24: rename24@veth8cd3e09: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:e0:02 brd ff:ff:ff:ff:ff:ff
25: veth8cd3e09@rename24: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 3e:6c:d8:16:e1:07 brd ff:ff:ff:ff:ff:ff
26: rename26@veth9e178f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
27: veth9e178f1@rename26: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 42:15:6e:a3:49:f6 brd ff:ff:ff:ff:ff:ff
29: veth860da2b@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2fabfd2b30dc state UP group default 
    link/ether 82:7c:9d:ab:65:e0 brd ff:ff:ff:ff:ff:ff link-netnsid 11
31: veth7e576d1@if30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-fd0a5edcc3db state UP group default 
    link/ether 9e:90:ce:19:0e:f6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
32: rename32@veth94866cb: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:18:00:03 brd ff:ff:ff:ff:ff:ff
33: veth94866cb@rename32: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-d25bebd3e424 state LOWERLAYERDOWN group default 
    link/ether be:c4:38:bc:28:ef brd ff:ff:ff:ff:ff:ff
34: rename34@veth2129384: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
35: veth2129384@rename34: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 3a:ae:05:b3:fe:21 brd ff:ff:ff:ff:ff:ff
38: rename38@vetha05964a: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:18:00:04 brd ff:ff:ff:ff:ff:ff
39: vetha05964a@rename38: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-d25bebd3e424 state LOWERLAYERDOWN group default 
    link/ether ee:81:40:21:47:a5 brd ff:ff:ff:ff:ff:ff
40: rename40@veth5c647ca: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
41: veth5c647ca@rename40: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 92:4c:a9:e8:0b:8e brd ff:ff:ff:ff:ff:ff
42: rename42@vethea6f757: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:18:00:05 brd ff:ff:ff:ff:ff:ff
43: vethea6f757@rename42: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-d25bebd3e424 state LOWERLAYERDOWN group default 
    link/ether b2:c6:02:13:d2:65 brd ff:ff:ff:ff:ff:ff
45: vethcf47598@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 2e:7b:4c:a5:e2:f8 brd ff:ff:ff:ff:ff:ff link-netnsid 12
46: rename46@veth520a789: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:e0:04 brd ff:ff:ff:ff:ff:ff
47: veth520a789@rename46: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 76:98:7e:cd:cc:e6 brd ff:ff:ff:ff:ff:ff
49: veth4064818@if48: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 96:2d:98:64:39:93 brd ff:ff:ff:ff:ff:ff link-netnsid 14
50: rename50@veth0592b4c: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:18:00:06 brd ff:ff:ff:ff:ff:ff
51: veth0592b4c@rename50: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-d25bebd3e424 state LOWERLAYERDOWN group default 
    link/ether 62:77:7e:92:d7:c9 brd ff:ff:ff:ff:ff:ff
52: rename52@vethee24e8e: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:06 brd ff:ff:ff:ff:ff:ff
53: vethee24e8e@rename52: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether b2:c9:40:26:56:cc brd ff:ff:ff:ff:ff:ff
54: rename54@vethb84dc3b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:13:00:03 brd ff:ff:ff:ff:ff:ff
55: vethb84dc3b@rename54: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 42:ee:1b:cb:e1:70 brd ff:ff:ff:ff:ff:ff
57: veth51fb4a9@if56: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3e25fab3da7e state UP group default 
    link/ether 5e:96:9d:a5:79:98 brd ff:ff:ff:ff:ff:ff link-netnsid 12
59: veth04cd968@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-fd0a5edcc3db state UP group default 
    link/ether d6:ac:d3:35:3a:98 brd ff:ff:ff:ff:ff:ff link-netnsid 14
61: veth56b506c@if60: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d25bebd3e424 state UP group default 
    link/ether 56:71:f3:dd:a7:7f brd ff:ff:ff:ff:ff:ff link-netnsid 6
63: veth7f72087@if62: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d25bebd3e424 state UP group default 
    link/ether e6:bf:fa:50:c0:16 brd ff:ff:ff:ff:ff:ff link-netnsid 5
65: veth610dfef@if64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d25bebd3e424 state UP group default 
    link/ether 22:9a:e1:3d:64:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 7
67: veth8c3eb37@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d25bebd3e424 state UP group default 
    link/ether 12:cc:d8:fc:56:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 8
69: veth4223b29@if68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 2a:ad:f0:8c:0c:03 brd ff:ff:ff:ff:ff:ff link-netnsid 8
72: rename72@veth6bed372: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
73: veth6bed372@rename72: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether b6:0c:56:11:8f:94 brd ff:ff:ff:ff:ff:ff
77: rename77@veth3c82b13: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:15:00:02 brd ff:ff:ff:ff:ff:ff
78: veth3c82b13@rename77: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether ea:b2:9a:d3:a9:bd brd ff:ff:ff:ff:ff:ff
79: rename79@veth04ae523: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:15:00:03 brd ff:ff:ff:ff:ff:ff
80: veth04ae523@rename79: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 5a:9d:f0:e9:70:f7 brd ff:ff:ff:ff:ff:ff
81: rename81@vethc36f861: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
82: vethc36f861@rename81: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 22:68:17:dd:cd:54 brd ff:ff:ff:ff:ff:ff
83: rename83@vethe9c703e: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:15:00:04 brd ff:ff:ff:ff:ff:ff
84: vethe9c703e@rename83: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 8e:58:c5:29:25:5c brd ff:ff:ff:ff:ff:ff
88: rename88@veth65459d8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
89: veth65459d8@rename88: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 66:11:eb:df:f0:41 brd ff:ff:ff:ff:ff:ff
90: rename90@veth53a8044: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:19:00:03 brd ff:ff:ff:ff:ff:ff
91: veth53a8044@rename90: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether a6:97:e0:fc:67:9e brd ff:ff:ff:ff:ff:ff
92: rename92@vethcc209ae: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
93: vethcc209ae@rename92: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 32:93:f7:85:04:44 brd ff:ff:ff:ff:ff:ff
97: rename97@vethcb901af: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1b:00:03 brd ff:ff:ff:ff:ff:ff
98: vethcb901af@rename97: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 42:43:35:8a:16:e9 brd ff:ff:ff:ff:ff:ff
99: rename99@veth0cb49ce: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
100: veth0cb49ce@rename99: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 9a:22:fc:eb:2d:91 brd ff:ff:ff:ff:ff:ff
101: rename101@vethdfbb428: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1b:00:04 brd ff:ff:ff:ff:ff:ff
102: vethdfbb428@rename101: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 46:ef:0a:a1:a2:50 brd ff:ff:ff:ff:ff:ff
106: rename106@vethc5c9a68: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1c:00:03 brd ff:ff:ff:ff:ff:ff
107: vethc5c9a68@rename106: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether fa:c2:3e:9e:fa:80 brd ff:ff:ff:ff:ff:ff
108: rename108@veth723d4f2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
109: veth723d4f2@rename108: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether d2:25:d6:43:3c:82 brd ff:ff:ff:ff:ff:ff
110: rename110@vethc157a70: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
111: vethc157a70@rename110: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 72:d8:e1:1a:32:67 brd ff:ff:ff:ff:ff:ff
115: rename115@veth04b98c9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1e:00:03 brd ff:ff:ff:ff:ff:ff
116: veth04b98c9@rename115: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether ca:73:4e:f8:2a:3e brd ff:ff:ff:ff:ff:ff
117: rename117@veth6aed228: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
118: veth6aed228@rename117: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 52:6b:67:5e:00:81 brd ff:ff:ff:ff:ff:ff
119: rename119@vethc814fd8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1e:00:04 brd ff:ff:ff:ff:ff:ff
120: vethc814fd8@rename119: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether c6:9d:ff:e0:50:1a brd ff:ff:ff:ff:ff:ff
122: rename122@vethc1a54ee: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:1f:00:02 brd ff:ff:ff:ff:ff:ff
123: vethc1a54ee@rename122: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 3e:bf:f6:15:0e:48 brd ff:ff:ff:ff:ff:ff
126: rename126@vetha3efbb5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
127: vetha3efbb5@rename126: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether b2:06:b6:58:f9:68 brd ff:ff:ff:ff:ff:ff
128: rename128@veth304fca2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
129: veth304fca2@rename128: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 5e:4b:26:73:b8:f7 brd ff:ff:ff:ff:ff:ff
131: rename131@veth756c57d: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:10:02 brd ff:ff:ff:ff:ff:ff
132: veth756c57d@rename131: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 52:0a:8a:41:b6:a0 brd ff:ff:ff:ff:ff:ff
135: rename135@veth3ba5f69: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
136: veth3ba5f69@rename135: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether f2:90:b9:58:9a:d8 brd ff:ff:ff:ff:ff:ff
137: rename137@veth6c7ff24: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:10:04 brd ff:ff:ff:ff:ff:ff
138: veth6c7ff24@rename137: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether ee:d7:7f:1c:35:f6 brd ff:ff:ff:ff:ff:ff
140: rename140@vethc88e7bc: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:30:02 brd ff:ff:ff:ff:ff:ff
141: vethc88e7bc@rename140: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 82:6b:73:07:5b:5a brd ff:ff:ff:ff:ff:ff
144: rename144@vetha762b4f: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
145: vetha762b4f@rename144: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether b6:6e:88:f0:5b:88 brd ff:ff:ff:ff:ff:ff
146: rename146@veth953b711: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
147: veth953b711@rename146: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 9a:43:14:7d:26:b9 brd ff:ff:ff:ff:ff:ff
151: rename151@veth606a6f8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:40:03 brd ff:ff:ff:ff:ff:ff
152: veth606a6f8@rename151: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether da:25:b8:c3:18:39 brd ff:ff:ff:ff:ff:ff
153: rename153@veth8505318: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
154: veth8505318@rename153: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether d6:c6:87:50:a8:b0 brd ff:ff:ff:ff:ff:ff
155: rename155@veth28c94f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:40:04 brd ff:ff:ff:ff:ff:ff
156: veth28c94f0@rename155: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 9a:2f:ed:82:28:03 brd ff:ff:ff:ff:ff:ff
158: rename158@vethcd00220: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:70:02 brd ff:ff:ff:ff:ff:ff
159: vethcd00220@rename158: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether aa:b6:f7:39:6d:b9 brd ff:ff:ff:ff:ff:ff
160: rename160@veth232fe41: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:70:03 brd ff:ff:ff:ff:ff:ff
161: veth232fe41@rename160: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 2a:4f:bb:29:88:1c brd ff:ff:ff:ff:ff:ff
162: rename162@vethf06e36e: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
163: vethf06e36e@rename162: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 7e:10:09:f9:ec:3f brd ff:ff:ff:ff:ff:ff
164: rename164@veth2d99fa4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:32 brd ff:ff:ff:ff:ff:ff
165: veth2d99fa4@rename164: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether fa:fa:0a:06:a9:73 brd ff:ff:ff:ff:ff:ff
167: rename167@vethc1fec33: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:80:02 brd ff:ff:ff:ff:ff:ff
168: vethc1fec33@rename167: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 52:45:ed:74:1d:71 brd ff:ff:ff:ff:ff:ff
171: rename171@vethf673c36: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:02 brd ff:ff:ff:ff:ff:ff
172: vethf673c36@rename171: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 62:2a:f8:b3:69:c0 brd ff:ff:ff:ff:ff:ff
173: rename173@veth6966e03: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:80:04 brd ff:ff:ff:ff:ff:ff
174: veth6966e03@rename173: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 6e:2b:8a:f9:d8:fe brd ff:ff:ff:ff:ff:ff
176: rename176@veth23dcd6e: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:90:02 brd ff:ff:ff:ff:ff:ff
177: veth23dcd6e@rename176: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether 7a:89:5a:61:a8:c9 brd ff:ff:ff:ff:ff:ff
178: rename178@veth4f39024: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:c0:a8:90:03 brd ff:ff:ff:ff:ff:ff
179: veth4f39024@rename178: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default 
    link/ether ee:c2:fb:1d:d0:32 brd ff:ff:ff:ff:ff:ff
180: rename180@veth98207c0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:ac:17:00:03 brd ff:ff:ff:ff:ff:ff
181: veth98207c0@rename180: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state LOWERLAYERDOWN group default 
    link/ether 2e:90:3f:6e:ce:7f brd ff:ff:ff:ff:ff:ff
183: vethe9bdfbc@if182: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 7a:e2:07:a8:95:54 brd ff:ff:ff:ff:ff:ff link-netnsid 2
184: br-5d3074306e5d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:19:56:ec:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.192.1/20 brd 192.168.207.255 scope global br-5d3074306e5d
       valid_lft forever preferred_lft forever
186: vethf48d976@if185: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5d3074306e5d state UP group default 
    link/ether 66:cd:fc:b7:ef:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 4
188: veth28c2fb2@if187: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5d3074306e5d state UP group default 
    link/ether 4e:27:53:66:44:0b brd ff:ff:ff:ff:ff:ff link-netnsid 3
190: veth10f497e@if189: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 36:a8:c6:e0:43:b1 brd ff:ff:ff:ff:ff:ff link-netnsid 10
192: veth9b50fd5@if191: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5d3074306e5d state UP group default 
    link/ether 6e:f8:9e:8f:5a:5d brd ff:ff:ff:ff:ff:ff link-netnsid 10
193: br-89c092226a24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:bd:fc:ac:c5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.208.1/20 brd 192.168.223.255 scope global br-89c092226a24
       valid_lft forever preferred_lft forever
195: vethe725dbd@if194: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-89c092226a24 state UP group default 
    link/ether 3e:ca:ba:f3:1b:53 brd ff:ff:ff:ff:ff:ff link-netnsid 1
197: veth5e7ae24@if196: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-89c092226a24 state UP group default 
    link/ether 4e:08:e1:28:d0:2d brd ff:ff:ff:ff:ff:ff link-netnsid 13
199: vethbc54c8c@if198: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ec6d8fe88feb state UP group default 
    link/ether 76:80:13:4b:a6:df brd ff:ff:ff:ff:ff:ff link-netnsid 13
pi@raspberrypi:/etc/ssh$ 

pi@raspberrypi:/etc/ssh$ ip route show table all
default via 192.168.178.1 dev eth0 src 192.168.178.11 metric 202 
10.253.3.0/24 dev wg0 proto kernel scope link src 10.253.3.1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-7cc1c3146ff6 proto kernel scope link src 172.18.0.1 linkdown 
172.20.0.0/24 dev br-fd0a5edcc3db proto kernel scope link src 172.20.0.1 
172.22.0.0/16 dev br-de29c2d1df31 proto kernel scope link src 172.22.0.1 linkdown 
172.23.0.0/24 dev br-ec6d8fe88feb proto kernel scope link src 172.23.0.1 
172.24.0.0/16 dev br-d25bebd3e424 proto kernel scope link src 172.24.0.1 
172.26.0.0/16 dev br-34aed491bd19 proto kernel scope link src 172.26.0.1 linkdown 
172.29.0.0/16 dev br-fd87f744bc1f proto kernel scope link src 172.29.0.1 linkdown 
192.168.0.0/20 dev br-3e25fab3da7e proto kernel scope link src 192.168.0.1 
192.168.32.0/20 dev br-d0ccf4315e3d proto kernel scope link src 192.168.32.1 linkdown 
192.168.80.0/20 dev br-2fabfd2b30dc proto kernel scope link src 192.168.80.1 
192.168.96.0/20 dev br-d0f496bdbec5 proto kernel scope link src 192.168.96.1 linkdown 
192.168.160.0/20 dev br-90c10ed21bd7 proto kernel scope link src 192.168.160.1 linkdown 
192.168.178.0/24 dev eth0 proto dhcp scope link src 192.168.178.11 metric 202 
192.168.192.0/20 dev br-5d3074306e5d proto kernel scope link src 192.168.192.1 
192.168.208.0/20 dev br-89c092226a24 proto kernel scope link src 192.168.208.1 
192.168.240.0/20 dev br-5fd0f43922e0 proto kernel scope link src 192.168.240.1 linkdown 
broadcast 10.253.3.0 dev wg0 table local proto kernel scope link src 10.253.3.1 
local 10.253.3.1 dev wg0 table local proto kernel scope host src 10.253.3.1 
broadcast 10.253.3.255 dev wg0 table local proto kernel scope link src 10.253.3.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown 
broadcast 172.18.0.0 dev br-7cc1c3146ff6 table local proto kernel scope link src 172.18.0.1 linkdown 
local 172.18.0.1 dev br-7cc1c3146ff6 table local proto kernel scope host src 172.18.0.1 
broadcast 172.18.255.255 dev br-7cc1c3146ff6 table local proto kernel scope link src 172.18.0.1 linkdown 
broadcast 172.20.0.0 dev br-fd0a5edcc3db table local proto kernel scope link src 172.20.0.1 
local 172.20.0.1 dev br-fd0a5edcc3db table local proto kernel scope host src 172.20.0.1 
broadcast 172.20.0.255 dev br-fd0a5edcc3db table local proto kernel scope link src 172.20.0.1 
broadcast 172.22.0.0 dev br-de29c2d1df31 table local proto kernel scope link src 172.22.0.1 linkdown 
local 172.22.0.1 dev br-de29c2d1df31 table local proto kernel scope host src 172.22.0.1 
broadcast 172.22.255.255 dev br-de29c2d1df31 table local proto kernel scope link src 172.22.0.1 linkdown 
broadcast 172.23.0.0 dev br-ec6d8fe88feb table local proto kernel scope link src 172.23.0.1 
local 172.23.0.1 dev br-ec6d8fe88feb table local proto kernel scope host src 172.23.0.1 
broadcast 172.23.0.255 dev br-ec6d8fe88feb table local proto kernel scope link src 172.23.0.1 
broadcast 172.24.0.0 dev br-d25bebd3e424 table local proto kernel scope link src 172.24.0.1 
local 172.24.0.1 dev br-d25bebd3e424 table local proto kernel scope host src 172.24.0.1 
broadcast 172.24.255.255 dev br-d25bebd3e424 table local proto kernel scope link src 172.24.0.1 
broadcast 172.26.0.0 dev br-34aed491bd19 table local proto kernel scope link src 172.26.0.1 linkdown 
local 172.26.0.1 dev br-34aed491bd19 table local proto kernel scope host src 172.26.0.1 
broadcast 172.26.255.255 dev br-34aed491bd19 table local proto kernel scope link src 172.26.0.1 linkdown 
broadcast 172.29.0.0 dev br-fd87f744bc1f table local proto kernel scope link src 172.29.0.1 linkdown 
local 172.29.0.1 dev br-fd87f744bc1f table local proto kernel scope host src 172.29.0.1 
broadcast 172.29.255.255 dev br-fd87f744bc1f table local proto kernel scope link src 172.29.0.1 linkdown 
broadcast 192.168.0.0 dev br-3e25fab3da7e table local proto kernel scope link src 192.168.0.1 
local 192.168.0.1 dev br-3e25fab3da7e table local proto kernel scope host src 192.168.0.1 
broadcast 192.168.15.255 dev br-3e25fab3da7e table local proto kernel scope link src 192.168.0.1 
broadcast 192.168.32.0 dev br-d0ccf4315e3d table local proto kernel scope link src 192.168.32.1 linkdown 
local 192.168.32.1 dev br-d0ccf4315e3d table local proto kernel scope host src 192.168.32.1 
broadcast 192.168.47.255 dev br-d0ccf4315e3d table local proto kernel scope link src 192.168.32.1 linkdown 
broadcast 192.168.80.0 dev br-2fabfd2b30dc table local proto kernel scope link src 192.168.80.1 
local 192.168.80.1 dev br-2fabfd2b30dc table local proto kernel scope host src 192.168.80.1 
broadcast 192.168.95.255 dev br-2fabfd2b30dc table local proto kernel scope link src 192.168.80.1 
broadcast 192.168.96.0 dev br-d0f496bdbec5 table local proto kernel scope link src 192.168.96.1 linkdown 
local 192.168.96.1 dev br-d0f496bdbec5 table local proto kernel scope host src 192.168.96.1 
broadcast 192.168.111.255 dev br-d0f496bdbec5 table local proto kernel scope link src 192.168.96.1 linkdown 
broadcast 192.168.160.0 dev br-90c10ed21bd7 table local proto kernel scope link src 192.168.160.1 linkdown 
local 192.168.160.1 dev br-90c10ed21bd7 table local proto kernel scope host src 192.168.160.1 
broadcast 192.168.175.255 dev br-90c10ed21bd7 table local proto kernel scope link src 192.168.160.1 linkdown 
broadcast 192.168.178.0 dev eth0 table local proto kernel scope link src 192.168.178.11 
local 192.168.178.11 dev eth0 table local proto kernel scope host src 192.168.178.11 
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.11 
broadcast 192.168.192.0 dev br-5d3074306e5d table local proto kernel scope link src 192.168.192.1 
local 192.168.192.1 dev br-5d3074306e5d table local proto kernel scope host src 192.168.192.1 
broadcast 192.168.207.255 dev br-5d3074306e5d table local proto kernel scope link src 192.168.192.1 
broadcast 192.168.208.0 dev br-89c092226a24 table local proto kernel scope link src 192.168.208.1 
local 192.168.208.1 dev br-89c092226a24 table local proto kernel scope host src 192.168.208.1 
broadcast 192.168.223.255 dev br-89c092226a24 table local proto kernel scope link src 192.168.208.1 
broadcast 192.168.240.0 dev br-5fd0f43922e0 table local proto kernel scope link src 192.168.240.1 linkdown 
local 192.168.240.1 dev br-5fd0f43922e0 table local proto kernel scope host src 192.168.240.1 
broadcast 192.168.255.255 dev br-5fd0f43922e0 table local proto kernel scope link src 192.168.240.1 linkdown 
pi@raspberrypi:/etc/ssh$ 
pi@raspberrypi:/etc/ssh$ ip rule show
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
pi@raspberrypi:/etc/ssh$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Wed Sep 27 15:41:46 2023
*nat
:PREROUTING ACCEPT [526723:43546784]
:INPUT ACCEPT [40216:15142593]
:POSTROUTING ACCEPT [210899:17567811]
:OUTPUT ACCEPT [282510:30621789]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.208.0/20 ! -o br-89c092226a24 -j MASQUERADE
-A POSTROUTING -s 192.168.192.0/20 ! -o br-5d3074306e5d -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.32.0/20 ! -o br-d0ccf4315e3d -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7cc1c3146ff6 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/20 ! -o br-3e25fab3da7e -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/24 ! -o br-fd0a5edcc3db -j MASQUERADE
-A POSTROUTING -s 172.23.0.0/24 ! -o br-ec6d8fe88feb -j MASQUERADE
-A POSTROUTING -s 172.29.0.0/16 ! -o br-fd87f744bc1f -j MASQUERADE
-A POSTROUTING -s 192.168.160.0/20 ! -o br-90c10ed21bd7 -j MASQUERADE
-A POSTROUTING -s 192.168.240.0/20 ! -o br-5fd0f43922e0 -j MASQUERADE
-A POSTROUTING -s 192.168.96.0/20 ! -o br-d0f496bdbec5 -j MASQUERADE
-A POSTROUTING -s 172.26.0.0/16 ! -o br-34aed491bd19 -j MASQUERADE
-A POSTROUTING -s 192.168.80.0/20 ! -o br-2fabfd2b30dc -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-de29c2d1df31 -j MASQUERADE
-A POSTROUTING -s 172.24.0.0/16 ! -o br-d25bebd3e424 -j MASQUERADE
-A POSTROUTING -s 172.23.0.0/16 ! -o br-5c91b467c66d -j MASQUERADE
-A POSTROUTING -s 172.23.0.3/32 -d 172.23.0.3/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
-A POSTROUTING -s 172.23.0.3/32 -d 172.23.0.3/32 -p tcp -m tcp --dport 1883 -j MASQUERADE
-A POSTROUTING -s 172.23.0.4/32 -d 172.23.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.23.0.6/32 -d 172.23.0.6/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.23.0.8/32 -d 172.23.0.8/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A POSTROUTING -s 172.23.0.9/32 -d 172.23.0.9/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.23.0.6/32 -d 172.23.0.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.23.0.6/32 -d 172.23.0.6/32 -p udp -m udp --dport 67 -j MASQUERADE
-A POSTROUTING -s 172.23.0.6/32 -d 172.23.0.6/32 -p tcp -m tcp --dport 53 -j MASQUERADE
-A POSTROUTING -s 172.23.0.6/32 -d 172.23.0.6/32 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.24.0.2/32 -d 172.24.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A POSTROUTING -s 192.168.80.2/32 -d 192.168.80.2/32 -p tcp -m tcp --dport 19445 -j MASQUERADE
-A POSTROUTING -s 192.168.80.2/32 -d 192.168.80.2/32 -p tcp -m tcp --dport 19444 -j MASQUERADE
-A POSTROUTING -s 192.168.80.2/32 -d 192.168.80.2/32 -p tcp -m tcp --dport 19400 -j MASQUERADE
-A POSTROUTING -s 192.168.80.2/32 -d 192.168.80.2/32 -p tcp -m tcp --dport 8090 -j MASQUERADE
-A POSTROUTING -s 192.168.80.2/32 -d 192.168.80.2/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.0.2/32 -d 192.168.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p udp -m udp --dport 67 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p tcp -m tcp --dport 53 -j MASQUERADE
-A POSTROUTING -s 172.23.0.5/32 -d 172.23.0.5/32 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -s 172.24.0.3/32 -d 172.24.0.3/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
-A POSTROUTING -s 172.24.0.3/32 -d 172.24.0.3/32 -p tcp -m tcp --dport 1883 -j MASQUERADE
-A POSTROUTING -s 172.24.0.5/32 -d 172.24.0.5/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A POSTROUTING -s 172.24.0.6/32 -d 172.24.0.6/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.23.0.50/32 -d 172.23.0.50/32 -p tcp -m tcp --dport 1443 -j MASQUERADE
-A POSTROUTING -s 172.23.0.50/32 -d 172.23.0.50/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.23.0.50/32 -d 172.23.0.50/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.23.0.2/32 -d 172.23.0.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 192.168.208.2/32 -d 192.168.208.2/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 192.168.208.3/32 -d 192.168.208.3/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i br-89c092226a24 -j RETURN
-A DOCKER -i br-5d3074306e5d -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-d0ccf4315e3d -j RETURN
-A DOCKER -i br-7cc1c3146ff6 -j RETURN
-A DOCKER -i br-3e25fab3da7e -j RETURN
-A DOCKER -i br-fd0a5edcc3db -j RETURN
-A DOCKER -i br-ec6d8fe88feb -j RETURN
-A DOCKER -i br-fd87f744bc1f -j RETURN
-A DOCKER -i br-90c10ed21bd7 -j RETURN
-A DOCKER -i br-5fd0f43922e0 -j RETURN
-A DOCKER -i br-d0f496bdbec5 -j RETURN
-A DOCKER -i br-34aed491bd19 -j RETURN
-A DOCKER -i br-2fabfd2b30dc -j RETURN
-A DOCKER -i br-de29c2d1df31 -j RETURN
-A DOCKER -i br-d25bebd3e424 -j RETURN
-A DOCKER ! -i br-2fabfd2b30dc -p tcp -m tcp --dport 19445 -j DNAT --to-destination 192.168.80.2:19445
-A DOCKER ! -i br-d25bebd3e424 -p tcp -m tcp --dport 35432 -j DNAT --to-destination 172.24.0.2:5432
-A DOCKER ! -i br-2fabfd2b30dc -p tcp -m tcp --dport 19444 -j DNAT --to-destination 192.168.80.2:19444
-A DOCKER ! -i br-2fabfd2b30dc -p tcp -m tcp --dport 19400 -j DNAT --to-destination 192.168.80.2:19400
-A DOCKER ! -i br-2fabfd2b30dc -p tcp -m tcp --dport 8090 -j DNAT --to-destination 192.168.80.2:8090
-A DOCKER ! -i br-2fabfd2b30dc -p tcp -m tcp --dport 19222 -j DNAT --to-destination 192.168.80.2:22
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 5443 -j DNAT --to-destination 172.23.0.5:443
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 580 -j DNAT --to-destination 172.23.0.5:80
-A DOCKER ! -i br-3e25fab3da7e -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.2:8080
-A DOCKER ! -i br-ec6d8fe88feb -p udp -m udp --dport 67 -j DNAT --to-destination 172.23.0.5:67
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.23.0.5:53
-A DOCKER ! -i br-ec6d8fe88feb -p udp -m udp --dport 53 -j DNAT --to-destination 172.23.0.5:53
-A DOCKER ! -i br-d25bebd3e424 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.24.0.3:9001
-A DOCKER ! -i br-d25bebd3e424 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.24.0.3:1883
-A DOCKER ! -i br-d25bebd3e424 -p tcp -m tcp --dport 25432 -j DNAT --to-destination 172.24.0.5:5432
-A DOCKER ! -i br-d25bebd3e424 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.24.0.6:3000
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 1443 -j DNAT --to-destination 172.23.0.50:1443
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.23.0.50:443
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.23.0.50:80
-A DOCKER ! -i br-ec6d8fe88feb -p tcp -m tcp --dport 666 -j DNAT --to-destination 172.23.0.2:8000
-A DOCKER ! -i br-89c092226a24 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.208.2:22
-A DOCKER ! -i br-89c092226a24 -p tcp -m tcp --dport 7423 -j DNAT --to-destination 192.168.208.3:8080
COMMIT
# Completed on Wed Sep 27 15:41:46 2023
# Generated by xtables-save v1.8.2 on Wed Sep 27 15:41:46 2023
*filter
:INPUT ACCEPT [3079028:1591788205]
:FORWARD DROP [189:12622]
:OUTPUT ACCEPT [4430002:2116403435]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:f2b-sshd - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A INPUT -p tcp -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-89c092226a24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-89c092226a24 -j DOCKER
-A FORWARD -i br-89c092226a24 ! -o br-89c092226a24 -j ACCEPT
-A FORWARD -i br-89c092226a24 -o br-89c092226a24 -j ACCEPT
-A FORWARD -o br-5d3074306e5d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5d3074306e5d -j DOCKER
-A FORWARD -i br-5d3074306e5d ! -o br-5d3074306e5d -j ACCEPT
-A FORWARD -i br-5d3074306e5d -o br-5d3074306e5d -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d0ccf4315e3d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d0ccf4315e3d -j DOCKER
-A FORWARD -i br-d0ccf4315e3d ! -o br-d0ccf4315e3d -j ACCEPT
-A FORWARD -i br-d0ccf4315e3d -o br-d0ccf4315e3d -j ACCEPT
-A FORWARD -o br-7cc1c3146ff6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7cc1c3146ff6 -j DOCKER
-A FORWARD -i br-7cc1c3146ff6 ! -o br-7cc1c3146ff6 -j ACCEPT
-A FORWARD -i br-7cc1c3146ff6 -o br-7cc1c3146ff6 -j ACCEPT
-A FORWARD -o br-3e25fab3da7e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-3e25fab3da7e -j DOCKER
-A FORWARD -i br-3e25fab3da7e ! -o br-3e25fab3da7e -j ACCEPT
-A FORWARD -i br-3e25fab3da7e -o br-3e25fab3da7e -j ACCEPT
-A FORWARD -o br-fd0a5edcc3db -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fd0a5edcc3db -j DOCKER
-A FORWARD -i br-fd0a5edcc3db ! -o br-fd0a5edcc3db -j ACCEPT
-A FORWARD -i br-fd0a5edcc3db -o br-fd0a5edcc3db -j ACCEPT
-A FORWARD -o br-ec6d8fe88feb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ec6d8fe88feb -j DOCKER
-A FORWARD -i br-ec6d8fe88feb ! -o br-ec6d8fe88feb -j ACCEPT
-A FORWARD -i br-ec6d8fe88feb -o br-ec6d8fe88feb -j ACCEPT
-A FORWARD -o br-fd87f744bc1f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fd87f744bc1f -j DOCKER
-A FORWARD -i br-fd87f744bc1f ! -o br-fd87f744bc1f -j ACCEPT
-A FORWARD -i br-fd87f744bc1f -o br-fd87f744bc1f -j ACCEPT
-A FORWARD -o br-90c10ed21bd7 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-90c10ed21bd7 -j DOCKER
-A FORWARD -i br-90c10ed21bd7 ! -o br-90c10ed21bd7 -j ACCEPT
-A FORWARD -i br-90c10ed21bd7 -o br-90c10ed21bd7 -j ACCEPT
-A FORWARD -o br-5fd0f43922e0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5fd0f43922e0 -j DOCKER
-A FORWARD -i br-5fd0f43922e0 ! -o br-5fd0f43922e0 -j ACCEPT
-A FORWARD -i br-5fd0f43922e0 -o br-5fd0f43922e0 -j ACCEPT
-A FORWARD -o br-d0f496bdbec5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d0f496bdbec5 -j DOCKER
-A FORWARD -i br-d0f496bdbec5 ! -o br-d0f496bdbec5 -j ACCEPT
-A FORWARD -i br-d0f496bdbec5 -o br-d0f496bdbec5 -j ACCEPT
-A FORWARD -o br-34aed491bd19 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-34aed491bd19 -j DOCKER
-A FORWARD -i br-34aed491bd19 ! -o br-34aed491bd19 -j ACCEPT
-A FORWARD -i br-34aed491bd19 -o br-34aed491bd19 -j ACCEPT
-A FORWARD -o br-2fabfd2b30dc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-2fabfd2b30dc -j DOCKER
-A FORWARD -i br-2fabfd2b30dc ! -o br-2fabfd2b30dc -j ACCEPT
-A FORWARD -i br-2fabfd2b30dc -o br-2fabfd2b30dc -j ACCEPT
-A FORWARD -o br-de29c2d1df31 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-de29c2d1df31 -j DOCKER
-A FORWARD -i br-de29c2d1df31 ! -o br-de29c2d1df31 -j ACCEPT
-A FORWARD -i br-de29c2d1df31 -o br-de29c2d1df31 -j ACCEPT
-A FORWARD -o br-d25bebd3e424 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d25bebd3e424 -j DOCKER
-A FORWARD -i br-d25bebd3e424 ! -o br-d25bebd3e424 -j ACCEPT
-A FORWARD -i br-d25bebd3e424 -o br-d25bebd3e424 -j ACCEPT
-A FORWARD -o br-5c91b467c66d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5c91b467c66d -j DOCKER
-A FORWARD -i br-5c91b467c66d ! -o br-5c91b467c66d -j ACCEPT
-A FORWARD -i br-5c91b467c66d -o br-5c91b467c66d -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A DOCKER -d 172.24.0.2/32 ! -i br-d25bebd3e424 -o br-d25bebd3e424 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 192.168.80.2/32 ! -i br-2fabfd2b30dc -o br-2fabfd2b30dc -p tcp -m tcp --dport 19445 -j ACCEPT
-A DOCKER -d 192.168.80.2/32 ! -i br-2fabfd2b30dc -o br-2fabfd2b30dc -p tcp -m tcp --dport 19444 -j ACCEPT
-A DOCKER -d 192.168.80.2/32 ! -i br-2fabfd2b30dc -o br-2fabfd2b30dc -p tcp -m tcp --dport 19400 -j ACCEPT
-A DOCKER -d 192.168.80.2/32 ! -i br-2fabfd2b30dc -o br-2fabfd2b30dc -p tcp -m tcp --dport 8090 -j ACCEPT
-A DOCKER -d 192.168.80.2/32 ! -i br-2fabfd2b30dc -o br-2fabfd2b30dc -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 192.168.0.2/32 ! -i br-3e25fab3da7e -o br-3e25fab3da7e -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p udp -m udp --dport 67 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 53 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p udp -m udp --dport 53 -j ACCEPT
-A DOCKER -d 172.24.0.3/32 ! -i br-d25bebd3e424 -o br-d25bebd3e424 -p tcp -m tcp --dport 9001 -j ACCEPT
-A DOCKER -d 172.24.0.3/32 ! -i br-d25bebd3e424 -o br-d25bebd3e424 -p tcp -m tcp --dport 1883 -j ACCEPT
-A DOCKER -d 172.24.0.5/32 ! -i br-d25bebd3e424 -o br-d25bebd3e424 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.24.0.6/32 ! -i br-d25bebd3e424 -o br-d25bebd3e424 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.23.0.50/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 1443 -j ACCEPT
-A DOCKER -d 172.23.0.50/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.23.0.50/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.23.0.2/32 ! -i br-ec6d8fe88feb -o br-ec6d8fe88feb -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 192.168.208.2/32 ! -i br-89c092226a24 -o br-89c092226a24 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 192.168.208.3/32 ! -i br-89c092226a24 -o br-89c092226a24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-89c092226a24 ! -o br-89c092226a24 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5d3074306e5d ! -o br-5d3074306e5d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d0ccf4315e3d ! -o br-d0ccf4315e3d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7cc1c3146ff6 ! -o br-7cc1c3146ff6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-3e25fab3da7e ! -o br-3e25fab3da7e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fd0a5edcc3db ! -o br-fd0a5edcc3db -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-ec6d8fe88feb ! -o br-ec6d8fe88feb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fd87f744bc1f ! -o br-fd87f744bc1f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-90c10ed21bd7 ! -o br-90c10ed21bd7 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5fd0f43922e0 ! -o br-5fd0f43922e0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d0f496bdbec5 ! -o br-d0f496bdbec5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-34aed491bd19 ! -o br-34aed491bd19 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-2fabfd2b30dc ! -o br-2fabfd2b30dc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-de29c2d1df31 ! -o br-de29c2d1df31 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d25bebd3e424 ! -o br-d25bebd3e424 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -s 35.189.172.158/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 182.52.90.164/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 47.74.0.196/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 160.124.140.147/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 109.196.55.45/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.211.120.99/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 200.89.159.190/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 190.128.230.206/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-89c092226a24 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5d3074306e5d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d0ccf4315e3d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7cc1c3146ff6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-3e25fab3da7e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fd0a5edcc3db -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-ec6d8fe88feb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fd87f744bc1f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-90c10ed21bd7 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5fd0f43922e0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d0f496bdbec5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-34aed491bd19 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-2fabfd2b30dc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-de29c2d1df31 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d25bebd3e424 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
# Completed on Wed Sep 27 15:41:46 2023
pi@raspberrypi:/etc/ssh$
pi@raspberrypi:/etc/ssh$ netstat -l -n -p
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:19444           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:19445           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:19222           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:25432           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5050            0.0.0.0:*               LISTEN      9474/python3        
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8123            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:3422            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:7423            0.0.0.0:*               LISTEN      -                   
tcp        0      0 192.168.178.11:40000    0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5443            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:580             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:19400           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:35432           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8123                 :::*                    LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -                   
tcp6       0      0 :::3422                 :::*                    LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:44434           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:54748           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:67              0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:58984           0.0.0.0:*                           -                   
udp        0      0 192.168.223.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.208.1:137       0.0.0.0:*                           -                   
udp        0      0 192.168.207.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.192.1:137       0.0.0.0:*                           -                   
udp        0      0 192.168.255.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.240.1:137       0.0.0.0:*                           -                   
udp        0      0 192.168.175.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.160.1:137       0.0.0.0:*                           -                   
udp        0      0 192.168.111.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.96.1:137        0.0.0.0:*                           -                   
udp        0      0 192.168.95.255:137      0.0.0.0:*                           -                   
udp        0      0 192.168.80.1:137        0.0.0.0:*                           -                   
udp        0      0 192.168.47.255:137      0.0.0.0:*                           -                   
udp        0      0 192.168.32.1:137        0.0.0.0:*                           -                   
udp        0      0 192.168.15.255:137      0.0.0.0:*                           -                   
udp        0      0 192.168.0.1:137         0.0.0.0:*                           -                   
udp        0      0 172.29.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.29.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.26.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.26.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.24.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.24.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.23.0.255:137        0.0.0.0:*                           -                   
udp        0      0 172.23.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.22.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.22.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.20.0.255:137        0.0.0.0:*                           -                   
udp        0      0 172.20.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.18.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.18.0.1:137          0.0.0.0:*                           -                   
udp        0      0 172.17.255.255:137      0.0.0.0:*                           -                   
udp        0      0 172.17.0.1:137          0.0.0.0:*                           -                   
udp        0      0 192.168.178.255:137     0.0.0.0:*                           -                   
udp        0      0 192.168.178.11:137      0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -                   
udp        0      0 192.168.223.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.208.1:138       0.0.0.0:*                           -                   
udp        0      0 192.168.207.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.192.1:138       0.0.0.0:*                           -                   
udp        0      0 192.168.255.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.240.1:138       0.0.0.0:*                           -                   
udp        0      0 192.168.175.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.160.1:138       0.0.0.0:*                           -                   
udp        0      0 192.168.111.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.96.1:138        0.0.0.0:*                           -                   
udp        0      0 192.168.95.255:138      0.0.0.0:*                           -                   
udp        0      0 192.168.80.1:138        0.0.0.0:*                           -                   
udp        0      0 192.168.47.255:138      0.0.0.0:*                           -                   
udp        0      0 192.168.32.1:138        0.0.0.0:*                           -                   
udp        0      0 192.168.15.255:138      0.0.0.0:*                           -                   
udp        0      0 192.168.0.1:138         0.0.0.0:*                           -                   
udp        0      0 172.29.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.29.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.26.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.26.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.24.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.24.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.23.0.255:138        0.0.0.0:*                           -                   
udp        0      0 172.23.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.22.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.22.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.20.0.255:138        0.0.0.0:*                           -                   
udp        0      0 172.20.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.18.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.18.0.1:138          0.0.0.0:*                           -                   
udp        0      0 172.17.255.255:138      0.0.0.0:*                           -                   
udp        0      0 172.17.0.1:138          0.0.0.0:*                           -                   
udp        0      0 192.168.178.255:138     0.0.0.0:*                           -                   
udp        0      0 192.168.178.11:138      0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:51900           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:53957           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:43865           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           -                   
udp6       0      0 :::36971                :::*                                -                   
udp6       0      0 :::51900                :::*                                -                   
udp6       0      0 :::5353                 :::*                                -                   
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     19559    -                    /run/haproxy/admin.sock.708.tmp
unix  2      [ ACC ]     STREAM     LISTENING     7410059  13190/systemd        /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7410066  13190/systemd        /run/user/1000/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     7410067  13190/systemd        /run/user/1000/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     7410068  13190/systemd        /run/user/1000/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     7410069  13190/systemd        /run/user/1000/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     7410070  13190/systemd        /run/user/1000/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     7410071  13190/systemd        /run/user/1000/bus
unix  2      [ ACC ]     STREAM     LISTENING     48006    -                    /run/containerd/s/b4587607c183420a4e2e970486dc68fd8bcdaf51e25cdd68766877a8761d1f22
unix  2      [ ACC ]     STREAM     LISTENING     35445    -                    /run/containerd/s/a40a08b52a28d7b8e60e517c1cfd5f76c82afd721e00f7e8510aec2a1199ed7c
unix  2      [ ACC ]     STREAM     LISTENING     21603    -                    /run/containerd/containerd.sock.ttrpc
unix  2      [ ACC ]     STREAM     LISTENING     21606    -                    /run/containerd/containerd.sock
unix  2      [ ACC ]     STREAM     LISTENING     7060363  -                    /run/containerd/s/eb2e6136302b8d2ea8c6f50c76a0c912cb80a2979c6950393f5717f6cce2d4e2
unix  2      [ ACC ]     STREAM     LISTENING     49466    -                    /run/containerd/s/2bfe0eccfa7da41f539e5d2ef2de3a697bf703bf399b34bc8e778f7fa903c2c5
unix  2      [ ACC ]     STREAM     LISTENING     19311    -                    /var/run/samba/nmbd/unexpected
unix  2      [ ACC ]     STREAM     LISTENING     49480    -                    /run/containerd/s/b9da2e6ec84ec1188f6cca64abf9fa0c9b7c0b117d0b21ab547c9753d5ab2f25
unix  2      [ ACC ]     STREAM     LISTENING     11484    -                    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22540    -                    /var/run/docker/metrics.sock
unix  2      [ ACC ]     STREAM     LISTENING     7060422  -                    /run/containerd/s/ccc34e07e471bd315315fb87b2b89d40c0862f222d4b7795f68fa66950d629c1
unix  2      [ ACC ]     SEQPACKET  LISTENING     11499    -                    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     11501    -                    /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     11506    -                    /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     38301    -                    /run/containerd/s/c686f34655e5aac6174bb3c6a64596a5d41468141c71be8daa1316dc4a729f98
unix  2      [ ACC ]     STREAM     LISTENING     33108    -                    /run/containerd/s/ea4365b0184d9240e1dec8ae268256f7885d463d5639ab2f6cd6928aebb22090
unix  2      [ ACC ]     STREAM     LISTENING     6959819  -                    /run/containerd/s/ada399a5c2c50e1ed07216e0181c95a5010281c4b51a76fa6f3eec0a6a936a7a
unix  2      [ ACC ]     STREAM     LISTENING     51409    -                    /run/containerd/s/fea027c7453041433f2d9d6a3e621503c092fb392fc6ba6b79fce68275549a65
unix  2      [ ACC ]     STREAM     LISTENING     48032    -                    s
unix  2      [ ACC ]     STREAM     LISTENING     6963371  -                    /run/containerd/s/650a9d5cbca977f9791f10b727fe2eaaf9a630602b90167116d6fe3528d68daf
unix  2      [ ACC ]     STREAM     LISTENING     6963378  -                    /run/containerd/s/851be15d7c5088c7f37a6802cf3ead601d945ef85ce172a2f90b685dfe769409
unix  2      [ ACC ]     STREAM     LISTENING     14700    -                    /run/thd.socket
unix  2      [ ACC ]     STREAM     LISTENING     28541    -                    /var/run/docker/libnetwork/fb527ad2ef9b.sock
unix  2      [ ACC ]     STREAM     LISTENING     14703    -                    /run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14709    -                    /var/run/docker.sock
unix  2      [ ACC ]     STREAM     LISTENING     14713    -                    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     6964505  -                    /run/containerd/s/6db1397a64012cbca3ae56aed5d9b7f60989bffb2a1f940ef84563a995687379
unix  2      [ ACC ]     STREAM     LISTENING     34550    -                    /run/containerd/s/2f343af7b19df652f9fa0de6c9e6b55eace4c8f631c08509f2195397215baac5
unix  2      [ ACC ]     STREAM     LISTENING     49332    -                    /run/containerd/s/d95d6e999013019519e31524df9356e4a72cd8981372134929e8a761c1138cc7
unix  2      [ ACC ]     STREAM     LISTENING     30531    -                    /run/containerd/s/1adddb33983b637d74aec16fb00d5c987942115f4006612cf6c500ca3b615609
unix  2      [ ACC ]     STREAM     LISTENING     47055    -                    /run/containerd/s/8c5c27bc2ecbd4865d1cc6769363ecfa196c04c0c126c515ef61712b4205b195
pi@raspberrypi:/etc/ssh$ 
pi@raspberrypi:/etc/ssh$ netstat -l -n -p | grep -e ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
unix  2      [ ACC ]     STREAM     LISTENING     7410069  13190/systemd        /run/user/1000/gnupg/S.gpg-agent.ssh
pi@raspberrypi:/etc/ssh$ 
pi@raspberrypi:/etc/ssh$ ping  -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=14.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=12.3 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 12.284/13.055/14.382/0.942 ms
pi@raspberrypi:/etc/ssh$
pi@raspberrypi:/etc/ssh$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.178.1  0.429 ms  0.366 ms  0.368 ms
 2  192.168.2.1  1.188 ms  1.222 ms  1.283 ms
 3  62.155.246.24  13.808 ms  13.721 ms  13.659 ms
 4  217.5.70.18  13.728 ms 217.5.67.178  41.500 ms 217.0.198.10  15.410 ms
 5  87.128.238.134  15.540 ms  15.611 ms  16.493 ms
 6  * * *
 7  8.8.8.8  13.402 ms  13.758 ms  13.793 ms
pi@raspberrypi:/etc/ssh$ 

Thank you very much for your help, it has been invaluable.


That is a lot of output, but I see nothing wrong at first glance.
Try running tcpdump directly on the RaspberryPi to capture the forwarded SSH traffic, but be sure to keep unrelated traffic (such as your own SSH session to the Pi) out of the capture, e.g. by connecting from a different host or over IPv6:

sudo tcpdump -evnni any tcp port 3422 and not ip6
pi@raspberrypi:~ $ sudo tcpdump -evnni any tcp port 3422 and host not 192.168.178.103
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:36:11.949264  In e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 32019, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.57487 > 192.168.178.11.3422: Flags [S], cksum 0xb8a2 (correct), seq 477264612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:36:12.960217  In e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 32054, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.57487 > 192.168.178.11.3422: Flags [S], cksum 0xb8a2 (correct), seq 477264612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:36:14.960672  In e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 32071, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.57487 > 192.168.178.11.3422: Flags [S], cksum 0xb8a2 (correct), seq 477264612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:36:18.969566  In e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 32106, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.57487 > 192.168.178.11.3422: Flags [S], cksum 0xb8a2 (correct), seq 477264612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:36:26.981496  In e4:c3:2a:47:1a:7e ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 32148, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.220.57487 > 192.168.178.11.3422: Flags [S], cksum 0xb8a2 (correct), seq 477264612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
pi@raspberrypi:~ $

192.168.178.103 is the host I am connecting from. 192.168.2.220 is the host using the forward.

Should I be seeing outgoing packets here?


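Yes, you should see outgoing replies, otherwise where else could they go. The capture shows only the same incoming SYN being retransmitted, so no reply is leaving the Pi.
Check ping and traceroute from the RaspberryPi to the client (192.168.2.220). The netstat output lists 192.168.0.1 next to broadcast 192.168.15.255, which suggests a Docker network covering 192.168.0.0/20; if so, it overlaps 192.168.2.0/24 and replies to the client may be routed to that bridge instead of the router (`ip route get 192.168.2.220` would confirm this).
Then isolate the issue by stopping Docker and fail2ban and flushing iptables, nftables, IP sets. Flushing also removes the fail2ban bans and Docker's isolation rules, so keep it to a short test and restart both services afterwards to restore them.
Even if the issue persists, your runtime config should become much simpler to troubleshoot.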
