Port forwarding for ssh

Hi people.

I'm trying to forward ssh connections from anywhere on the internet to my server behind an OpenWrt router. It sits behind another router/antenna controlled by my ISP. The port on that seems open:

nmap -Pn 93.xx.xx.xx
...
22/tcp   filtered ssh
...

I added an iptables rule on OpenWrt like that:

iptables -t nat -A PREROUTING -i br-lan -p tcp -d 192.198.1.1 --dport 22 -j DNAT --to-destination 192.168.1.100:22

Also changed the default dropbear port to something else.
I can ssh from the local network to my server no problem, /etc/hosts.allow allows any IP.
What is curious (I'm a noob when it comes to networking) is that

nmap -Pn 192.168.1.100
...
22/tcp closed ssh
...

even though I'm connected to it through ssh from local network.

And I cannot ssh to it from outside.

What am I doing wrong? Are my interfaces in order in that iptables rule?

Use UCI or LUCI to create the forward rule. It's not recommended to directly interact with iptables.


Is the OpenWrt device configured as a router (with separated WAN and LAN networks), or as a dumb access point?


Gosh, sorry but not sure what you mean. WAN is on eth0.1 and LAN on br-lan if that's what you're asking about.
I've added the rule through the LuCI interface now:
Protocol -TCP
Source - wan:0.0.0.0/0:*
Via - device:0.0.0.0/:22
Destination - lan:192.168.1.100:22
Action - DNAT

Still no joy. If all is ok with those rules, perhaps it is my server setup that is faulty? But I can log in from the LAN and hosts.allow allows any IP, so what gives?

Also, should I tick that box in System->Administration 'Allow remote hosts to connect to local SSH forwarded ports '?

Better paste your config here:
uci show network; uci show firewall
Use preformatted text when pasting console output (the </> button).

Other than that the port 22 looks blocked from the internet, so I'd double check the forwarding on the ISP router.

Is the external router forwarding the port to the OpenWrt device? Have you seen the packets arriving using "tcpdump"?

uci show network
network.eth0=switch
network.eth0.enable=1
network.eth0_0=switch_vlan
network.eth0_0.device=eth0
network.eth0_0.vlan=0
network.eth0_0.ports=0 1 2 3 5
network.eth0_1=switch_vlan
network.eth0_1.device=eth0
network.eth0_1.vlan=1
network.eth0_1.ports=4 5
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.type=bridge
network.lan.ifname=eth0.0
network.lan.proto=static
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0
network.wan=interface
network.wan.ifname=eth0.1
network.wan.proto=dhcp
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@defaults[0].drop_invalid=1
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=REJECT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@redirect[0]=redirect
firewall.@redirect[0]._name=server_rule
firewall.@redirect[0].src=wan
firewall.@redirect[0].proto=tcp
firewall.@redirect[0].src_dport=22
firewall.@redirect[0].dest_ip=192.168.1.189
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].dest=lan
firewall.@redirect[0].dest_port=22

Eduperez,
Unfortunately I haven't got tcpdump on the router. I'm afraid this is an antique with severely limited space and installing any extra packages is iffy. Any other way to test that?

It's a small ISP, a one-man kind of operation. I can give him a bell, but he swore he turned the ports on, so I'd like to be sure it is not my setup's fault before I do.
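As an added illustration (not part of this thread), here is a small Python checker for the `uci show network; uci show firewall` output format pasted above: it parses the dump and flags DNAT redirects whose dest_ip does not lie inside the destination zone's subnet. The sample input is constructed, and its second redirect deliberately carries a 192.198.x.x typo like the one in the first iptables rule in this thread.

```python
import ipaddress
import re
# Constructed sample in `uci show` format; redirect[1] carries a 192.198.x.x typo on purpose.
SAMPLE = """\
network.lan=interface
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@redirect[0]=redirect
firewall.@redirect[0].src=wan
firewall.@redirect[0].src_dport=22
firewall.@redirect[0].dest_ip=192.168.1.189
firewall.@redirect[0].dest=lan
firewall.@redirect[1]=redirect
firewall.@redirect[1].src=wan
firewall.@redirect[1].src_dport=2222
firewall.@redirect[1].dest_ip=192.198.1.100
firewall.@redirect[1].dest=lan
"""
LINE = re.compile(r"^(\w+)\.([^.=]+)(?:\.([^=]+))?=(.*)$")  # config.section[.option]=value
def parse_uci(text):
    """Return {config: {section: {option: value}}}; a bare section line stores its type under '.type'."""
    tree = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            config, section, option, value = m.groups()
            tree.setdefault(config, {}).setdefault(section, {})[option or ".type"] = value.strip("'")
    return tree
def check_redirects(tree):
    """Return {'<src zone>:<port>/<proto>': (dest_ip, [problems])} for each DNAT redirect."""
    fw, net = tree.get("firewall", {}), tree.get("network", {})
    subnets = {}  # zone name -> IPv4 networks of the statically addressed interfaces it covers
    for z in (s for s in fw.values() if s.get(".type") == "zone"):
        subnets[z["name"]] = [ipaddress.ip_network(f"{net[i]['ipaddr']}/{net[i]['netmask']}", strict=False)
                              for i in z.get("network", "").split() if "ipaddr" in net.get(i, {})]
    out = {}
    for r in (s for s in fw.values() if s.get(".type") == "redirect" and s.get("target", "DNAT") == "DNAT"):
        src, dest, ip = r.get("src"), r.get("dest"), r.get("dest_ip")
        problems = [f"unknown zone {z!r}" for z in (src, dest) if z not in subnets]
        nets = subnets.get(dest, [])  # no static address on the zone: nothing to compare against
        if ip is None or (nets and not any(ipaddress.ip_address(ip) in n for n in nets)):
            problems.append(f"dest_ip {ip} is not inside the {dest} subnet(s)")
        out[f"{src}:{r.get('src_dport', '*')}/{r.get('proto', 'tcp')}"] = (ip, problems)  # proto shown as tcp when unset
    return out
```

Run it against a real dump with `check_redirects(parse_uci(open("dump.txt").read()))`; an empty problem list for the `wan:22/tcp` entry means the OpenWrt side of the forward at least points at a host on the LAN.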

Ok, supposedly there is not enough space to install tcpdump permanently, but I can install it to RAM...
I'm just doing that; could you tell me what I'm looking for, and how to run it to test whether packets arrive at the OpenWrt router?

Just run that (from manual) while trying to ssh:

tcpdump 'tcp port 22 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

and there is deafening silence. Are we sure that it is not settings on the OpenWrt keeping the port closed?

It's not that complicated.
Type tcpdump -i eth0.1 -vn tcp port 22 and try to connect from outside. Tcpdump can catch packets before they hit the firewall, which is open by the way.


trendy,
when I try your command there's silence.
Just wanted to double check (I'm a noob): I'm trying to log in with hostname@public_ip_here,
hostname is present in LuCI->Network->Hostnames,
that hostname appears in LuCI->Network->DHCP and DNS->Active leases.
Does that seem right?

Is it the time when I call The Dude? The ISP?

Assign your OpenWrt router's WAN port a static IP from the same subnet you see now on that port. Note the address.
Configure port forwarding or DMZ on your ISP router, with the address from the above step as the destination.
Forget about hostnames for a while and test ports from outside by using telnet xxx yyy, where xxx is your ISP router's WAN IP (that should be public) and yyy is the TCP port you want to check. As mentioned earlier, check with tcpdump on the OpenWrt WAN.

Please change the topic name to something like "port forwarding for ssh" to avoid confusion with the forwarding function of ssh.

This is getting interesting. I ran a remote debugging session with my ISP and, well, it looks like an issue with their antenna/router settings. Beyond my control. The antenna/router is a Mikrotik LHG5. Does it make sense to post its settings here?

The only thing we learned is that when he was logged in to the said antenna and tried to ssh to the router, I could see incoming packets. When it's an ssh attempt from further away than the antenna, no incoming packets.

The odd thing is, if I connect a laptop to a WAN port of the OpenWrt, get rid of the routing rule, set the ssh port to 22, change permitted ssh to WAN, and set the laptop IP to the WAN IP subnet, I can ping it but can't ssh to it. I could ssh through WAN to the server though.

Also, thanks for that rapid debugging session. Really great community.

You need to use pre routing to forward the packet to the right machine and port. Then set up the forward or input/input rule to accept the incoming and outgoing packets.

Right. As I have no knowledge of Mikrotik and its ways, I do not know how to do that.
Here are the settings for the antenna/router behind which the OpenWrt sits. If you guys have any ideas, that would be awesome. I'll have to run it through my ISP to test them, so it may be rather slow to test.

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
 chain=forward action=passthrough
 1 ;;; defconf: accept ICMP 
 chain=input action=accept protocol=icmp log=no log-prefix="" 
 2 ;;; defconf: accept established,related 
 chain=input action=accept connection-state=established,related log=no 
 log-prefix="" 
 3 X ;;; defconf: drop all from WAN 
 chain=input action=drop in-interface=wlan1 log=no log-prefix="" 
 4 ;;; defconf: fasttrack 
 chain=forward action=fasttrack-connection 
 connection-state=established,related log=no log-prefix="" 
 5 ;;; defconf: accept established,related 
 chain=forward action=accept connection-state=established,related log=no 
 log-prefix="" 
 6 X ;;; defconf: drop invalid 
 chain=forward action=drop connection-state=invalid log=no log-prefix="" 
 7 ;;; defconf: drop all from WAN not DSTNATed 
 chain=forward action=drop connection-state=new 
 connection-nat-state=!dstnat in-interface=wlan1 log=no log-prefix="" 

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; defconf: masquerade
 chain=srcnat action=masquerade out-interface=wlan1 log=no log-prefix=""
 1 ;;; 2 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=333 protocol=tcp 
 dst-address=92.xx.xx.xx dst-port=333 log=no log-prefix="" 
 2 ;;; 2udp 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=333 protocol=udp 
 dst-address=92.xx.xx.xx dst-port=333 log=no log-prefix="" 
 3 ;;; 3 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=80 protocol=tcp 
 in-interface=wlan1 dst-port=80 log=yes log-prefix="" 
 4 ;;; 3udp 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=80 protocol=udp 
 in-interface=wlan1 dst-port=80 log=no log-prefix="" 
 5 ;;; 4 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=443 protocol=tcp 
 dst-address=92.xx.xx.xx dst-port=443 log=no log-prefix="" 
 6 ;;; 4 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=22 protocol=tcp 
 dst-address=92.xx.xx.xx dst-port=22 log=yes log-prefix="" 
 7 ;;; 4udp 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=443 protocol=udp 
 dst-address=92.xx.xx.xx dst-port=443 log=no log-prefix="" 
 8 ;;; 4udp 
 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=22 protocol=udp 
 dst-address=92.xx.xx.xx dst-port=22 log=yes log-prefix=""

Not quite, the command is ssh user@hostname, where hostname is the IP or the name (FQDN) of the destination, and user is usually root for OpenWrt.

trendy,
actually that's what I meant, thanks for correcting my wording.

Just to double check I'm doing everything possible:

Now when I connect to a WAN port of the router with a laptop I can ssh to the Pi behind it; it gets forwarded without problems. That does mean that when my ISP figures out how to forward traffic on port 22 to the router I am ready to go, right?

Yes, that's right.