Port forwarding not working (yes, I have read 200 posts and still no success)

As title.

I notice a LOT of ppl having trouble with this.

And it doesn't seem to open port 6881

~# netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      764/dropbear
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1174/adbd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1482/uhttpd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      1174/adbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2166/dnsmasq
tcp        0      0 83.255.102.240:53       0.0.0.0:*               LISTEN      2166/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      2166/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      764/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      1482/uhttpd
tcp        0      0 fe80::4c18:ddff:fecb:a59b:53 :::*               LISTEN      2166/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      2166/dnsmasq
tcp        0      0 fe80::4818:ddff:fecb:a59b:53 :::*               LISTEN      2166/dnsmasq
tcp        0      0 fda8:59ee:5363::1:53    :::*                    LISTEN      2166/dnsmasq
tcp        0      0 fe80::4818:ddff:fecb:a59b:53 :::*               LISTEN      2166/dnsmasq

It's NOT the ISP, my other router works just fine with port forwarding.
The public ip is the same as WAN.

I have zero clue as to even where to begin. I have tried to understand iptables and have spent more than a day searching for info but I have to ask for help here. :frowning:
As I understand it, it's probably the GUI not inputting all that is needed?

Opening a port in the firewall is not the same thing as having a service on the device listening on the port. You're not going to see the router listening on that port.

Is your OpenWRT device connected directly to the internet?

If so, then you should double check whether the port forward is actually working on the end device (i.e. 192.168.1.100). If it isn't, I'd then double check that the port you've opened is definitely the correct one for the device/application you're using.

It probably isn't.

Yes

Output from 192.168.1.100

$ netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:58846           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6881          0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.100:6881      0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:32600         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:32401         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:45905         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:55413           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:55414           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:55415           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:35621           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:35623           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::139                  :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::445                  :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::55413                :::*                    LISTEN      -
tcp6       0      0 :::55414                :::*                    LISTEN      -
tcp6       0      0 :::55415                :::*                    LISTEN      -
tcp6       0      0 :::35621                :::*                    LISTEN      -
tcp6       0      0 :::35623                :::*                    LISTEN      -

So it seems it's listening for it.

Install some telnet app on your phone, like ConnectBot (Android), and try to telnet to the port you've opened, via the cell carrier network, not Wi-Fi.

That has already been done or I wouldn't ask here.

Maybe this could be useful?
To me it means nothing, but maybe someone can help me translate?
I do notice that only UDP ports seem to be used? It's TCP I have forwarded and need.

# tcpdump -i eth0 port 6881
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:47:42.667701 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 20
11:47:42.813905 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:42.814604 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 88
11:47:42.965523 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:44.093875 IP 198.199.98.246.33175 > c83-255-102-240.bredband.tele2.se.6881: Flags [S], seq 304732107, win 14600, options [mss 1460,sackOK,TS val 2396823746 ecr 0,nop,wscale 8], length 0
11:47:44.094015 IP c83-255-102-240.bredband.tele2.se.6881 > 198.199.98.246.33175: Flags [R.], seq 0, ack 304732108, win 0, length 0
11:47:44.250204 IP 198.199.98.246.33176 > c83-255-102-240.bredband.tele2.se.6881: Flags [S], seq 738123338, win 14600, options [mss 1460,sackOK,TS val 2396823784 ecr 0,nop,wscale 8], length 0
11:47:44.250327 IP c83-255-102-240.bredband.tele2.se.6881 > 198.199.98.246.33176: Flags [R.], seq 0, ack 738123339, win 0, length 0
11:47:44.408649 IP 198.199.98.246.33177 > c83-255-102-240.bredband.tele2.se.6881: Flags [S], seq 2366862222, win 14600, options [mss 1460,sackOK,TS val 2396823824 ecr 0,nop,wscale 8], length 0
11:47:44.408797 IP c83-255-102-240.bredband.tele2.se.6881 > 198.199.98.246.33177: Flags [R.], seq 0, ack 2366862223, win 0, length 0
11:47:45.668234 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 20
11:47:45.794714 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:45.795333 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 88
11:47:45.924491 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:45.932521 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:45.933012 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 20
11:47:46.668254 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 20
11:47:46.796968 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:46.808588 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 548
11:47:46.940649 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:46.940650 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 355
11:47:46.941403 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 49
11:47:46.941487 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 20
11:47:47.066521 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:47.067145 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 363
11:47:47.194549 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:47.200732 IP cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:47.201243 IP c83-255-102-240.bredband.tele2.se.6881 > cpe105611a33503-cm105611a33501.cpe.net.cable.rogers.com.13685: UDP, length 20
11:47:47.668482 IP c83-255-102-240.bredband.tele2.se.6881 > n27-99-7-22.mrk1.qld.optusnet.com.au.57618: UDP, length 20
11:47:47.999636 IP n27-99-7-22.mrk1.qld.optusnet.com.au.57618 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:48.000385 IP c83-255-102-240.bredband.tele2.se.6881 > n27-99-7-22.mrk1.qld.optusnet.com.au.57618: UDP, length 88
11:47:48.331620 IP n27-99-7-22.mrk1.qld.optusnet.com.au.57618 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:48.331620 IP n27-99-7-22.mrk1.qld.optusnet.com.au.57618 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 26
11:47:48.332227 IP c83-255-102-240.bredband.tele2.se.6881 > n27-99-7-22.mrk1.qld.optusnet.com.au.57618: UDP, length 20
11:47:49.202886 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 88
11:47:49.203499 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 20
11:47:49.203757 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 220
11:47:49.203999 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 88
11:47:49.204446 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 20
11:47:49.349726 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:49.349727 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 26
11:47:49.350342 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 20
^C
42 packets captured
42 packets received by filter
0 packets dropped by kernel
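
As an added example (not part of any post in this thread), this Python sketch reads tcpdump text lines like the ones above, counts UDP packets on the forwarded port, and pairs each inbound TCP SYN with the reply it received. The function names and result keys are chosen here for illustration; the sample lines are a subset of the capture above.

```python
import re

# Lines copied from the tcpdump output in the post above (a subset).
CAPTURE = """\
11:47:42.667701 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 20
11:47:42.813905 IP 191.96.168.163.26954 > c83-255-102-240.bredband.tele2.se.6881: UDP, length 20
11:47:42.814604 IP c83-255-102-240.bredband.tele2.se.6881 > 191.96.168.163.26954: UDP, length 88
11:47:44.093875 IP 198.199.98.246.33175 > c83-255-102-240.bredband.tele2.se.6881: Flags [S], seq 304732107, win 14600, options [mss 1460,sackOK,TS val 2396823746 ecr 0,nop,wscale 8], length 0
11:47:44.094015 IP c83-255-102-240.bredband.tele2.se.6881 > 198.199.98.246.33175: Flags [R.], seq 0, ack 304732108, win 0, length 0
11:47:44.250204 IP 198.199.98.246.33176 > c83-255-102-240.bredband.tele2.se.6881: Flags [S], seq 738123338, win 14600, options [mss 1460,sackOK,TS val 2396823784 ecr 0,nop,wscale 8], length 0
11:47:44.250327 IP c83-255-102-240.bredband.tele2.se.6881 > 198.199.98.246.33176: Flags [R.], seq 0, ack 738123339, win 0, length 0
"""
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (UDP|Flags \[([^\]]+)\])")

def summarize(capture, wan_host, port):
    """Count UDP packets and pair each inbound TCP SYN with the reply it got."""
    local = f"{wan_host}.{port}"  # tcpdump prints endpoints as host.port
    stats = {"udp_in": 0, "udp_out": 0, "syn_in": 0, "refused": 0, "accepted": 0}
    pending = set()  # remote endpoints whose SYN has not been answered yet
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, kind, flags = m.groups()
        if local not in (src, dst):
            continue
        inbound = dst == local
        if kind == "UDP":
            stats["udp_in" if inbound else "udp_out"] += 1
        elif inbound and flags == "S":
            stats["syn_in"] += 1
            pending.add(src)
        elif not inbound and dst in pending:
            # "S." is a SYN-ACK (accepted); any flag set containing R is a reset (refused).
            key = "refused" if "R" in flags else "accepted" if flags == "S." else None
            if key:
                stats[key] += 1
                pending.discard(dst)
    stats["unanswered"] = len(pending)
    return stats

def verdict(stats):
    """Reduce the counters to a one-line TCP status for the port."""
    if stats["accepted"]:
        return "tcp reachable"
    if stats["refused"]:
        return "tcp refused"
    if stats["unanswered"]:
        return "tcp filtered"
    return "no inbound tcp seen"
```

On the sample lines, every inbound SYN is answered with a reset while UDP flows in both directions, which is consistent with the "Connection refused" seen from telnet later in the thread.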

And we would know this how?

[frollic@atlantis ~]$ telnet c83-255-102-240.bredband.tele2.se 6881
Trying 83.255.102.240...
telnet: connect to address 83.255.102.240: Connection refused
[frollic@atlantis ~]$
1 Like

By using common sense? xD
(and the fact I write that I have spent more than 10hrs researching this before posting)

Not sure how this is useful, it's pretty much established that the port is blocked.
Or did you mean to point out I outed my ip? Yeah I know, I'm living on the edge. xD

I have no idea how to move forward.

Yes, and it's quite simple:

  • It means you opened the wrong protocol (i.e. contrary to your beliefs, you actually need UDP); or
  • The far-end device is using the wrong protocol (i.e. they actually need to use TCP)

I'm not sure how that isn't clear - so feel free to inquire if you have any questions.

That wasn't established, or you wouldn't be inquiring.

You could have studied Internet for Dummies during all that time; again, how would we know?
:wink:

1 Like

You might want to tighten your security

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
5555/tcp open  freeciv

Your OpenWrt access is wide open, even though I don't know the pass ... care to share?

Sure you know what you're doing here?

2 Likes
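
As an added example (not part of any post in this thread), this Python sketch classifies the router's `netstat -tulpn` LISTEN lines by the address each service is bound to, and lists the listeners bound to every address or to a public one. The scope labels and function names are chosen here for illustration; the sample lines are a subset of the router output in the first post.

```python
import ipaddress

# LISTEN lines copied from the router's netstat output in the first post (a subset).
NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      764/dropbear
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1174/adbd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1482/uhttpd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      1174/adbd
tcp        0      0 83.255.102.240:53       0.0.0.0:*               LISTEN      2166/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      2166/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      1482/uhttpd
tcp        0      0 ::1:53                  :::*                    LISTEN      2166/dnsmasq
"""

def scope(addr):
    """Label a bind address; order matters because loopback etc. also count as private."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or :: means every interface, WAN included
        return "any"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 and IPv6 ULA
        return "lan"
    return "public"

def listeners(netstat):
    """Return sorted (port, process, scope) for every LISTEN line."""
    found = set()
    for line in netstat.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        host, port = f[3].rsplit(":", 1)   # also splits ":::22" into "::" and "22"
        found.add((int(port), f[6].split("/", 1)[-1], scope(host)))
    return sorted(found)

def needs_firewall(netstat):
    """Listeners that only the WAN input rules keep off the internet."""
    return sorted({(p, proc) for p, proc, s in listeners(netstat)
                   if s in ("any", "public")})
```

On the sample lines, `needs_firewall(NETSTAT)` returns ports 22, 53, 80 and 5555, the same four ports the scan above reports as open.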

What does the firewall say? Depending on your OpenWrt version, post the output of one of these commands:

iptables-save -c | grep Deluge
nft list ruleset | grep Deluge

Absolutely not, that's why I'm asking. All I know is port 6881 does NOT work and the firewall settings in OpenWrt are completely vanilla, nothing has been added. That is the next step I was going to look into, but honestly, I googled and was under the impression that the std firewall in OpenWrt is pretty secure and wasn't worried at all, but seeing those ports open I now realize that OpenWrt is NOT as secure as I thought.

Returns absolutely nothing, and nft is not on my system and I can't find it using opkg to install. :frowning:

No dude, they aren't ...

unless you make holes in it, like you've done.
Or you're being hacked.

Is your port forward still named Deluge in the GUI?

Try these two commands. Look for errors at the beginning of the fw3 output.

iptables -t nat -nvL
fw3 print

More likely I was being hacked then, because NOTHING has been changed with the firewall by me, except for the port forwarding I did in the GUI. So unless that removes security, someone has hacked my router and removed the blocks OR they were never there to begin with.
I AM using a custom-built OS, made by bananapi (as I understand it), since no official release is made.
No matter, I obv can't use this router like this. :frowning:

Strange thing is I could not connect with ssh yesterday, I tried that to see if I could get access to my dumb-ap from outside.

OR the holes came with the build you installed, pretty nice trojan horse, imho.

Watched tutorials and was under the impression that this made all requests from internet to be denied?

After installing I did notice that the list in status/firewall was VERY empty. I just thought that is the way it is, because again, I have no knowledge of iptables and googling that, yeah, I get nothing out of it. :frowning:

Even searching for "good standard iptables settings" or the likes gives nothing of substance I can take from.

There should only be two rules in the Zones: the one you've got, and one permitting lan -> wan.

What's in the other tabs, under firewall?


These are the only active rules in the firewall. I disabled the port forwarding that I was trying to fix.

The last Support-UDP-Traceroute rule isn't in the standard OpenWrt config; the naming for the rule is sane, but the port range isn't (so Google claims).

I'd have set up the ports for a torrent host like that :wink:

Problem is, there might be rules added on OS level that you cannot see in the UI.