Port forwards do not work

All of a sudden my parents' old WRT160NL with 19.07 does not work with port forwards anymore when connecting from WAN to a port forwarded to an IP on the LAN side, e.g. with SSH forwarded from port 2222 to port 22 on 192.168.1.103 on the LAN side.

The current firewall rules: https://pastebin.com/GyYJP1ij - firewall.user is empty

This is the output from tcpdump on the router when I try to SSH to port 2222:

    IPv4-source.61090 > IPv4-dest.2222: Flags [S], cksum 0x3f3a (correct), seq 3317476696, win 64240, options [mss 1460,sackOK,TS val 1238195739 ecr 0,nop,wscale 7], length 0

The log from my pc trying to SSH:

[louis@pc ~]$ ssh router-hostname -p2222 -vvv
OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021
debug1: Reading configuration data /home/louis/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/louis/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/louis/.ssh/known_hosts2'
debug2: resolving "router-hostname" port 2222
debug3: ssh_connect_direct: entering
debug1: Connecting to router-hostname [IPv4-dest] port 2222.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48

I've tried resetting the counters in iptables on the router and doing an SSH to a forwarded port, but no relevant counters count up, nor does the forwarded machine register any attempt to SSH to it.

Any ideas for further debugging?

Pastebin is private.

    iptables-save -c | grep DNAT
    tcpdump -i any -evn host 192.168.1.103 or tcp port 2222

root@router-hostname:~# iptables-save -c | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d IPv4-dest/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: Server SSH (reflection)" -j DNAT --to-destination 192.168.1.103:22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d IPv4-dest/32 -p udp -m udp --dport 2222 -m comment --comment "!fw3: Server SSH (reflection)" -j DNAT --to-destination 192.168.1.103:22
[43:1944] -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: Server SSH" -j DNAT --to-destination 192.168.1.103:22
[1:52] -A zone_wan_prerouting -p udp -m udp --dport 2222 -m comment --comment "!fw3: Server SSH" -j DNAT --to-destination 192.168.1.103:22
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[83:4699] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
root@router-hostname:~# 

root@router-hostname:~# tcpdump -i any -evn host 192.168.1.103 or tcp port 2222
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
15:17:22.424774  In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > IPv4-dest.2222: Flags [S], cksum 0xf5a3 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425002 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425040 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:23.453960  In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > IPv4-dest.2222: Flags [S], cksum 0xf1a4 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454144 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454180 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:24.408500   B 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
15:17:24.408574 Out 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
15:17:24.408500   B 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
^C
15 packets captured
15 packets received by filter
0 packets dropped by kernel
root@router-hostname:~#

During that period there are no entries on 192.168.1.103 from running "journalctl -u sshd -b", nor does "/var/log/auth.log" exist.

It is evident from the hit counts in iptables that packets are forwarded to the destination, and the tcpdump confirms it. You need to verify on the SSH server why it is not responding.

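As an added example (my own script, not code from the thread or from OpenWrt), the reasoning of the reply above can be automated over a `tcpdump -i any -evn` capture: pair each inbound SYN on the forwarded port with its DNATed copy (same IP id, source port and TCP seq, only the destination rewritten) and then check whether the LAN host ever sends a SYN-ACK back. The two captures embedded below are constructed in the shape of the one posted above, with RFC 5737 documentation addresses standing in for the real ones; the verdict names and hints are assumptions of this example.

```python
"""Offline check of a `tcpdump -i any -evn` capture taken on an iptables/fw3 router:
did SYNs reach the WAN side, were they DNATed towards the LAN host, did the host answer?
Added example, not code from the original thread."""
import re

# Constructed sample shaped like the posted capture (two SYN retries, each DNATed and
# seen twice on egress because `-i any` shows both the bridge and its member port),
# plus an ARP line that must be skipped. No reply from the LAN host is present.
BROKEN_CAPTURE = """\
15:17:22.424774  In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 198.51.100.9.2222: Flags [S], cksum 0xf5a3 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425002 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425040 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:23.453960  In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 198.51.100.9.2222: Flags [S], cksum 0xf1a4 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454144 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454180 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:24.408500   B 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
"""

# Constructed healthy counterpart: the LAN host answers with a SYN-ACK, which conntrack
# un-DNATs on the way out (source becomes the public address and port 2222 again).
HEALTHY_CAPTURE = """\
15:17:22.424774  In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 198.51.100.9.2222: Flags [S], cksum 0xf5a3 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425002 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425600  In 00:18:dd:22:06:12 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.103.22 > 203.0.113.7.25332: Flags [S.], cksum 0x0a1b (correct), seq 2998877665, ack 1723505096, win 65160, options [mss 1460,sackOK,TS val 11223344 ecr 3344633665,nop,wscale 7], length 0
15:17:22.425700 Out 00:23:69:a3:a8:10 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.9.2222 > 203.0.113.7.25332: Flags [S.], cksum 0x1c2d (correct), seq 2998877665, ack 1723505096, win 65160, options [mss 1460,sackOK,TS val 11223344 ecr 3344633665,nop,wscale 7], length 0
"""

# Header line: timestamp, direction as shown by `-i any`, IP id, and only TCP frames.
HEADER = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out|B)\s+.*?\bid (?P<ipid>\d+),.*?proto TCP"
)
# Packet line: src.port > dst.port, TCP flags and the sequence number.
PACKET = re.compile(
    r"^\s+(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], .*?seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Pair each header line with the TCP line that follows it; non-TCP frames are skipped."""
    packets, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        hdr = HEADER.match(lines[i])
        pkt = PACKET.match(lines[i + 1]) if hdr and i + 1 < len(lines) else None
        if hdr and pkt:
            d = {**hdr.groupdict(), **pkt.groupdict()}
            for k in ("ipid", "sport", "dport", "seq"):
                d[k] = int(d[k])
            packets.append(d)
            i += 2
        else:
            i += 1
    return packets


def analyze(text, ext_port, lan_host, lan_port):
    """Classify a capture of one port forward: ext_port on the WAN side -> lan_host:lan_port."""
    pkts = parse_capture(text)
    inbound = [p for p in pkts if p["dir"] == "In" and p["dport"] == ext_port and p["flags"] == "S"]
    translated = 0
    for syn in inbound:
        # DNAT rewrites only the destination; IP id, source port and seq survive and
        # identify the rewritten copy of this exact SYN on the LAN-facing egress.
        twins = [p for p in pkts if p["dir"] == "Out" and p["ipid"] == syn["ipid"]
                 and (p["src"], p["sport"], p["seq"]) == (syn["src"], syn["sport"], syn["seq"])
                 and (p["dst"], p["dport"]) == (lan_host, lan_port)]
        translated += bool(twins)
    replies = [p for p in pkts if p["dir"] == "In"
               and (p["src"], p["sport"]) == (lan_host, lan_port) and p["flags"] == "S."]
    if not inbound:
        verdict = "no_inbound"
    elif translated < len(inbound):
        verdict = "not_translated"
    elif not replies:
        verdict = "no_reply"
    else:
        verdict = "ok"
    return {"inbound_syns": len(inbound), "translated": translated,
            "replies": len(replies), "verdict": verdict}


# Where to look next for each verdict (assumed troubleshooting order, not from the thread).
HINTS = {
    "no_inbound": "no SYN reached the WAN side: look upstream (ISP/CGNAT, modem, DNS name)",
    "not_translated": "SYNs arrive but are not rewritten: check the redirect rule and its zone",
    "no_reply": "DNAT works and the SYN left towards the LAN host, which never answers: "
                "check its firewall, its routing (e.g. a VPN taking the default route) and sshd",
    "ok": "three-way handshake seen through the forward",
}

if __name__ == "__main__":
    for name, cap in (("posted-shape", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        r = analyze(cap, 2222, "192.168.1.103", 22)
        print(f"{name}: {r} -> {HINTS[r['verdict']]}")
```

Run it against a saved capture by replacing the embedded strings with the file contents; a "no_reply" verdict is exactly the state in the thread, where the router has done its job and the remaining suspect is the host behind it.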

Turns out the machine I was trying to SSH to had had an OpenVPN connection wrongly configured, making me unable to SSH to it via the forwarded port.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

There's no pencil behind the topic.

You can skip to step 5 as the instructions say.
