Ports under 1024

Hello community,

I am using OpenWrt on my router. I am trying to forward ports under 1024, but only port 22 is forwarded. Ports >= 1024 can also be forwarded.

I tried netcat with this command:
nc -vzn -w 3 MY_IP 1-1050

It succeeds for port 22 (which is forwarded) and for all other ports >= 1024 that are forwarded. The ports >= 1024 that are not forwarded give "connection refused". But all ports under 1024 except 22 give "timeout", whether forwarded or not.

Can this be a problem with my router? It has to be connected with the fact that ports under 1024 are privileged in Linux.

It might also be a problem with my provider. But I would like to make sure that it is not a problem with my router or OpenWrt before contacting the provider. Any suggestion on how to debug?

If I should contact the provider, what should I say? How do you think they could have blocked these ports so that they time out? It might also be a mistake, since I live in a student dorm and part of the network infrastructure is maintained by some students (on a voluntary basis).

Thank you!

It is usually blocked by some providers. Call and ask them to open the ports.


If port 22 is open, you can use it to tunnel all the others.

@trendy Thanks, I will ask the provider then.

@frollic How can I tunnel all other ports? LetsEncrypt for example wants to have the port 80 or 443 to generate a certificate.

Google ssh + tunnel.

That can't be done, it'd be for your own personal use.

But, you could get a free for life cloud server at Oracle, and expose whatever ports you'd like to internet, via that host, using a tunnel.

Since the firewall and most processes in OpenWrt run as root, there is no distinction in configuring ports under 1024 versus above 1024.

Yes it's very common for ISPs to block ports 80 and 443. To test this, install tcpdump on the router and run
tcpdump -i wan port 80
Replace wan with the name of the interface holding your public IP (use ip addr show to find this) if it is not wan.
Then use a port scan site to scan your public IP from outside. If you don't see any activity, the ISP has blocked the port before it reaches you. If the ISP does pass a connection but your router firewall blocks it (as is the default behavior) you should see one TCP packet coming in and one going out with the R (Reject) flag set.

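The distinction the original poster saw with nc (refused versus timeout) and the tcpdump reasoning above can be automated. The script below is an added example, not code from this thread or from OpenWrt: it probes a list of ports the way nc -vz does, groups the verdicts, and reports whether they match this thread's symptom (timeouts only below 1024, refusals only at or above it), which points at a filter in front of the router rather than at the router itself. The host, port list and the 1024 boundary are assumptions to adjust.

```python
import socket
from typing import Dict, Iterable, List

PRIVILEGED_BOUNDARY = 1024  # assumed boundary: the range the thread found timing out


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect probe, classified the way nc -vz reports it.

    open     - handshake completed: a forward exists and a service answered
    refused  - RST came back: the packet reached the router, whose firewall rejected it
    filtered - nothing came back in time: dropped upstream (ISP or dorm network)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:  # no route, network unreachable, etc.
        return "error"
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port in turn; the equivalent of nc -vzn -w 3 HOST RANGE."""
    return {port: probe_port(host, port, timeout) for port in ports}


def summarize(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by verdict so the pattern across the 1024 boundary is visible."""
    groups: Dict[str, List[int]] = {"open": [], "refused": [], "filtered": [], "error": []}
    for port in sorted(results):
        groups[results[port]].append(port)
    return groups


def looks_like_upstream_block(results: Dict[int, str], boundary: int = PRIVILEGED_BOUNDARY) -> bool:
    """True when every filtered port is below the boundary and every refused port is at or
    above it. A refusal proves the packet reached the router, so timeouts confined to the
    low range point at a filter in front of it, not at OpenWrt."""
    groups = summarize(results)
    if not groups["filtered"]:
        return False
    return (all(p < boundary for p in groups["filtered"])
            and all(p >= boundary for p in groups["refused"]))


if __name__ == "__main__":
    sample = scan("127.0.0.1", [22, 80, 443, 8080, 8443], timeout=1.0)  # assumed targets
    print(summarize(sample), looks_like_upstream_block(sample))
```

Run it from outside your own network (a VPS, or a phone on mobile data) against your public IP; from inside, the verdicts only describe your LAN.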

Thank you for the instructions! I will try them out on the router on Monday :slight_smile:

The SSH tunnel cannot fully replace port forwarding, as the ssh client must first authenticate to the ssh server and then access other servers on the router or in the lan.


I did try listening on different ports with tcpdump while sending pings with nc (netcat). It turns out, the ports are blocked by the provider.

I used a VPS to redirect traffic on ports 80 and 443 to other ports that are open on my network. The port forwarding of firewalld on the VPS is more than enough. Traefik takes care of the rest. Now everything is fine :slight_smile:

Thanks to all for the help! Great community and great OpenWrt :slight_smile:
