port forwarding issue or firewall?

[Nathan Owens]

i have this as my iptables rules:

#!/usr/bin/bash
#!/bin/bash

MyIP="$(getent hosts ADDRESS_HERE| awk '{ print $1 }')"

  iptables -F
  iptables -X

  iptables -F INPUT
  iptables -P INPUT ACCEPT
 

  iptables -A INPUT -p tcp -s $MyIP --dport 22 -j ACCEPT
  iptables -A INPUT -p udp -s $MyIP --dport 22 -j ACCEPT
 
  iptables -A INPUT -p udp -s $MyIP --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s $MyIP --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j REJECT
  iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 53 -j REJECT
  iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 53 -j REJECT

If I leave out anything allowing connections from/to local hosts, nmap will say filtered;
If I include anything about allowing connections from my local network it will give port 22 is closed or doesn't even show it in scan

 

[ColinTaylor]

/usr/bin/bash doesn't exist on the router
/bin/bash doesn't exist on the router
getent doesn't exist on the router

Are you sure you're posting in the correct forum?

 

[Nathan Owens]

/usr/bin/bash doesn't exist on the router
/bin/bash doesn't exist on the router
getent doesn't exist on the router

Are you sure you're posting in the correct forum?

That code is on my computer that is running the SSH server

 

[ColinTaylor]

That code is on my computer that is running the SSH server

Sorry, I fail to see what this has to do with Merlin's firmware.

 

[Nathan Owens]

Sorry, I fail to see what this has to do with Merlin's firmware.

True, I forgot to include picture of my port foward to see if I have it set up correctly atleast.

I've ran a port checker on it and it gives closed and I've also disabled iptables and I still get connection refused

 

[ColinTaylor]

Sorry I must be stupid, I still can't follow you.

What rules are present for this situation?

If I leave out anything allowing connections from/to local hosts, nmap will say filtered;

What rules are present for this situation?

If I include anything about allowing connections from my local network it will give port 22 is closed or doesn't even show it in scan

 

[Nathan Owens]

Sorry I must be stupid, I still can't follow you.

What rules are present for this situation?


What rules are present for this situation?

Lets say things like:
iptables -A INPUT -p tcp -s 192.168.50.0/24 as my router uses 192.168.50.1

But to test to see if it was my firewall blocking it or not I reset the rules so my machine is not blocking anything.

Even though I have port 22 in the WAN->port forwarding, it seems that the router may be the one blocking it

 

[ColinTaylor]

I've ran a port checker on it and it gives closed and I've also disabled iptables and I still get connection refused

But to test to see if it was my firewall blocking it or not I reset the rules so my machine is not blocking anything.

The WAN > Port Forwarding entry is correct. I've just tried it on my router and it works as expected.

 

[Nathan Owens]

The WAN > Port Forwarding entry is correct. I've just tried it on my router and it works as expected.

Weird, well I just SSHd into the router and ran iptables -L and it doesn't show anything saying to forward ssh requests to this host

 

[kfp]

Lets say things like:
iptables -A INPUT -p tcp -s 192.168.50.0/24 as my router uses 192.168.50.1

But to test to see if it was my firewall blocking it or not I reset the rules so my machine is not blocking anything.

Even though I have port 22 in the WAN->port forwarding, it seems that the router may be the one blocking it

That iptables command looks wrong as that won’t allow any WAN IP from connecting to your SSH server.

Are you sure you have flushed iptables correctly? Are you sure the SSH server is up? Does your ISP filter ports?

 

[ColinTaylor]

Weird, well I just SSHd into the router and ran iptables -L and it doesn't show anything saying to forward ssh requests to this host

That because it's done in the nat table, not the filter table.

 

[Nathan Owens]

That iptables command looks wrong as that won’t allow any WAN IP from connecting to your SSH server.

Are you sure you have flushed iptables correctly? Are you sure the SSH server is up? Does your ISP filter ports?

I'm sure I did both iptables -F then iptables -X ; sshd is up and before I installed merlin firmware I did have it working, so ISP isn't filtering. I can ssh to the host if i ssh into the router first

Revan# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

[ColinTaylor]

I can ssh to the host if i ssh into the router first

I think @kfp is correct. The source address will be an external IP address so it won't match 192.168.50.0/24.

Are you sure that sshd is configured to allow access from outside the local subnet.

 

[ColinTaylor]

I can ssh to the host if i ssh into the router first

If you have enabled SSH access to the router from the WAN then disable it. You can't have two different SSH server's listening on the same IP address and port.

 

[Nathan Owens]

I think @kfp is correct. The source address will be an external IP address so it won't match 192.168.50.0/24.

Are you sure that sshd is configured to allow access from outside the local subnet.

For some reason I also can't connect from inside my network either unless I go through router.

If you have enabled SSH access to the router from the WAN then disable it. You can't have two different SSH server's listening on the same IP address and port.

Even if I told the ssh server for router to be on a unique port as well?

 

[ColinTaylor]

Even if I told the ssh server for router to be on a unique port as well?

That should be OK then.

For some reason I also can't connect from inside my network either unless I go through router.

This sounds like a misconfiguration on computer. Have you checked the hosts.allow and hosts.deny files? Was your previous router using a different IP address range from 192.168.50.0/24? Are you sure your computer is actually 192.168.50.114?

 

[ColinTaylor]

Can you explain what this command is meant to return? I'm assuming that ADDRESS_HERE is actually your computer's IP address, correct? In which case it seems to do nothing useful.

MyIP="$(getent hosts ADDRESS_HERE| awk '{ print $1 }')"

Lets say things like:
iptables -A INPUT -p tcp -s 192.168.50.0/24 as my router uses 192.168.50.1

The commands in your OP don't show a netmask and $MyIP appears to be a single IP address, so this iptables rule doesn't seem the same as the code in the script.

 

[Nathan Owens]

Actually seems to be working fine now, I just disables iptables. Also thankfully I can only connect to it if I am either on my wifi or using vpn. it was sshd issues