Suddenly something changed. I am trying to access my internal machine from outside, but I can’t ssh to it anymore. My machine is 10.1.0.203 and the port forwarding is on port 1234. From inside the LAN, web surfing is ok.
This is my filter chain:
0 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
1 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 chain=input action=add-src-to-address-list protocol=tcp address-list=blocked-addr address-list-timeout=1d connection-limit=200,32 log=no log-prefix=""
3 chain=input action=tarpit protocol=tcp src-address-list=blocked-addr connection-limit=3,32 log=no log-prefix=""
4 ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
5 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5 log=no log-prefix=""
6 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
7 chain=forward action=jump jump-target=block-ddos connection-state=new log=no log-prefix=""
8 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
9 chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s log=no log-prefix=""
10 chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
11 chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
12 chain=input action=accept protocol=tcp dst-port=990 log=no log-prefix=""
13 chain=input action=accept protocol=tcp dst-port=989 log=no log-prefix=""
14 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=47 log=no log-prefix=""
15 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=140 log=no log-prefix=""
16 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=1234 log=no log-prefix=""
17 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=1236 log=no log-prefix=""
18 chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=21 log=no log-prefix=""
19 ;;; Make exceptions for DNS
chain=DNS_DDoS action=accept protocol=tcp src-address-list=DNS_Accept port=53 log=no log-prefix=""
20 ;;; Make exceptions for DNS
chain=DNS_DDoS action=accept protocol=udp src-address-list=DNS_Accept port=53 log=no log-prefix=""
21 ;;; Drop DNS_DDoS Offenders
chain=DNS_DDoS action=drop src-address-list=DNS_DDoS log=no log-prefix=""
22 ;;; Return from DNS_DDoS Chain
chain=DNS_DDoS action=return log=no log-prefix=""
23 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
24 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
25 chain=input action=accept protocol=tcp dst-port=20 log=no log-prefix=""
26 ;;; Jump to DNS_DDoS Chain
chain=input action=jump jump-target=DNS_DDoS log=no log-prefix=""
27 X ;;; drop invalid connections
chain=forward action=drop log=no log-prefix=""
And this is the NAT:
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
1 ;;; macchina_giuseppe
chain=dstnat action=dst-nat to-addresses=10.1.0.203 to-ports=22 protocol=tcp in-interface=ether1-gateway dst-port=1234 log=no log-prefix=""
2 ;;; raspberry
chain=dstnat action=dst-nat to-addresses=10.1.0.18 to-ports=22 protocol=tcp in-interface=ether1-gateway dst-port=1236 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.1.0.100 to-ports=17700-17704 protocol=tcp dst-port=17700-17704 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=10.1.0.99 to-ports=4299 protocol=tcp dst-port=4299 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=10.1.0.99 to-ports=47 protocol=tcp in-interface=ether1-gateway dst-port=47 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=10.1.0.99 protocol=tcp dst-address-type=local in-interface=ether1-gateway dst-port=21 log=no log-prefix=""
7 X chain=dstnat action=dst-nat to-addresses=10.1.0.99 to-ports=20 protocol=tcp in-interface=ether1-gateway dst-port=20 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=10.1.0.99 to-ports=1024-65535 protocol=tcp dst-address-type=local dst-port=1024-65535 log=no log-prefix=""
9 X ;;; ex_giuseppe
chain=dstnat action=dst-nat to-addresses=10.1.0.202 protocol=tcp dst-port=1203 log=no log-prefix=""
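The two dumps above are the router's own print output. As an added example that is not part of the original post, the Python below parses a constructed subset of those rule lines and traces one TCP connection through them with first-match semantics and the standard netfilter order (dst-nat is evaluated before the filter; a packet whose translated destination is a LAN host traverses forward, not input). It assumes that an equal-sized to-ports range preserves the destination port and that a translated destination is never a router address.

```python
# Added example, not from the original post. Only the matchers used in the
# constructed rule subset below are modelled; `log=no log-prefix=""` tokens
# are parsed and ignored, as the tracer never looks at them.
import shlex

DSTNAT_RULES = """
chain=dstnat action=dst-nat to-addresses=10.1.0.203 to-ports=22 protocol=tcp in-interface=ether1-gateway dst-port=1234 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=10.1.0.99 to-ports=1024-65535 protocol=tcp dst-address-type=local dst-port=1024-65535
"""
FILTER_RULES = """
chain=input action=accept connection-state=established,related
chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=1234
chain=input action=drop in-interface=ether1-gateway
chain=forward action=drop connection-state=invalid
"""

def parse_rules(text):
    """Each printed rule line becomes a dict of its key=value matchers."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
            for line in text.strip().splitlines()]

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")          # "22" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    checks = {
        "protocol": lambda v: v == pkt["protocol"],
        "in-interface": lambda v: v == pkt["in_interface"],
        "dst-port": lambda v: port_matches(v, pkt["dst_port"]),
        "dst-address-type": lambda v: v == pkt["dst_address_type"],
        "connection-state": lambda v: pkt["connection_state"] in v.split(","),
    }
    return all(check(rule[k]) for k, check in checks.items() if k in rule)

def first_match(rules, chain, pkt):
    """First-match semantics: index of the first rule in `chain` that hits, else None."""
    hits = [i for i, r in enumerate(rules) if r["chain"] == chain and rule_matches(r, pkt)]
    return hits[0] if hits else None

def trace(pkt):
    """Return (dstnat rule index, filter chain traversed, filter rule index)."""
    nat, flt = parse_rules(DSTNAT_RULES), parse_rules(FILTER_RULES)
    n = first_match(nat, "dstnat", pkt)
    if n is not None:
        to_ports = nat[n].get("to-ports", str(pkt["dst_port"]))
        # Assumption of this model: a single to-port rewrites the destination
        # port, an equal-sized range keeps it; the new destination is a LAN host.
        new_port = pkt["dst_port"] if "-" in to_ports else int(to_ports)
        pkt = dict(pkt, dst_port=new_port, dst_address_type="remote")
    chain = "input" if pkt["dst_address_type"] == "local" else "forward"
    return n, chain, first_match(flt, chain, pkt)
```

For a new inbound connection to port 1234 on ether1-gateway the trace returns (0, 'forward', None): the first dstnat rule rewrites it to port 22, the translated packet traverses forward, and the input-chain accept for port 1234 is never consulted.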