ugoday
November 30, 2013, 2:45pm
1
Hello, all.
I have a MikroTik router and a Linux host behind it. I want to connect by ssh to my Linux station from the internet. But after I add this rule
chain=dstnat action=dst-nat to-addresses=192.168.88.251 to-ports=22 protocol=tcp dst-address=external-ip-of-router dst-port=24
nothing happens.
$ nmap myhost.no-ip.org
Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-30 18:41 MSK
Interesting ports on myhost.2com.net (my-external-ip):
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
2000/tcp open callbook
8291/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
Where is my mistake?
Here are all the firewall rules: http://pastebin.com/1gP0KgDE
ugoday
December 2, 2013, 6:22pm
2
It works when I move the rule
chain=dstnat action=accept
to the bottom, after the rules for port forwarding, i.e.
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
1 chain=srcnat action=masquerade to-addresses=10.0.0.0 out-interface=work
2 chain=dstnat action=dst-nat to-addresses=192.168.88.251 to-ports=22 protocol=tcp dst-address=ip dst-port=24
3 chain=dstnat action=dst-nat to-addresses=192.168.88.251 to-ports=9091 protocol=tcp dst-address=ip dst-port=5060
4 chain=dstnat action=accept
[admin@MikroTik] /ip firewall nat>
Rudios
December 3, 2013, 11:45am
3
That makes sense, since the firewall executes the first rule applicable.
Apart from that, the dst-nat rule is unclear to me.
I don't understand why to-ports=22 and dst-port=24?
Rudios
December 11, 2013, 9:13am
5
To make the system reachable by SSH on a non-default port from outside.
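The two points made in this thread (the NAT chain is first-match, so a bare `action=accept` rule above the dst-nat rules swallows every packet before translation, and the 24-to-22 mapping exposes SSH on a non-default external port) can be checked with a small model. The following is an added example written for this page, not RouterOS code or anything from the pastebin: it models the dstnat chain from post #2 with the accept rule in both positions and reports where an inbound packet to port 24 ends up. The router's external address (203.0.113.10) and the packet contents are constructed placeholders. It also evaluates a packet to a port that no forward covers, which passes through untranslated in both orderings. Note, separately, that the nmap output in post #1 shows the router itself answering on 22, 23 and 8291 from the WAN side; the forward only adds port 24 for the Linux host, it does not close those.

```python
"""First-match evaluation of a MikroTik-style dstnat chain (constructed model).

Added illustration for this thread; not RouterOS code. It reproduces the
rule orderings discussed in posts #2 and #3 and shows why the bare
`action=accept` rule must sit below the dst-nat rules.
"""
from dataclasses import dataclass
from typing import Optional

ROUTER_WAN_IP = "203.0.113.10"   # constructed placeholder for the router's external IP
LAN_HOST = "192.168.88.251"      # the Linux host from the thread


@dataclass(frozen=True)
class Packet:
    dst_address: str
    dst_port: int
    protocol: str = "tcp"


@dataclass
class Rule:
    action: str                       # "accept" or "dst-nat"
    protocol: Optional[str] = None    # None means the matcher is omitted (wildcard)
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    to_address: Optional[str] = None
    to_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # An omitted matcher matches everything, like an omitted RouterOS matcher.
        return ((self.protocol is None or self.protocol == pkt.protocol)
                and (self.dst_address is None or self.dst_address == pkt.dst_address)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def run_dstnat(chain: list, pkt: Packet) -> Packet:
    """Walk the chain top to bottom; the first matching rule decides.

    accept  -> stop, packet leaves the chain untranslated
    dst-nat -> rewrite the destination, then stop (modelled as terminal,
               since a translated packet is not matched against later
               dstnat rules)
    No match -> packet passes through untranslated
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.action == "accept":
            return pkt
        if rule.action == "dst-nat":
            return Packet(rule.to_address or pkt.dst_address,
                          rule.to_port or pkt.dst_port,
                          pkt.protocol)
        raise ValueError(f"unsupported action {rule.action!r}")
    return pkt


# Rule 2 from post #2: external port 24 -> Linux host, port 22.
SSH_FORWARD = Rule("dst-nat", protocol="tcp", dst_address=ROUTER_WAN_IP,
                   dst_port=24, to_address=LAN_HOST, to_port=22)
# The bare accept rule: no matchers, so it matches every packet.
ACCEPT_ALL = Rule("accept")

BROKEN_ORDER = [ACCEPT_ALL, SSH_FORWARD]   # post #1: accept above the forward
FIXED_ORDER = [SSH_FORWARD, ACCEPT_ALL]    # post #2: accept moved to the bottom


def where_does_it_land(chain: list, port: int) -> tuple:
    """Return (address, port) an inbound TCP packet to the WAN IP is delivered to."""
    out = run_dstnat(chain, Packet(ROUTER_WAN_IP, port))
    return (out.dst_address, out.dst_port)


if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(f"{name:6} port 24 -> {where_does_it_land(chain, 24)}")
        print(f"{name:6} port 80 -> {where_does_it_land(chain, 80)}")
```

With the accept rule first, the packet to port 24 is accepted untranslated and reaches the router itself, where nothing listens on 24, which is exactly the "nothing happens" in post #1. With the forward first, it is rewritten to 192.168.88.251:22. Port 80 is untouched in both orderings because no dst-nat rule matches it.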