Port Forwarding to my server

Hey everyone,

I really can't wrap my head around why it is not yet working.

The scenario:
I have set up an Ubuntu server on the static IP 192.168.1.124, and I am trying to forward ports 4571 and 25565: 4571 for SSH and 25565 for Minecraft.
Three problems occur.

  1. I am not able to SSH to my router itself even though I have set up a filter to accept port 22.
  2. Whenever I try to SSH to my server via JuiceSSH for Android I get "connection failed (connection reset by peer)", so this one seems to get past the router but for some reason gets blocked or dropped?
  3. I am not even able to access the Minecraft server from my own computer sitting on IP 192.168.1.123.

My filter looks like this:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 chain=forward action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=22 log=no log-prefix=""

2 chain=forward action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=25565 log=no log-prefix=""

3 ;;; SSH Ubuntu Server
chain=forward action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=4571 log=no log-prefix=""

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

5 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

8 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""

9 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

10 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""

11 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""


And my NAT looks like this:

0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.1.124 to-ports=22 protocol=tcp dst-address=xxx.zzz.yyy.209 dst-port=4571 log=no log-prefix=""

2 ;;; Ubuntu Server Minecraft tcp
chain=dstnat action=dst-nat to-addresses=192.168.1.124 to-ports=25565 protocol=tcp dst-address=xxx.zzz.yyy.209 dst-port=25565 log=no log-prefix=""

3 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix=""


I desperately need help with this.
I have now sat every day after work for the last week trying to figure this out, looking at guides and trying things, but with no luck.
Thank you for at least taking the time to read my post.

An Update
After fiddling around I got SSH to my router to work.
I chose to set it to something different than port 22 just as a security measure.

These are my filter rules:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; Minecraft
chain=forward action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=25565 log=no log-prefix=""

2 ;;; SSH UbuntuServer
chain=forward action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=4571 log=no log-prefix=""

3 ;;; SSH Router
chain=input action=accept protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=8672 log=no log-prefix=""

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

5 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

8 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""

9 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

10 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""

11 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""


And my NAT rules:

0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 ;;; SSH UbuntuServer
chain=dstnat action=dst-nat to-addresses=192.168.1.124 to-ports=22 protocol=tcp dst-address=xxx.zzz.yyy.209 in-interface=ether1 dst-port=4571 log=no log-prefix=""

2 ;;; Ubuntu Server Minecraft tcp
chain=dstnat action=dst-nat to-addresses=192.168.1.124 to-ports=25565 protocol=tcp dst-address=xxx.zzz.yyy.209 dst-port=25565 log=no log-prefix=""

3 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix=""

You don't really need forward rules #1 and #2, because that traffic would be accepted by default anyway. The only blocking rule in your forward chain is #13. It drops anything coming from ether1 which is not a forwarded port, so it does not apply to your forwarded ports. And after that there is nothing, which means default accept.

You already found out the difference between the forward chain (traffic coming through the router) and the input chain (traffic to the router itself), that's good.

Last step, not being able to access the Minecraft server from inside: for that you need another srcnat rule, as described here.
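As an added example of the extra srcnat ("hairpin NAT") rule the reply above refers to, not taken from either poster's configuration: it assumes the LAN is 192.168.1.0/24 on a bridge interface named "bridge" (the poster never names the LAN interface) and keeps the thread's xxx.zzz.yyy.209 placeholder for the public address. The dstnat rule is the poster's Minecraft rule; the srcnat rule is the addition.

```routeros
# Added example, not the poster's or the replier's configuration.
# Assumption: LAN 192.168.1.0/24 sits on an interface called "bridge".

/ip firewall nat
# dstnat without in-interface=ether1, so it also matches LAN clients that
# connect to the public IP. (A rule restricted to in-interface=ether1, like the
# poster's SSH dstnat rule, never sees LAN-originated packets, so hairpin
# access to that port cannot work.)
add chain=dstnat action=dst-nat to-addresses=192.168.1.124 to-ports=25565 \
    protocol=tcp dst-address=xxx.zzz.yyy.209 dst-port=25565 \
    comment="Ubuntu Server Minecraft tcp"

# Hairpin srcnat: srcnat runs after dstnat, so the packet's destination is
# already 192.168.1.124 here. Rewriting the source to the router's LAN address
# makes the server answer via the router; otherwise it would reply directly to
# the LAN client, which expects the reply from the public IP and resets the
# connection.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.124 protocol=tcp dst-port=25565 \
    out-interface=bridge comment="hairpin NAT for Minecraft"
```

Restricting the hairpin rule to the LAN source range, the server address and the one port keeps it from masquerading ordinary LAN-to-LAN traffic, so the server's own logs still show real client addresses for everything except hairpinned connections. To confirm the rule is being hit, connect from a LAN client to the public IP and look for a 192.168.1.0/24 -> 192.168.1.124:25565 entry in `/ip firewall connection print`, or watch the rule's packet counter in `/ip firewall nat print stats`.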

Thank you so much for replying! :smiley:
Not needing filters #1 and #2 actually makes sense; however, even if they are on I am not able to get through to my server and keep the connection.
Port 4571 is open when I check on http://ping.eu/port-chk/
But not port 25565, and I can't really understand why.

About blocking, do rules #11 and #12 not count as blocking? #11 seems to be dropping everything on ether1 regardless of what I forwarded in NAT.

Edit:
So everything in the forward chain is not keeping the connection. Via that site I can check that I am running Linux, but when I try to connect to port 4571, which is NATed to port 22 on my server, I get "connection reset by peer". Just as if it only allows that first packet to enter and the rest gets shut out.

Edit 2:
Just for good measure I tried logging the NAT rule for my server; however, this makes no sense to me.
firewall,info dstnat: in:ether1 out:(none), src-mac 80:71:1f:c1:6c:c0, proto TCP (SYN), xxx.zzz.yyy.210:49304->xxx.zzz.yyy.209:4571, len 52

Edit 3:
And should I not change the order of the 3 drop rules so that #13 is at #11?

Problem Solved!

It seems that the actual thing blocking the signal was the server.
Which for me makes no sense, as it was the router which stopped working and I had to reset it, and up until the router stopped working, the server worked flawlessly.
However, I had to reinstall the server for some reason, but it fixed the issue.

Thank you for your help :slight_smile:

I missed your previous post, sorry. So only a little follow-up:

#11 blocks in the input chain; it does not apply to forwarded packets.
#12 blocks invalid packets; your forwarded ones are not invalid.

It's an attempt to connect to your Ubuntu SSH, what isn't clear about that?

#11 and #13 are in different chains, so switching them is equal to switching #12 and #13, and it won't make any worthwhile difference.
Btw, rules are processed in the given order, but only for one table at a time. So to make it clearer, it's better to have all rules for one table first, followed by all rules for the other table. If you mix input and forward together, it's easier to get lost in it.