SSH port forwarding not responed - error 10060

mersiuse · April 11, 2018, 12:05pm

Hello, I run server behind mikrotik with static IP 192.168.0.150. I connect to the server by SSH, so I want to forward port no. 22 to the server.
I found out that mikrotik has his SSH opened to WAN by default, so I tried to forward port no. 2022 to server by this command:

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=2022 to-addresses=192.168.0.150 to-ports=22
/ip firewall filter
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.0.150 dst-port=22
When I try to connect to the server, bitvise ssh clien shows “10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.” message. What am I doing wrong?

mkx · April 11, 2018, 12:51pm

Mikrotik by default has ssh enabled for magament of router itself. However, recent ROS versions have TCP port 22 firewalled from WAN. You can dst-nat that port anyway if you don’t need ssh to the router itself from WAN (you probably don’t).

I have things setup like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound SSH from WAN to local host" \
    dst-port=22 in-interface=<wan interface name> protocol=tcp \
    to-addresses=192.168.42.11 to-ports=22
# additionally you can include src-address= or src-address-list= in command above
# to only forward port from some particular WAN hosts
add action=dst-nat chain=dstnat comment=\
    "non-standard port for SSH goes to local host" dst-port=2022 in-interface=\
    <wan interface name> protocol=tcp to-addresses=192.168.42.11 to-ports=22

In addition to that, I have rule which effectively drops SSH connections from WAN to router itself, like this one:

/ip firewall filter
add action=drop chain=input comment="Block WAN ssh access to RB" \
    dst-port=22 protocol=tcp in-interface=<wan interface name>

mersiuse · April 11, 2018, 1:20pm

thanx a lot
but i don’t want to bypass the mikrotik ssh
i just want ssh requests on port 2022 forward to server (192.168.0.150:22)

mkx · April 11, 2018, 3:27pm

My second dst-nat rule shows redirection of custom port to ssh port on LAN host.

On the FW filters: I don’t have any filter dropping traffic in forward chain for IPv4, I count on NAT which doesn’t forward traffic unless there’s dst-nat rule or port is open due to src-nat for a particular WAN host. If you have some firewall drop rule on forward chain, review its effect and perhaps insert another one allowing connections to the custom ssh port.