sistemasAPM
just joined
Topic Author
Posts: 2
Joined: Fri Feb 18, 2022 5:32 pm

Cannot access a telnet server

Fri Feb 18, 2022 5:53 pm

Hello, I am trying to access a telnet server behind a MikroTik RB2011UiAS that has RouterOS v6.49.1 (stable) but without success.
My firewall rules are:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input protocol=gre
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow forwarding" connection-nat-state=dstnat connection-state=established,new in-interface="Internet (port 1)" log-prefix=\
"Firewall forward telnet server"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=telnet_server dst-address=200.10.10.10 dst-port=4370 protocol=tcp to-addresses=192.168.10.99 to-ports=4370

The IP 200.10.10.10 is the public address
The telnet server is on IP 192.168.10.99 with port 4370. I can see the counter of the rule "add action=dst-nat chain=dstnat comment=telnet_server dst-address=200.10.10.10 dst-port=4370 protocol=tcp to-addresses=192.168.10.99 to-ports=4370" is incremented when I try to establish communication, but the communication is not working.

What's wrong with these rules?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cannot access a telnet server

Mon Feb 21, 2022 4:04 am

This one is not needed (it's not breaking anything, it's just useless):
add action=accept chain=forward comment="Allow forwarding" connection-nat-state=dstnat connection-state=established,new in-interface="Internet (port 1)" log-prefix=\
"Firewall forward telnet server"
Firewall's default action (if no rule matches) is accept, so even without this rule, dstnatted connections will be allowed. The last rule won't block them, because they will have connection-nat-state=dstnat and it won't match.

The problem is not here, check the target server. Make sure that the service is running, listening for connections, server's firewall does not block them, server has this router as default gateway, etc.
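To make the point above concrete, here is an added example (not from the thread or from MikroTik) that models first-match evaluation of the post's forward chain with RouterOS's default action of accept, and replays a dst-natted connection, an unsolicited WAN connection and an established flow through it with and without the "Allow forwarding" rule. The fasttrack and ipsec-policy rules are omitted because they do not change the outcome for these cases, and the connection records are constructed.

```python
# Added example: minimal first-match model of a RouterOS filter chain.
# Rule = (action, {field: expected}); a "!" prefix negates the match and a
# list means "any of these" (connection-state sets). Default action: accept.
FORWARD_CHAIN = [
    ("accept", {"connection-state": ["established", "related", "untracked"]}),
    ("accept", {"connection-nat-state": "dstnat",          # "Allow forwarding"
                "connection-state": ["established", "new"],
                "in-interface": "Internet (port 1)"}),
    ("drop", {"connection-state": ["invalid"]}),
    ("drop", {"connection-nat-state": "!dstnat",           # "drop all from WAN not DSTNATed"
              "connection-state": ["new"],
              "in-interface-list": "WAN"}),
]

def field_matches(expected, actual):
    """Match one rule condition against one connection attribute."""
    if isinstance(expected, list):
        return actual in expected
    if expected.startswith("!"):
        return actual != expected[1:]
    return actual == expected

def evaluate(chain, conn):
    """Action of the first matching rule; no match means the chain accepts."""
    for action, conds in chain:
        if all(field_matches(v, conn.get(k)) for k, v in conds.items()):
            return action
    return "accept"

# Constructed connection records (nat-state "" = no NAT applied).
DSTNATTED_NEW = {"connection-state": "new", "connection-nat-state": "dstnat",
                 "in-interface": "Internet (port 1)", "in-interface-list": "WAN"}
UNSOLICITED_NEW = {"connection-state": "new", "connection-nat-state": "",
                   "in-interface": "Internet (port 1)", "in-interface-list": "WAN"}
ESTABLISHED = {"connection-state": "established", "connection-nat-state": "dstnat",
               "in-interface": "Internet (port 1)", "in-interface-list": "WAN"}

# The same chain with the redundant "Allow forwarding" rule removed.
WITHOUT_ALLOW_RULE = [r for r in FORWARD_CHAIN if "in-interface" not in r[1]]

if __name__ == "__main__":
    cases = [("dst-natted new", DSTNATTED_NEW), ("unsolicited new", UNSOLICITED_NEW),
             ("established", ESTABLISHED)]
    for name, conn in cases:
        print(f"{name:16} with rule: {evaluate(FORWARD_CHAIN, conn):7}"
              f" without rule: {evaluate(WITHOUT_ALLOW_RULE, conn)}")
```

The dst-natted connection is accepted either way (the final drop rule requires connection-nat-state=!dstnat, so it never matches), while the unsolicited WAN connection is still dropped, which is why the rule is harmless but unnecessary.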
 
sistemasAPM
just joined
Topic Author
Posts: 2
Joined: Fri Feb 18, 2022 5:32 pm

Re: Cannot access a telnet server

Thu Feb 24, 2022 3:25 pm

Hello Sob, thanks for your answer. I can reach the server if I make the request from the LAN, so the server is listening. Indeed, I tried to connect to a web server and the result is the same.
Sob wrote:
This one is not needed (it's not breaking anything, it's just useless):
add action=accept chain=forward comment="Allow forwarding" connection-nat-state=dstnat connection-state=established,new in-interface="Internet (port 1)" log-prefix=\
"Firewall forward telnet server"
Firewall's default action (if no rule matches) is accept, so even without this rule, dstnatted connections will be allowed. The last rule won't block them, because they will have connection-nat-state=dstnat and it won't match.

The problem is not here, check the target server. Make sure that the service is running, listening for connections, server's firewall does not block them, server has this router as default gateway, etc.
