Forward ssh from external port

I try to forward the external port 2222 to 22 on a local computer.

I do a port forwards rule :

When I try to connect from my external ip to the port 2222, I receive a timeout.

If I connect to the port 22 with the root, I connect the RUTOS, and after a ssh to the port 22 on the 192.168.1.11 is ok.

I try a lot of configuration but it’s always the same problem, and read a lot of topics here.

I don’t see any lines in the journalctl in the 192.168.1.11.

Is there a way to see log of the firewall on the RUTM52?

If I put a rule to lan 192.168.1.1 it’s ok and I arrive on the RUTOS with root user.

The 192.168.1.11 don’t have restriction in his firewall.

Thanks

Marc

What kind of device is 192.168.1.11 ?

Does it have its default gateway set to 192.168.1.1 ?

Hello,

Could you perhaps provide a screenshot demonstration of how you’re attempting to SSH into the computer (192.168.1.11)?

Do you get to the username:password screen when attempting to SSH into the PC? Additionally, is there any particular reason for you to need to set up port forwarding if the setup is local?

Regards,

M.

Hi,

I explain with samples :

1 - What I want from my computer at my office : $ ssh -p 2222 loveforever@

and I have as answer : ssh: connect to host port 2222: Connection refused

After that I want to route http ports, but I test with ssh first

2 - When I do after connection to the RUTM82 :

root@RUTM52:~# ssh loveforever@192.168.1.11
loveforever@192.168.1.11’s password:
Linux domotique 6.1.0-37-amd64
#1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64

…….

loveforever@domotique:~$

the network information :

loveforever@domotique:~$ ip addr show wlp0s20f3
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 98:5f:41:02:f5:6c brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp0s20f3
valid_lft 23839sec preferred_lft 23839sec
inet6 fdbd:f2cc:7285::26d/128 scope global dynamic noprefixroute
valid_lft 27318sec preferred_lft 27318sec
inet6 fdbd:f2cc:7285:0:d87e:d826:d467:5247/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::15a7:22c4:80de:3d9c/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Kind regards

Marc

Connection refused, huh.. Is Remote Access enabled under System → Administration → Access Control on the SSH? Seems like you are able to reach it no problem, but it’s just refusing on the other end, forwarding might not be happening due to the fact that the remote access is enabled, if I understand everything correctly here.

Let me know if the issue still persists once the setting is enabled,

M.

I have put on the remote access, but only for the port 22, I don’t find any way for the port 2222.

I agree with you, but when I look on the debian 192.168.1.11 systemctl, I don’t receive anything on this log.

I do an other test : a port forward for the port 2222 to the 192.168.1.1 port 22 is OK and the port forward from port 22 to the 192.168.1.11 port 22 is down too.

It seems like the external access to the 192.168.1.11 is blocked somewhere.

My iptables is (I think) open to all connections

loveforever@domotique:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.20.0.2 tcp dpt:9001
ACCEPT tcp -- anywhere 172.20.0.2 tcp dpt:1883
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9443
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain DOCKER-BRIDGE (1 references)
target prot opt source destination
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere

Chain DOCKER-CT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target prot opt source destination
DOCKER-CT all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
DOCKER-BRIDGE all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
loveforever@domotique:~$

Hello, Marc,

This could also be related to the OS that you’re using, for example, Windows has this program called OpenSSH that should be pre-installed & the service of it should be running:

More information can be found here - let me know if this helps you out.

Regards,

M.

Hi Matas,

I use Debian and OpenSSH is installed and is ok when I use ssh from the RUTM52 directly.

I test other forward port (http port), and it’s always the same, it’s like the RUTM52 doesn’t forward the port to the debian computer 192.168.1.1.

I think it’s because the RUTM52 use docker to do port forward, and I receive the TCP from 172.20.0.103 and I don’t know why, but my debian computer doesn’t react.

I don’t have any entry in iptables :

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

$ sudo tcpdump -i any port 8080
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:09:24.866100 wlp0s20f3 In IP 172.20.0.103.24275 > domotique.http-alt: Flags [S], seq 440408263, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:24.866100 wlp0s20f3 In IP 172.20.0.103.10111 > domotique.http-alt: Flags [S], seq 2667171591, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:24.881587 wlp0s20f3 In IP 172.20.0.103.19809 > domotique.http-alt: Flags [S], seq 2355633350, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:25.787828 wlp0s20f3 In IP 172.20.0.103.10111 > domotique.http-alt: Flags [S], seq 2667171591, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:25.787829 wlp0s20f3 In IP 172.20.0.103.24275 > domotique.http-alt: Flags [S], seq 440408263, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:25.879816 wlp0s20f3 In IP 172.20.0.103.19809 > domotique.http-alt: Flags [S], seq 2355633350, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:28.040185 wlp0s20f3 In IP 172.20.0.103.10111 > domotique.http-alt: Flags [S], seq 2667171591, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:28.040186 wlp0s20f3 In IP 172.20.0.103.24275 > domotique.http-alt: Flags [S], seq 440408263, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0
13:09:28.040186 wlp0s20f3 In IP 172.20.0.103.19809 > domotique.http-alt: Flags [S], seq 2355633350, win 64240, options [mss 1396,nop,wscale 8,nop,nop,sackOK], length 0

Hello,

I’ve sent you a form to fill out so I can take a deeper look into your device, to avoid accidentally leaking any sensitive information. In the Ticket ID field, simply enter the thread’s number, which is 14936.

Thank you,
M.

It’s done

Thanks

Marc

Hello,

Issue has been resolved by enabling “MASQUERADING” under Network → Firewall → Zones

Regards,

M.

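
Added example, not part of any post in this thread: a small Python check that reads `tcpdump -i any -n` text output and reports inbound SYNs that were retransmitted without ever receiving a SYN-ACK, flagging clients whose source address lies outside the LAN subnet, which is the pattern visible in the capture above before masquerading was enabled. The capture text is constructed in the same format (numeric addresses instead of host names), the LAN is assumed to be 192.168.1.0/24 as in the thread, and the function name `unanswered_syns` is hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the capture in the thread (numeric, as with -n).
CAPTURE = """\
13:09:24.866100 wlp0s20f3 In IP 172.20.0.103.24275 > 192.168.1.11.8080: Flags [S], seq 440408263, win 64240, length 0
13:09:25.787829 wlp0s20f3 In IP 172.20.0.103.24275 > 192.168.1.11.8080: Flags [S], seq 440408263, win 64240, length 0
13:09:28.040186 wlp0s20f3 In IP 172.20.0.103.24275 > 192.168.1.11.8080: Flags [S], seq 440408263, win 64240, length 0
13:09:30.100000 wlp0s20f3 In IP 192.168.1.1.40022 > 192.168.1.11.8080: Flags [S], seq 111, win 64240, length 0
13:09:30.100100 wlp0s20f3 Out IP 192.168.1.11.8080 > 192.168.1.1.40022: Flags [S.], seq 222, ack 112, win 65160, length 0
"""

LINE = re.compile(
    r"^\S+ \S+ +(?P<dir>In|Out) +IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def unanswered_syns(capture, lan="192.168.1.0/24"):
    """Return one finding per client whose inbound SYNs never got a SYN-ACK."""
    lan_net = ip_network(lan)
    syns = defaultdict(int)   # (client ip, client port) -> SYN count incl. retransmits
    answered = set()          # (client ip, client port) that were sent a SYN-ACK
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["dir"] == "In" and m["flags"] == "S":
            syns[(m["src"], m["sport"])] += 1
        elif m["dir"] == "Out" and m["flags"] == "S.":
            answered.add((m["dst"], m["dport"]))
    findings = []
    for (ip, port), count in sorted(syns.items()):
        if (ip, port) in answered:
            continue
        findings.append({
            "client": f"{ip}:{port}",
            "syn_count": count,
            # Source outside the LAN: the router forwarded the packet without
            # rewriting its source, so any reply follows the host's own route
            # to that address instead of returning via the router's LAN address.
            "source_outside_lan": ip_address(ip) not in lan_net,
        })
    return findings

if __name__ == "__main__":
    for finding in unanswered_syns(CAPTURE):
        print(finding)
```

With masquerading enabled on the router zone, forwarded connections arrive with the router's own LAN address as source, like the answered 192.168.1.1 connection in the sample.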