Forwarding SSH port?

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

mrnaz
Posts: 17
Joined: Wed Mar 24, 2010 8:00 am

Forwarding SSH port?

Post by mrnaz »

I am trying to forward port 22 to an internal SSH server, but the router does not allow forwarding port 22. An nmap instance running on an external machine reports the following:

PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
222/tcp open rsh-spx
443/tcp filtered https
445/tcp filtered microsoft-ds
3128/tcp filtered squid-http
8080/tcp filtered http-proxy

I have forwarded both 22 and 222 externally to the internal SSH server, and 222 seems to be working fine, but 22 is not, as can be seen. Testing 222 from remote seems to allow me SSH access to the internal machine as well.

I presume this is because Gargoyle filters the indicated ports if that particular feature is not enabled. However, I do not need SSH access to my router, and certainly not from externally.

How do I forward port 22 to my internal SSH server?

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: Forwarding SSH port?

Post by DoesItMatter »

https://forum.openwrt.org/viewtopic.php?id=17960

Might be something related to that?

I don't think that's Gargoyle, I think that's an OpenWRT issue?
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Forwarding SSH port?

Post by pbix »

I tried to reproduce this problem this morning. You're using the terms internal, external and remote in your report, which leaves room for interpretation, which is not good.

Here's what I did. First I made sure that SSH access was disabled on the system->router access screen. Then on my firewall->port forwarding screen I added a route for port 22 and mapped it to port 80 of a web server I have on my LAN. Then from a computer on the WAN I opened a browser and targeted port 22 of my router. The expected web page was retrieved, which shows that port 22 was properly forwarded.

I am using Gargoyle v1.3.9. In your next report please try to be very specific about where the computers you are using are located. Also please try my test and see what you observe.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

mrnaz
Posts: 17
Joined: Wed Mar 24, 2010 8:00 am

Re: Forwarding SSH port?

Post by mrnaz »

When I used the word "internal" I was referring to a machine on the local LAN side of the router. When I use the word "external" I'm talking about a machine that is outside the local LAN, physically located in a data center.

I have confirmed that System -> Router Access has SSH access disabled. I have also confirmed that the ports are forwarded properly. As I said, I have managed to allow external facing port 222 to be forwarded to port 22 on my internal (LAN side) server, but external facing port 22 still appears filtered when viewed from the external machine (the one in the data center).

I am also running 1.3.9

Have you tried forwarding port 22 to port 22 on an SSH server inside your LAN?

mrnaz
Posts: 17
Joined: Wed Mar 24, 2010 8:00 am

Re: Forwarding SSH port?

Post by mrnaz »

I have just tried forwarding 22 -> 80 in the same manner as you describe. The port is still filtered. I cannot rule out that the problem is not Gargoyle related, however I cannot see what else it could be. I am not new to advanced use of routers, having used port forwarding on many, many different kinds of routers and firmwares.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Forwarding SSH port?

Post by pbix »

If you will share the specific router you are using then perhaps I could test on that router.

I can say that it is not uncommon for port 22 to be blocked by network administrators since it is considered a security risk. You might put a hub (not a switch) on the WAN side and use a PC and Wireshark to see if the port 22 request is actually arriving at the router WAN connection.

You might also try enabling the remote SSH access on the router and removing your port forward. Then see if you can access the router from WAN side using SSH. This can confirm if port 22 traffic can actually reach the router.

There is no hidden blocking or filtering of ports in Gargoyle.

mrnaz
Posts: 17
Joined: Wed Mar 24, 2010 8:00 am

Re: Forwarding SSH port?

Post by mrnaz »

Thanks.
As I thought it was not Gargoyle related, your post gave me the idea to check with my ISP. Turns out they have a new firewall feature that blocks a bunch of vulnerable ports such as 22, 25, 80, 139 etc.

Sorry for wasting your time. :oops:

Just to answer your question, I am using a Linksys WRT54G-TM

Thanks again :)
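
Added example, not part of any post in this thread: the triage the discussion converges on, written as a small Python script. It parses nmap rows like those in the first post and compares forwards that share one LAN target; the LAN address, function names and verdict labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Subset of the nmap rows posted in the first message of this thread.
NMAP_TABLE = """\
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http
222/tcp open rsh-spx
443/tcp filtered https
"""

# Forwards described in the thread; the LAN address is a constructed placeholder.
FORWARDS = {22: ("192.168.1.10", 22), 222: ("192.168.1.10", 22)}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_ports(table):
    """Return {port: state} from the PORT/STATE/SERVICE rows of nmap output."""
    states = {}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(3)
    return states

def triage(states, forwards):
    """Label each forwarded external port by comparing forwards to one target."""
    by_target = defaultdict(list)
    for ext, target in forwards.items():
        by_target[target].append(ext)
    verdict = {}
    for ext_ports in by_target.values():
        reachable = any(states.get(p) == "open" for p in ext_ports)
        for p in ext_ports:
            state = states.get(p, "unknown")
            if state == "open":
                verdict[p] = "ok"
            elif state == "filtered" and reachable:
                # The same LAN service answers through a sibling forward, so the
                # server and NAT work; this port's probes die before the forward.
                verdict[p] = "dropped-before-forward"
            elif state == "filtered":
                verdict[p] = "inconclusive"  # no sibling forward to compare with
            else:
                verdict[p] = "check-forward-or-service"  # e.g. closed
    return verdict

if __name__ == "__main__":
    print(triage(parse_ports(NMAP_TABLE), FORWARDS))
```

A "dropped-before-forward" verdict does not say whether the drop happens at the router or upstream of it; a packet capture on the WAN side, as suggested earlier in the thread, settles that.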
