Port forwarding SSH

Kassebasse · Oct 19, 2017, 2:38 PM

Hey. I have tried to portforward my SSH-server, but without luck.
When I scan the port with nmap, it shows that it is open and then when I scan again it is filtered.
Let me know what information that you need. I can also allow you to use Teamviewer to help me out.
I can ping the server no problem.

johnpoz · Oct 19, 2017, 2:49 PM

Those rules make no sense.. What is your opt1 network? Port forwards are normally on your wan.. Is your opt1 another wan interface?

You would not forward to a network.. you have opt1 net as a dest.

This firewall is an alias for ALL IPs on the firewall, etc. Not just the opt1 network… Where is the traffic coming from when your hitting whatever this IP is on opt1.. Is a rfc1918 address?

Please go over troubleshooting port forwarding.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Do you have ssh enabled on pfsense? If so it would listen on 22 by default.. You should prob change either pfsense or your ssh server so you don't use the same port if your trying to listen on and port forward the same port.

Kassebasse · Oct 19, 2017, 2:50 PM

OPT1 is my VPN-interface.

johnpoz · Oct 19, 2017, 2:54 PM

Well how is that going to work.. Does your VPN port forward 22 down your tunnel?

Kassebasse · Oct 19, 2017, 2:55 PM

Yhea, that is what I am thinking. My vpn has a static ip adress and have all ports open by default.

Kassebasse · Oct 19, 2017, 3:13 PM

What I get from Packet Capture

15:08:51.401655 AF IPv4 (2), length 56: (tos 0x20, ttl 118, id 11039, offset 0, flags [DF], proto TCP (6), length 52)
IncomingIP.2589 > OPT1Interface.22: Flags , cksum 0xb613 (correct), seq 631284661, win 17520, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
15:08:51.418530 AF IPv4 (2), length 44: (tos 0x20, ttl 118, id 11040, offset 0, flags [DF], proto TCP (6), length 40)
IncomingIP.2589 > OPT1Interface.22: Flags [.], cksum 0xb731 (correct), seq 631284662, ack 3484332987, win 68, length 0
15:08:51.419039 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11041, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.648740 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11042, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.964852 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11043, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:52.576616 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11044, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:53.773465 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11045, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:56.180614 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11046, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:09:00.996269 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11047, offset 0, flags [DF], proto TCP (6), length 68)
IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28

johnpoz · Oct 19, 2017, 3:43 PM

If they are sending it down the tunnel… Then just correct your forwards..

Your flags are P not SYN... So that would not be allowed in anyway.. I don't see a SYN packet there.. ~~or [SE] or [SEW] depending on what other options might be set like ECN or CWR, etc. Maybe it got scratched out with how you posted it?

It's so much easier if you just downloaded the capture and viewed in wireshark or something.. post up the pcap..

But again your forwards are wrong… Your dest should be your opt1 address.. And what firewall rules do you have on the opt1 interface? Are you blocking rfc1918.. I would assume your tunnel would be rfc1918..

The doc really goes overthing you need to do to troubleshoot... If your seeing the traffic on the interface and your saying icmp is being forwarded through.. Which more likely or not its just the vpn public IP answering vs pushing that down the tunnel.

Then sniff on your interface your sending it to - is pfsense sending it on? Maybe the host is not answering. Firewal - ssh not running on the host.. Wrong IP of the host.. It is all in the troubleshooting doc.~~