Answer the question
In order to leave comments, you need to log in
C
C
chronius2017-12-05 21:19:46
chronius, 2017-12-05 21:19:46
What cuts tcp traffic on port 22 on Mikrotik?
There is a Mikrotik, from the internal network I try to connect via ssh (22) to a remote server, but the connection is not established. If you change the port from 22 to another on a remote server, then Mikrotik lets through such traffic and everything works. Where to dig and is it in the router?
firewall
ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
1 chain=forward action=drop src-address=192.168.0.0/24 out-interface-list=!WAN log=no log-prefix=""
2 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
3 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
9 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
1 chain=forward action=drop src-address=192.168.0.0/24 out-interface-list=!WAN log=no log-prefix=""
2 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
3 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
9 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
3 answer(s)
@CityCat4
@semenenko88
C
CityCat4, 2017-12-06 @CityCat4
We're in the router. Mikrotik, all the more so, has two unrelated places where exactly 22 and similar ports should be cut off.
- firewall (/ip firewall filter)
- service settings management (/ip services)
A
Alexander Semenenko, 2017-12-05 @semenenko88
Well, the firewall does not rezhit? check the forward chain
Or, in general, show the entire list of firewall rules
Similar questions
E
A
C
M
C
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question