Thank you Gerdriaan, your suggestion has solved the problem... which actually I had tried before with no success; this means that I was wrong about something else. Your help has been decisive!

A minor issue: I've applied a similar rule to port 5900 and obviously I've launched "systemctl -restart ufw", but now when I run "iptables -t nat -L -n -v" I get the following:

......
Chain PREROUTING (policy ACCEPT 6 packets, 362 bytes)
 pkts bytes target  prot opt in    out  source      destination
    6   360 DNAT    tcp  --  eno1  *    0.0.0.0/0   192.168.1.120   tcp dpt:2222 to:192.168.3.100:2222
    0     0 DNAT    tcp  --  eno1  *    0.0.0.0/0   192.168.1.120   tcp dpt:2222 to:192.168.3.100:2222
    0     0 DNAT    tcp  --  eno1  *    0.0.0.0/0   192.168.1.120   tcp dpts:5900:5910 to:192.168.3.100
......

i.e. there are two lines (which are the same) referring to ssh and port 2222.

I've tried with "iptables -F && ufw reload" and "iptables -F ; ufw reload" but I lose control of the Server (I use Xephyr from my PC to drive it), I can no longer ssh into it and the only way is to restart the Server (which, I admit, is not very professional :-D ).

Anyway, it is my Home Server so, if someone has a solution, many thanks for it, otherwise I'll keep on going the unprofessional way! :-D

Thanks to all,

Aldo :-)

On Thu, 8 Feb 2018 07:46:46 +0100, Gerdriaan Mulder <naaird...@gmail.com> wrote:

> Hi Aldo,
>
> Please also reply to the list, so the other members can read along.
> I've redacted your MAC addresses in the quote below, because I think
> they are not needed.
>
> On 7 February 2018 at 23:22, Aldo Maggi <sentini...@virgilio.it>
> wrote:
> > I switched the level of logging of ufw to "full" and in "kern.log" I
> > have found the following:
> > root@Casa-mia-1:~# cat /var/log/kern.log |grep -i DPT=2222
> > Feb 7 23:00:12 Casa-mia-1 kernel: [14311.741791] [UFW AUDIT]
> > IN=eno1 OUT= MAC=<> SRC=192.168.1.1
> > DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27675 DF
> > PROTO=TCP SPT=45892 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
> >
> > Feb 7 23:08:48 Casa-mia-1 kernel: [14827.858458] [UFW AUDIT]
> > IN=eno1 OUT= MAC=<> SRC=192.168.1.1
> > DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45177 DF
> > PROTO=TCP SPT=42165 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
> >
> > Feb 7 23:09:50 Casa-mia-1 kernel: [14890.104629] [UFW AUDIT]
> > IN=eno1 OUT= MAC=<> SRC=192.168.1.1
> > DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53838 DF
> > PROTO=TCP SPT=58074 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
>
> So a connection with destination port 2222 has a destination IP
> address of 192.168.3.1 in these logs. Your PC has 192.168.3.100, so I
> think you need to edit the NAT rule that forwards 2222 to point to
> 192.168.3.100 instead of 192.168.3.1.
>
> ~ Gerdriaan
>
> > These were three attempts to connect to 192.168.1.120 via ssh on port
> > 2222 from my smartphone with IP 192.168.1.4; in fact its MAC
> > (<>) is included inside "MAC="
> >
> > Thanks for your help!
> >
> > Aldo :-)
> >
> >
> >
> > On Wed, 7 Feb 2018 22:27:51 +0100
> > Gerdriaan Mulder <naaird...@gmail.com> wrote:
> >
> >> Can you check whether you can access your home pc from the
> >> 192.168.1.0/24 network? So, connect a device to your router on the
> >> LAN side, acquire an IP lease in the 192.168.1.0/24 network, and
> >> connect to 192.168.1.120 on port 2222.
> >>
> >> If that doesn't work, can you insert extra logging rules in ufw?
> >> Packets that would be dropped then appear in /var/log/kern.log,
> >> which helps debugging your problem.
> >>
> >> ~ Gerdriaan
> >>
>
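
The log check Gerdriaan does by eye in the quoted reply (compare the DST of each logged packet on a forwarded port with the host the DNAT rule is meant to reach), written out as an added example that is not part of the original thread. The function names and the `RULES` table are assumptions, and the sample lines are constructed in the log format quoted above.

```python
import re

# KEY=VALUE tokens of a netfilter log line; VALUE may be empty (e.g. "OUT=").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
UFW_TAG_RE = re.compile(r"\[UFW ([A-Z ]+)\]")

# Assumed forwarding table (port_low, port_high, intended internal host),
# mirroring the two DNAT rules shown in the thread.
RULES = [(2222, 2222, "192.168.3.100"), (5900, 5910, "192.168.3.100")]

def parse_ufw_line(line):
    """Return the fields of one '[UFW ...]' kernel log line, or None."""
    tag = UFW_TAG_RE.search(line)
    if tag is None:
        return None
    fields = dict(FIELD_RE.findall(line[tag.end():]))
    fields["ACTION"] = tag.group(1)
    return fields

def misdirected(lines, rules):
    """List (dpt, logged_dst, intended_dst) for TCP packets on a forwarded
    port whose logged DST is not the intended host. Assumes the lines were
    logged after DNAT was applied, as in the thread's kern.log excerpt."""
    hits = []
    for line in lines:
        f = parse_ufw_line(line)
        if not f or f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        dpt = int(f["DPT"])
        for low, high, target in rules:
            if low <= dpt <= high and f.get("DST") != target:
                hits.append((dpt, f.get("DST"), target))
    return hits

# Constructed sample input (kern.log lines are single lines on disk).
SAMPLE = [
    "Feb 7 23:00:12 host kernel: [1.0] [UFW AUDIT] IN=eno1 OUT= MAC=<> "
    "SRC=192.168.1.1 DST=192.168.3.1 LEN=60 TTL=64 DF PROTO=TCP "
    "SPT=45892 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Feb 7 23:30:02 host kernel: [2.0] [UFW AUDIT] IN=eno1 OUT=eno2 MAC=<> "
    "SRC=192.168.1.1 DST=192.168.3.100 LEN=60 TTL=63 DF PROTO=TCP "
    "SPT=45900 DPT=5901 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Feb 7 23:31:00 host kernel: [3.0] eno1: link up",
]

if __name__ == "__main__":
    for dpt, seen, wanted in misdirected(SAMPLE, RULES):
        print(f"port {dpt}: logged DST {seen}, rule should reach {wanted}")
```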