Can't access port forwarded services only from my Raspberry Pi

Required Information

  • DietPi version | G_DIETPI_VERSION_CORE=8 G_DIETPI_VERSION_SUB=23 G_DIETPI_VERSION_RC=3 G_GITBRANCH='master' G_GITOWNER='MichaIng' G_LIVE_PATCH_STATUS[0]='applied' G_LIVE_PATCH_STATUS[1]='not applied'
  • Distro version | bookworm
  • Kernel version | Linux homserv 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
  • Architecture | arm64
  • SBC model | RPi4
  • Power supply used | Phone charger
  • SD card used | Some PNY 32GB Micro SD Card

Steps to reproduce

  1. Set up port forwarding on whatever ports (SSH for example)

Expected behaviour

  • You should be able to SSH into your Pi or whatever you’re using.

Actual behaviour

  • Only ping replies when trying to connect to my router’s IP when on the same network

Extra details

  • Everything except SSH is hosted inside of Docker containers
  • I could port forward just fine from my desktop (KasmVNC Docker container)
  • I’m using TP-Link Archer C6 v.4

What is the output of: ss -tunlp; iptables-save -c ?

I’m not sure where port forwarding is activated or enabled or what exactly is the use case?

Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:PortProcess
udp   UNCONN 0      0            0.0.0.0:21027      0.0.0.0:*    users:(("docker-proxy",pid=1544,fd=4))
udp   UNCONN 0      0            0.0.0.0:59953      0.0.0.0:*    users:(("agent",pid=69006,fd=12))
udp   UNCONN 0      0            0.0.0.0:25565      0.0.0.0:*    users:(("docker-proxy",pid=34032,fd=4))
udp   UNCONN 0      0            0.0.0.0:42225      0.0.0.0:*    users:(("agent",pid=69006,fd=10))
udp   UNCONN 0      0            0.0.0.0:34081      0.0.0.0:*    users:(("syncthing",pid=3340,fd=14))
udp   UNCONN 0      0            0.0.0.0:27960      0.0.0.0:*    users:(("docker-proxy",pid=1180,fd=4))
udp   UNCONN 0      0            0.0.0.0:22000      0.0.0.0:*    users:(("docker-proxy",pid=1520,fd=4))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*    users:(("docker-proxy",pid=1422,fd=4))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*    users:(("dhclient",pid=355,fd=7))
udp   UNCONN 0      0                  *:21027            *:*    users:(("docker-proxy",pid=1550,fd=4))
udp   UNCONN 0      0                  *:55933            *:*    users:(("agent",pid=69006,fd=11))
udp   UNCONN 0      0                  *:25565            *:*    users:(("docker-proxy",pid=34042,fd=4))
udp   UNCONN 0      0                  *:27960            *:*    users:(("docker-proxy",pid=1192,fd=4))
udp   UNCONN 0      0                  *:52610            *:*    users:(("syncthing",pid=3340,fd=15))
udp   UNCONN 0      0                  *:22000            *:*    users:(("docker-proxy",pid=1528,fd=4))
udp   UNCONN 0      0                  *:53               *:*    users:(("docker-proxy",pid=1430,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:22000      0.0.0.0:*    users:(("docker-proxy",pid=1476,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1181       0.0.0.0:*    users:(("docker-proxy",pid=1499,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1189       0.0.0.0:*    users:(("docker-proxy",pid=1220,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1185       0.0.0.0:*    users:(("docker-proxy",pid=1397,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1085       0.0.0.0:*    users:(("docker-proxy",pid=1451,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1083       0.0.0.0:*    users:(("docker-proxy",pid=1565,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1081       0.0.0.0:*    users:(("docker-proxy",pid=1238,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:1088       0.0.0.0:*    users:(("docker-proxy",pid=1260,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:445        0.0.0.0:*    users:(("docker-proxy",pid=1280,fd=4))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=2792,fd=8),("nginx",pid=2791,fd=8),("nginx",pid=2790,fd=8),("nginx",pid=2789,fd=8),("nginx",pid=1645,fd=8))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=452,fd=3))
tcp   LISTEN 0      4096         0.0.0.0:53         0.0.0.0:*    users:(("docker-proxy",pid=1377,fd=4))
tcp   LISTEN 0      511          0.0.0.0:88         0.0.0.0:*    users:(("nginx",pid=2792,fd=7),("nginx",pid=2791,fd=7),("nginx",pid=2790,fd=7),("nginx",pid=2789,fd=7),("nginx",pid=1645,fd=7))
tcp   LISTEN 0      511          0.0.0.0:86         0.0.0.0:*    users:(("nginx",pid=2792,fd=9),("nginx",pid=2791,fd=9),("nginx",pid=2790,fd=9),("nginx",pid=2789,fd=9),("nginx",pid=1645,fd=9))
tcp   LISTEN 0      511          0.0.0.0:85         0.0.0.0:*    users:(("nginx",pid=2792,fd=11),("nginx",pid=2791,fd=11),("nginx",pid=2790,fd=11),("nginx",pid=2789,fd=11),("nginx",pid=1645,fd=11))
tcp   LISTEN 0      511          0.0.0.0:81         0.0.0.0:*    users:(("nginx",pid=2792,fd=10),("nginx",pid=2791,fd=10),("nginx",pid=2790,fd=10),("nginx",pid=2789,fd=10),("nginx",pid=1645,fd=10))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=2792,fd=6),("nginx",pid=2791,fd=6),("nginx",pid=2790,fd=6),("nginx",pid=2789,fd=6),("nginx",pid=1645,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:25565      0.0.0.0:*    users:(("docker-proxy",pid=34010,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:6667       0.0.0.0:*    users:(("docker-proxy",pid=1193,fd=4))
tcp   LISTEN 0      4096            [::]:22000         [::]:*    users:(("docker-proxy",pid=1484,fd=4))
tcp   LISTEN 0      4096               *:1183             *:*    users:(("syncthing",pid=3340,fd=12))
tcp   LISTEN 0      4096            [::]:1181          [::]:*    users:(("docker-proxy",pid=1510,fd=4))
tcp   LISTEN 0      4096            [::]:1189          [::]:*    users:(("docker-proxy",pid=1227,fd=4))
tcp   LISTEN 0      4096            [::]:1185          [::]:*    users:(("docker-proxy",pid=1404,fd=4))
tcp   LISTEN 0      4096            [::]:1085          [::]:*    users:(("docker-proxy",pid=1457,fd=4))
tcp   LISTEN 0      4096            [::]:1083          [::]:*    users:(("docker-proxy",pid=1571,fd=4))
tcp   LISTEN 0      4096            [::]:1081          [::]:*    users:(("docker-proxy",pid=1245,fd=4))
tcp   LISTEN 0      4096            [::]:1088          [::]:*    users:(("docker-proxy",pid=1266,fd=4))
tcp   LISTEN 0      4096            [::]:445           [::]:*    users:(("docker-proxy",pid=1288,fd=4))
tcp   LISTEN 0      4096            [::]:53            [::]:*    users:(("docker-proxy",pid=1384,fd=4))
tcp   LISTEN 0      4096            [::]:25565         [::]:*    users:(("docker-proxy",pid=34017,fd=4))
tcp   LISTEN 0      4096            [::]:6667          [::]:*    users:(("docker-proxy",pid=1205,fd=4))

iptables-save isn’t installed on my system

Are you able to access it with SSH from inside the LAN? The only problem is the connections from the internet?

nft or some other firewall?

I guess we need to know the use case. Who needs to connect to whom and on which service?

Use case? DNS server, Samba share, Navidrome server but also a Minecraft server since yesterday.

This thing might also answer some questions

Once I figure out port forwarding “locally”, I’ll probably forward game servers and maybe something like Wireguard.

I don’t see where DietPi or RPi is involved. Port forwarding is happening on 2 TP-Link routers + DSL modem. The Raspberry Pi is just providing target ports of your individual app. That’s it. There is no port forwarding done on the RPi.

Maybe I’ve just worded that wrong. All I meant was that I can’t access my services from the 192.168.10.1 network when using the router’s IP (192.168.10.109) even though I’m forwarding these ports on it. Also, I recall everything worked for me on RPi OS before I switched to DietPi.

Also that DSL modem is just supposed to represent my Internet connection

Not really from the Internet, just from the outside of the LAN my Pi is on. Also here’s the iptables-save -c output, just forgot that sudo applies only to the first command

# Generated by iptables-save v1.8.9 (nf_tables) on Thu Nov 30 15:29:06 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[6696:8094949] -A FORWARD -j DOCKER-USER
[6696:8094949] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[2:370] -A FORWARD -o br-fc32332fbcb0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-fc32332fbcb0 -j DOCKER
[3:192] -A FORWARD -i br-fc32332fbcb0 ! -o br-fc32332fbcb0 -j ACCEPT
[0:0] -A FORWARD -i br-fc32332fbcb0 -o br-fc32332fbcb0 -j ACCEPT
[0:0] -A FORWARD -o br-faa4a49f13dd -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-faa4a49f13dd -j DOCKER
[0:0] -A FORWARD -i br-faa4a49f13dd ! -o br-faa4a49f13dd -j ACCEPT
[0:0] -A FORWARD -i br-faa4a49f13dd -o br-faa4a49f13dd -j ACCEPT
[20:3840] -A FORWARD -o br-9d6b1dd46f81 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-9d6b1dd46f81 -j DOCKER
[27:1732] -A FORWARD -i br-9d6b1dd46f81 ! -o br-9d6b1dd46f81 -j ACCEPT
[0:0] -A FORWARD -i br-9d6b1dd46f81 -o br-9d6b1dd46f81 -j ACCEPT
[0:0] -A FORWARD -o br-978731da12c2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-978731da12c2 -j DOCKER
[0:0] -A FORWARD -i br-978731da12c2 ! -o br-978731da12c2 -j ACCEPT
[0:0] -A FORWARD -i br-978731da12c2 -o br-978731da12c2 -j ACCEPT
[21:6850] -A FORWARD -o br-1fdc518aa206 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-1fdc518aa206 -j DOCKER
[23:1847] -A FORWARD -i br-1fdc518aa206 ! -o br-1fdc518aa206 -j ACCEPT
[0:0] -A FORWARD -i br-1fdc518aa206 -o br-1fdc518aa206 -j ACCEPT
[3435:7799512] -A FORWARD -o br-19f2c174e97a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[103:6578] -A FORWARD -o br-19f2c174e97a -j DOCKER
[3038:256984] -A FORWARD -i br-19f2c174e97a ! -o br-19f2c174e97a -j ACCEPT
[0:0] -A FORWARD -i br-19f2c174e97a -o br-19f2c174e97a -j ACCEPT
[0:0] -A FORWARD -o br-fb4be02bea41 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-fb4be02bea41 -j DOCKER
[0:0] -A FORWARD -i br-fb4be02bea41 ! -o br-fb4be02bea41 -j ACCEPT
[0:0] -A FORWARD -i br-fb4be02bea41 -o br-fb4be02bea41 -j ACCEPT
[0:0] -A FORWARD -o br-d2c204f1da03 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-d2c204f1da03 -j DOCKER
[0:0] -A FORWARD -i br-d2c204f1da03 ! -o br-d2c204f1da03 -j ACCEPT
[0:0] -A FORWARD -i br-d2c204f1da03 -o br-d2c204f1da03 -j ACCEPT
[0:0] -A FORWARD -o br-a794f7fcec3b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[14:11820] -A FORWARD -o br-a794f7fcec3b -j DOCKER
[10:5224] -A FORWARD -i br-a794f7fcec3b ! -o br-a794f7fcec3b -j ACCEPT
[0:0] -A FORWARD -i br-a794f7fcec3b -o br-a794f7fcec3b -j ACCEPT
[0:0] -A FORWARD -o br-74661a721ab3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-74661a721ab3 -j DOCKER
[0:0] -A FORWARD -i br-74661a721ab3 ! -o br-74661a721ab3 -j ACCEPT
[0:0] -A FORWARD -i br-74661a721ab3 -o br-74661a721ab3 -j ACCEPT
[0:0] -A FORWARD -o br-0df3e9d818d3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-0df3e9d818d3 -j DOCKER
[0:0] -A FORWARD -i br-0df3e9d818d3 ! -o br-0df3e9d818d3 -j ACCEPT
[0:0] -A FORWARD -i br-0df3e9d818d3 -o br-0df3e9d818d3 -j ACCEPT
[0:0] -A DOCKER -d 192.168.48.2/32 ! -i br-fb4be02bea41 -o br-fb4be02bea41 -p tcp -m tcp --dport 8000 -j ACCEPT
[5:300] -A DOCKER -d 192.168.32.2/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p tcp -m tcp --dport 22000 -j ACCEPT
[9:11520] -A DOCKER -d 192.168.32.2/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p udp -m udp --dport 22000 -j ACCEPT
[0:0] -A DOCKER -d 192.168.32.2/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p udp -m udp --dport 21027 -j ACCEPT
[0:0] -A DOCKER -d 192.168.32.2/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p tcp -m tcp --dport 8334 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-fc32332fbcb0 -o br-fc32332fbcb0 -p tcp -m tcp --dport 25565 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-fc32332fbcb0 -o br-fc32332fbcb0 -p udp -m udp --dport 25565 -j ACCEPT
[0:0] -A DOCKER -d 172.27.0.3/32 ! -i br-1fdc518aa206 -o br-1fdc518aa206 -p tcp -m tcp --dport 4533 -j ACCEPT
[0:0] -A DOCKER -d 192.168.112.2/32 ! -i br-19f2c174e97a -o br-19f2c174e97a -p tcp -m tcp --dport 53 -j ACCEPT
[103:6578] -A DOCKER -d 192.168.112.2/32 ! -i br-19f2c174e97a -o br-19f2c174e97a -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A DOCKER -d 172.19.0.2/32 ! -i br-d2c204f1da03 -o br-d2c204f1da03 -p udp -m udp --dport 27960 -j ACCEPT
[0:0] -A DOCKER -d 172.26.0.2/32 ! -i br-9d6b1dd46f81 -o br-9d6b1dd46f81 -p tcp -m tcp --dport 6667 -j ACCEPT
[0:0] -A DOCKER -d 172.26.0.2/32 ! -i br-9d6b1dd46f81 -o br-9d6b1dd46f81 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER -d 172.27.0.4/32 ! -i br-1fdc518aa206 -o br-1fdc518aa206 -p tcp -m tcp --dport 8081 -j ACCEPT
[0:0] -A DOCKER -d 172.28.0.3/32 ! -i br-978731da12c2 -o br-978731da12c2 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A DOCKER -d 192.168.32.3/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p tcp -m tcp --dport 445 -j ACCEPT
[0:0] -A DOCKER -d 172.28.0.4/32 ! -i br-978731da12c2 -o br-978731da12c2 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[3:192] -A DOCKER-ISOLATION-STAGE-1 -i br-fc32332fbcb0 ! -o br-fc32332fbcb0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-faa4a49f13dd ! -o br-faa4a49f13dd -j DOCKER-ISOLATION-STAGE-2
[27:1732] -A DOCKER-ISOLATION-STAGE-1 -i br-9d6b1dd46f81 ! -o br-9d6b1dd46f81 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-978731da12c2 ! -o br-978731da12c2 -j DOCKER-ISOLATION-STAGE-2
[23:1847] -A DOCKER-ISOLATION-STAGE-1 -i br-1fdc518aa206 ! -o br-1fdc518aa206 -j DOCKER-ISOLATION-STAGE-2
[3038:256984] -A DOCKER-ISOLATION-STAGE-1 -i br-19f2c174e97a ! -o br-19f2c174e97a -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-fb4be02bea41 ! -o br-fb4be02bea41 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-d2c204f1da03 ! -o br-d2c204f1da03 -j DOCKER-ISOLATION-STAGE-2
[10:5224] -A DOCKER-ISOLATION-STAGE-1 -i br-a794f7fcec3b ! -o br-a794f7fcec3b -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-74661a721ab3 ! -o br-74661a721ab3 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-0df3e9d818d3 ! -o br-0df3e9d818d3 -j DOCKER-ISOLATION-STAGE-2
[6696:8094949] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-fc32332fbcb0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-faa4a49f13dd -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-9d6b1dd46f81 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-978731da12c2 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-1fdc518aa206 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-19f2c174e97a -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-fb4be02bea41 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-d2c204f1da03 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-a794f7fcec3b -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-74661a721ab3 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-0df3e9d818d3 -j DROP
[3101:265979] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[6696:8094949] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Nov 30 15:29:06 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Thu Nov 30 15:29:06 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[183:13392] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[33:2630] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[2:140] -A POSTROUTING -s 172.20.0.0/16 ! -o br-fc32332fbcb0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.23.0.0/16 ! -o br-faa4a49f13dd -j MASQUERADE
[3:184] -A POSTROUTING -s 172.26.0.0/16 ! -o br-9d6b1dd46f81 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.28.0.0/16 ! -o br-978731da12c2 -j MASQUERADE
[3:208] -A POSTROUTING -s 172.27.0.0/16 ! -o br-1fdc518aa206 -j MASQUERADE
[124:8612] -A POSTROUTING -s 192.168.112.0/20 ! -o br-19f2c174e97a -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.48.0/20 ! -o br-fb4be02bea41 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-d2c204f1da03 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.0/20 ! -o br-a794f7fcec3b -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-74661a721ab3 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-0df3e9d818d3 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.48.2/32 -d 192.168.48.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.2/32 -d 192.168.32.2/32 -p tcp -m tcp --dport 22000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.2/32 -d 192.168.32.2/32 -p udp -m udp --dport 22000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.2/32 -d 192.168.32.2/32 -p udp -m udp --dport 21027 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.2/32 -d 192.168.32.2/32 -p tcp -m tcp --dport 8334 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 25565 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p udp -m udp --dport 25565 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.27.0.3/32 -d 172.27.0.3/32 -p tcp -m tcp --dport 4533 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.112.2/32 -d 192.168.112.2/32 -p tcp -m tcp --dport 53 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.112.2/32 -d 192.168.112.2/32 -p udp -m udp --dport 53 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 27960 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.26.0.2/32 -d 172.26.0.2/32 -p tcp -m tcp --dport 6667 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.26.0.2/32 -d 172.26.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.27.0.4/32 -d 172.27.0.4/32 -p tcp -m tcp --dport 8081 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.28.0.3/32 -d 172.28.0.3/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.32.3/32 -d 192.168.32.3/32 -p tcp -m tcp --dport 445 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.28.0.4/32 -d 172.28.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[1:80] -A DOCKER -i br-fc32332fbcb0 -j RETURN
[0:0] -A DOCKER -i br-faa4a49f13dd -j RETURN
[2:124] -A DOCKER -i br-9d6b1dd46f81 -j RETURN
[0:0] -A DOCKER -i br-978731da12c2 -j RETURN
[2:148] -A DOCKER -i br-1fdc518aa206 -j RETURN
[56:4080] -A DOCKER -i br-19f2c174e97a -j RETURN
[0:0] -A DOCKER -i br-fb4be02bea41 -j RETURN
[0:0] -A DOCKER -i br-d2c204f1da03 -j RETURN
[0:0] -A DOCKER -i br-a794f7fcec3b -j RETURN
[0:0] -A DOCKER -i br-74661a721ab3 -j RETURN
[0:0] -A DOCKER -i br-0df3e9d818d3 -j RETURN
[0:0] -A DOCKER ! -i br-fb4be02bea41 -p tcp -m tcp --dport 1088 -j DNAT --to-destination 192.168.48.2:8000
[2:120] -A DOCKER ! -i br-a794f7fcec3b -p tcp -m tcp --dport 22000 -j DNAT --to-destination 192.168.32.2:22000
[1:1280] -A DOCKER ! -i br-a794f7fcec3b -p udp -m udp --dport 22000 -j DNAT --to-destination 192.168.32.2:22000
[0:0] -A DOCKER ! -i br-a794f7fcec3b -p udp -m udp --dport 21027 -j DNAT --to-destination 192.168.32.2:21027
[0:0] -A DOCKER ! -i br-a794f7fcec3b -p tcp -m tcp --dport 1083 -j DNAT --to-destination 192.168.32.2:8334
[0:0] -A DOCKER ! -i br-fc32332fbcb0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 172.20.0.2:25565
[0:0] -A DOCKER ! -i br-fc32332fbcb0 -p udp -m udp --dport 25565 -j DNAT --to-destination 172.20.0.2:25565
[0:0] -A DOCKER ! -i br-1fdc518aa206 -p tcp -m tcp --dport 1085 -j DNAT --to-destination 172.27.0.3:4533
[0:0] -A DOCKER ! -i br-19f2c174e97a -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.112.2:53
[131:8884] -A DOCKER ! -i br-19f2c174e97a -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.112.2:53
[0:0] -A DOCKER ! -i br-d2c204f1da03 -p udp -m udp --dport 27960 -j DNAT --to-destination 172.19.0.2:27960
[0:0] -A DOCKER ! -i br-9d6b1dd46f81 -p tcp -m tcp --dport 6667 -j DNAT --to-destination 172.26.0.2:6667
[0:0] -A DOCKER ! -i br-9d6b1dd46f81 -p tcp -m tcp --dport 1189 -j DNAT --to-destination 172.26.0.2:80
[0:0] -A DOCKER ! -i br-1fdc518aa206 -p tcp -m tcp --dport 1185 -j DNAT --to-destination 172.27.0.4:8081
[0:0] -A DOCKER ! -i br-978731da12c2 -p tcp -m tcp --dport 1081 -j DNAT --to-destination 172.28.0.3:3000
[0:0] -A DOCKER ! -i br-a794f7fcec3b -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.32.3:445
[0:0] -A DOCKER ! -i br-978731da12c2 -p tcp -m tcp --dport 1181 -j DNAT --to-destination 172.28.0.4:80
COMMIT
# Completed on Thu Nov 30 15:29:06 2023
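
An added example, not part of the thread: a small Python parser for `iptables-save -c` output that pairs each Docker DNAT rule with its filter-table ACCEPT rule and reports their packet counters, showing which published ports have actually received connections. The sample input is an excerpt of the dump posted above; the function names are this example's own.

```python
import re
import shlex

# Excerpt of the `iptables-save -c` dump posted above (DOCKER chains only).
SAMPLE = """\
*filter
[5:300] -A DOCKER -d 192.168.32.2/32 ! -i br-a794f7fcec3b -o br-a794f7fcec3b -p tcp -m tcp --dport 22000 -j ACCEPT
[103:6578] -A DOCKER -d 192.168.112.2/32 ! -i br-19f2c174e97a -o br-19f2c174e97a -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A DOCKER -d 172.26.0.2/32 ! -i br-9d6b1dd46f81 -o br-9d6b1dd46f81 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-fc32332fbcb0 -o br-fc32332fbcb0 -p tcp -m tcp --dport 25565 -j ACCEPT
COMMIT
*nat
[2:120] -A DOCKER ! -i br-a794f7fcec3b -p tcp -m tcp --dport 22000 -j DNAT --to-destination 192.168.32.2:22000
[131:8884] -A DOCKER ! -i br-19f2c174e97a -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.112.2:53
[0:0] -A DOCKER ! -i br-9d6b1dd46f81 -p tcp -m tcp --dport 1189 -j DNAT --to-destination 172.26.0.2:80
[0:0] -A DOCKER ! -i br-fc32332fbcb0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 172.20.0.2:25565
COMMIT
"""

RULE_RE = re.compile(r"\[(\d+):(\d+)\] -A (\S+) (.*)")


def parse_save(text):
    """Return (table, chain, packets, args) for every counted -A rule."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*filter", "*nat": start of a table
            table = line[1:]
            continue
        m = RULE_RE.match(line)           # skips ":CHAIN" policies, comments, COMMIT
        if m:
            rules.append((table, m.group(3), int(m.group(1)), shlex.split(m.group(4))))
    return rules


def opt(args, flag):
    """Value following an option such as --dport, or None if absent."""
    return args[args.index(flag) + 1] if flag in args else None


def published_ports(rules):
    """Pair each Docker DNAT rule with the filter rule that accepts its traffic."""
    accepted = {}
    for table, chain, pkts, args in rules:
        dest = opt(args, "-d")
        if table == "filter" and chain == "DOCKER" and dest and opt(args, "-j") == "ACCEPT":
            accepted[(dest.split("/")[0], opt(args, "-p"), opt(args, "--dport"))] = pkts
    rows = []
    for table, chain, pkts, args in rules:
        if table == "nat" and chain == "DOCKER" and opt(args, "-j") == "DNAT":
            target = opt(args, "--to-destination")
            ip, container_port = target.rsplit(":", 1)
            proto = opt(args, "-p")
            rows.append({
                "proto": proto,
                "host_port": int(opt(args, "--dport")),
                "target": target,
                # nat rules are traversed only by the first packet of a connection,
                # so this is a count of new connections since the rules were loaded.
                "nat_pkts": pkts,
                "fwd_pkts": accepted.get((ip, proto, container_port)),
            })
    return rows


def never_hit(rows):
    """Published ports whose DNAT rule has not matched a single connection."""
    return [(r["proto"], r["host_port"]) for r in rows if r["nat_pkts"] == 0]


if __name__ == "__main__":
    rows = published_ports(parse_save(SAMPLE))
    for r in rows:
        print(f'{r["proto"]:<4}{r["host_port"]:<7}-> {r["target"]:<22}'
              f'nat={r["nat_pkts"]:<5} forward={r["fwd_pkts"]}')
    print("no connections seen:", never_hit(rows))
```

A zero counter on a published port means no new connection has reached that DNAT rule since the rules were loaded, which separates "traffic never arrived at the host" from "traffic arrived and the service behind it misbehaved".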

Usually port forwarding in routers mostly means forwarding from WAN to LAN and not between two LANs. You would need to add the routes between the two subnets into your router config?!

I don’t know man, but I could literally connect to a KasmVNC Docker container running on my desktop from 192.168.10.1 network like that.

What about from the network 192.168.100.x ?
In any case can you verify that packets are coming to the dietpi?

apt update
apt install tcpdump
tcpdump -i eth0 -nv net 192.168.10.0/24 and tcp port 22

Everything works fine from 192.168.100.x but not from 192.168.10.x only when connecting to my Pi. Currently I’m booted into RPi OS from a separate SD card and I can access the default Nginx site from 192.168.10.x so it seems like that’s some DietPi-only issue. As I’m writing this, Docker finished installing on RPi OS, so I’ll move on to testing if the same thing would happen.

DietPi has no firewall or routing that will block access. Maybe something on Docker. Would be good to test a very simple scenario. DietPi and a native web server without any docker software installed.

Update: Turns out my main Nginx was just poorly configured. Things like Nginx installed on host and Minecraft work without any issues. Sorry for wasting your time.

No problem, you came here to find a solution and you found it by yourself 🙂

Haha, maybe someone some day will find a use out of this thread.

Anyways, time for me to figure out why I can’t seem to be able to connect to my Minecraft server from the Internet even though the rule’s there on the other router :3