When connecting to home PCs, the state of the port "Filtered". Reasons and solutions.

Ситуация: при подключении к домашней сети извне, невозможно подключиться к хосту (машине), состояние портов "Filtered".

What does the state of the Filtered port mean?

When performing a command with Localhost home, everything works.
When performing the connection from the outside, the ports do not respond (you can not connect to them):
You can display the cause on the screen using the key -reaSon

nmap -Pn 192.168.73.14 -p 5900 --reaSon

Reason No. 1. Incorrect routing

In my case, the connection to the home network occurs through the home VPN, and the connection is successful. For example, a home router is available from work to manage them.

Symptoms.

After connecting to a home VPN, a router is available in the home network at xxx.xxx.xxx.1, but a working personal computer (workstation) with the address xxx.xxx.xxx.2 does not respond to Ping and do not work via SSH, VNC and RDP.

Diagnostics

First connected to the home network, then checking the connection and routing

ping 192.168.1.2 # IP адрес целевого (удалённого) ПК

There must be a response

sudo tracerOute 192.168.1.2 # IP address of the target (remote) PC

The path should be very short, of all three knots, for example:

Sudo tracerOute 192.168.1.4
traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 22.207 ms 23.414 ms 23.587 mS.
2 192.168.1.4 (192.168.1.4) 25.000 ms 24.978 ms 25.004 mS.

Solution
On the PC, from which the connection to the VPN is initiated, you need to connect the route_ through the router in the target local network in the VPN parameters.
НапRimer, if the target network is 192.168.1.0, the router 192.168.1.1, and the target PC has an IP address 192.168.1.2, you need to configure the route from the working PC on the target 192.168.1.2 through the gateway 192.16.1.1. This is done in Netwo settingsrk Manager - Параметры соединений - Параметры IPv4 - Маршруты...


Indicated:

• Address - IP address of the PC in the network to which we connect via VNC / RDP / SSH. For example, 192.168.1.2
• Mask subnet - 255.255.255.0
• The gateway is an IP address of the router in the target network. For example, 192.168.1.1
• Metric 1

Checking the Ping and T commandsracerOute passes, the connection to X11 via VNC and RDP also occur.

Reason No. 2: UWF firewall prohibits the connection to PC

View the list of rules of permits and brandmower prohibitions for incoming connections (Allow in, Deny in):

sudo ufw status numberEd

sudo ufw status numbered > ~/ufw_backUp.txt

You can temporarily turn off the firewall to check the connection without it:

sudo service ufw stop

Turn on if the reason is not in the firewall:

sudo ufw enable

If there is a pity, reinstall the firewall, it can be removed byapt uwf purGE

sudo apt purGE UFW

sudo apt instaLL UFW

Then we manually restore the rules based on a backup copy of the UFW_B Rules ListackUp.txt.
For example, to prohibit the connection to MySQL:

sudo ufw deny 3306/tcp

etc. ..

Reason No. 3: incorrect setup iptables

After removing the UFW firewall, the rules in the IPTables remain, which is surprising.

To view the IPTables rules, you need to enter the command

sudo iptables -L

More detailed information about the rules:

sudo iptables -L -n -v

Where
-L - list (display a list of rules on the screen). You can call -l with the designation of the chain of rules applying to packages. For example:sudo iptables -L INPUT.
-n - numrIC (display the numbers of IP addresses and ports in digital format)
-v - Verbose (detailed information)

Manual adding permits:

sudo iptables -P INPUT ACCEPT
# sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Resetting all IPTables for the Input branch

sudo iptables -F INPUT

Removing all chains of the rules:

sudo iptables -X

Resetting counters

sudo iptables -Z 

Removing from IPTables правил NAT, maNGLE and RAW

sudo iptables -t nat -f
sudo iptables -t nat -x
sudo iptables -t maNGLE -F
sudo iptables -t maNGLE -X
sudo iptables -t raW -f
sudo iptables -t raW -x

Installation of the IPTables, UFW and Gufw Rules:

sudo apt purge iptables -y && sudo apt install iptaBles UFW Gufw
sudo ufw enable

Examination:

sudo iptables -L

The rules are brought into the initial state.

sudo ufw status numberEd

Station: Active

The user's rules are not yet.
(They can be added by UFW commands, based on a reserve copy of the UFW_B rulesackUp.txt, as written above).

Reason # 4: NFTABLES is included

The server can be installed and launched by NFTables:

cat /etc/nftables.conf

sudo service nftables staTus

By default rules 3 pieces (Input, Forward и output), у сервиса nftables должен быть статус inactive (dead).

Reason No. 5: NOT launched XRDP or X11VNC services

On the server I connect, from Localhost you need to check the ports that are listening to the services:

sudo netstat -plnt

Port 22 - SSHD
Port 3389 - RDP
Port 5900 - VNC

Must be in Listen. If not, checking the status of the relevant services

sudo service sshd staTus
sudo service xrdp staTus
sudo service x11vnc staTus

Reason No. 6. Intermediate hosts and traffic filtering

If ports of ports are used on the home router, but on the path of the traffic there is another router with the firewall included, it can filter requests or response packages to certain ports.
Solutions: use non -standard port numbers on a home router or a stronger solution - send traffic "to the pipe".

Reason No. 7. Various routes to different hosts

Inaccessibility may be associated with a misunderstanding of routes.

by default

• All traffic to a public Internet passes through a working router without wrapping in a tunnel. MARSHRUT 1.
• Only traffic to the home network goes into the tunnel. MARSHRUT 2., etc.

• Also, the IP address of the home network can intersect with the gray IP address of another provider client. That is, your host 192.168.73.1 can exist on the Internet of the Internet provider. Checking - tracerOute.

  Roter settings You can ensure the wrapping of the entire traffic in the tunnel after connecting to the home network.

There are Zyxel Keenetik for routers Documentation on the site support for Keenetik routers).

Note. If ICMP answers to home server are prohibited, they need to be allowed:

sudo nano /etc/Sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
sysctl -p

The source of this council is a page andreyex.ru - Как заблокировать или разблокировать запросы ping на Ubuntu Server 20.04 LTS на сайте andreyex.ru.

On a Wi -Fi router there is no need to ban the ICMP answers of the Ping team - by default Allow ICMP From LAN.

/IP FIrewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmP.

& nbsp;

Sources:

• IPT documentationables.
• Documentation Keenetik

& nbsp;

Data of the last change: 04/22/2025