I have an embedded computer running OpenWRT. This implementation has a specialized bit of software which allows for the creation of a virtual machine. This virtual machine is always able to be ssh'ed to from the OpenWRT command line.
Now, in an effort to make maintenance of the VM easier without completely destroying the instance, it would be beneficial if we were able to ssh to the embedded computer on a specific port which would port-forward to the VM. The VM has a static IP address of 1.2.3.4. The embedded computer has a hostname, called "tree", which maps to a static IP address in the range of 11.22.0.1 to 11.22.1.255. The embedded computer has an OpenVPN tunnel which guarantees ssh'ing to it from my PC.
Visually, I want to cut down this:
Code:
 ----------                         ------------------------------------------
 |        |                         |                                        |
 |        |    $ ssh root@tree      |   $ ssh root@1.2.3.4        ------     |
 | My PC  |------------------------>| OpenWRT -------------------> | VM |    |
 |        |                         |                              ------    |
 |        |                         |                                        |
 ----------                         ------------------------------------------
to this:
Code:
 ----------                                  ------
 |        |    $ ssh root@tree -p 5678       |    |
 | My PC  |--------------------------------->| VM |
 |        |                                  |    |
 ----------                                  ------
Using iptables to configure rules seems to be the best option to accomplish this. Here are the commands I have used in the OpenWRT command line (note: iface0 is the VPN tunnel):
Code:
# DNAT: TCP 5678 arriving on the VPN tunnel is rewritten to the VM's sshd
iptables -A PREROUTING -t nat -i iface0 -p tcp -m tcp --dport 5678 -j DNAT --to-destination 1.2.3.4:22
# allow the forwarded flow in both directions between the VPN side and the VM
iptables -A FORWARD -i iface0 -s 11.22.0.0/24 -d 1.2.3.4 -j ACCEPT
iptables -A FORWARD -o iface0 -s 1.2.3.4 -d 11.22.0.0/24 -j ACCEPT
However, when performing
Code:
$ ssh root@tree -p 5678
the connection times out. It's not flat-out rejected as other ports are (such as 5679), so something seems to be happening, but I'm not sure why this isn't getting through.
Any help would be very much appreciated!
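As an added example (not part of the original post), the same port-forward expressed in OpenWRT's own firewall configuration rather than hand-run iptables commands: OpenWRT's firewall service (fw3, or fw4 on nftables-based releases) rebuilds the nat and FORWARD chains from /etc/config/firewall, and a `redirect` section carries its own forward-accept for just that flow, so no blanket vpn-to-lan forwarding has to be opened. The zone names 'vpn' (covering iface0) and 'lan' (covering the VM's network) and the interface name 'vpn' are assumptions, as is the usual requirement that the VM's default route points back through the OpenWRT box so replies take the reverse path.

```uci
# Added example, not from the original post. Assumed names: zone/interface 'vpn' = iface0, zone 'lan' = VM side.

# Zone for the VPN tunnel, only needed if iface0 is not already in a zone.
# forward 'REJECT' keeps the tunnel from reaching anything the redirect below does not name.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DNAT TCP 5678 from the VPN zone to the VM's sshd at 1.2.3.4:22.
# The firewall service also emits the matching FORWARD accept for this one destination/port.
config redirect
	option name 'ssh-to-vm'
	option src 'vpn'
	option src_dport '5678'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '1.2.3.4'
	option dest_port '22'
	option target 'DNAT'
	option family 'ipv4'
```

After `/etc/init.d/firewall restart`, `iptables -t nat -L PREROUTING -n -v` (or `nft list ruleset` on fw4) should show the 5678 rule with a non-zero packet counter when a connection attempt is made; a hit counter that grows while the session still times out points at the return path from the VM rather than at the DNAT itself.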