LinuxQuestions.org
Old 10-11-2014, 10:56 AM   #1
etronz
IPTables woes on ReverseSSH NAT traversal link (so close)


I've got an IP camera behind a NAT and a carrier-grade NAT (CGN). Therefore, traditional port forwarding is out of the question. No hope for IPv6 either, so I've nailed up persistent reverse SSH connections from the IP camera's ports (88, 443, 888) (via a Linux box on the same subnet) to a Linux VPS with a globally routable IPv4 address. I can now access the IP camera on the VPS's VNC GNOME session, but now I want to turn those IP camera ports towards the VPS' WAN port and make the IP camera accessible via the internet.

So, this involves dabbling in IPTables. I've been reading about this and attempting various port openings and NAT commands (but I've failed dismally). None have worked correctly (the ports are always closed or silent). I could use some help.

IP camera ports 88, 443, and 888 show up on 127.0.0.1 loopback on the VPS at colocrossings. How can I use IPTables to translate that to the WAN IP port? I want to be able to type in from anywhere on the internet: https://my_vps.colocrossing.com:443 and have native access to the IP camera. Preferably, I'd like a string of iptables commands that I can put in a cronjob at startup.

Alternatively, am I barking up the wrong tree (a totally different NAT traversal solution?). Thank you for your help.

For reference:

Here are the reverse SSH connections that traverse the NAT:
-----------------------------------------------------------
ssh -i /home/user/.ssh/IP_cam_PKI_autologin -N -R 88:192.168.120.2:88 user@my_vps.colocrossing.com &
ssh -i /home/user/.ssh/IP_cam_PKI_autologin -N -R 888:192.168.120.2:888 user@my_vps.colocrossing.com &
ssh -i /home/user/.ssh/IP_cam_PKI_autologin -N -R 443:192.168.120.2:443 user@my_vps.colocrossing.com &

ReverseSSH for remote access to the Linux box:
---------------------------------------
ssh -i /home/user/.ssh/IP_cam_PKI_autologin -N -R 2244:localhost:22 user@my_vps.colocrossing.com -o ExitOnForwardFailure=yes &


IP Camera's internal NAT network:
------------------------
192.168.120.2
255.255.255.0

Viaero Wireless NATed WAN network:
--------------------------------
10.x.x.x
255.255.255.255

Viaero Wireless' CGN globally routable WAN:
---------------------------------
199.47.67.x
(unknown subnet)

VPS at colocrossings:
---------------------
198.23.x.x
255.255.255.255
 
Old 10-14-2014, 04:50 PM   #2
etronz
Original Poster
It turns out I don't have to modify the IP tables after all; the SSHD has a command that automagically makes all reverse SSH sessions show up as wildcards (i.e. the WAN port).

In the /etc/ssh/sshd_config script I entered the command: GatewayPorts yes

Now all reverse SSH sessions are showing up as wildcard in netstat:

user@my_vps.colocrossing.com:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:2244 *:* LISTEN
tcp 0 0 localhost.lo:submission *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:2255 *:* LISTEN
tcp 0 0 *:2256 *:* LISTEN
tcp 0 0 *:2257 *:* LISTEN

tcp 0 0 *:http *:* LISTEN

So technically all the reverse SSH ports are accessible via the open internet. I'm able to use HTTP, but HTTPS isn't liking this link. Still working on that.
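
Because GatewayPorts yes applies to every remote forward on the server, it is worth checking which listeners actually ended up on the wildcard address. The shell sketch below is an added example, not part of the original posts; it parses netstat -l output like that quoted above, and the sample data, function names and allow-list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit which TCP listeners are bound to
# the wildcard address after GatewayPorts has been enabled on the VPS.

# Constructed sample, modelled on the netstat -l output quoted in the post.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:2244 *:* LISTEN
tcp 0 0 localhost.lo:submission *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:2255 *:* LISTEN
tcp 0 0 *:2256 *:* LISTEN
tcp 0 0 *:2257 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
EOF
}

# Read netstat -l (or -ln) output on stdin; print the port or service name of
# every TCP socket listening on *, 0.0.0.0, :: or [::], one per line.
wildcard_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            match($4, /:[^:]*$/)              # last colon splits host and port
            host = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]")
                print port
        }' | LC_ALL=C sort -u
}

# Print wildcard listeners that are not in the allow-list passed as arguments.
# Returns 1 when at least one unexpected listener is found, 0 otherwise.
unexpected_listeners() {
    allowed=" $* "
    rc=0
    for p in $(wildcard_listeners); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on the sample; the allow-list "ssh http" is an assumption for illustration.
# Live use would be: netstat -lt | unexpected_listeners ssh http
sample_netstat | unexpected_listeners ssh http || echo "^ unexpected wildcard listeners"
```

sshd_config also accepts GatewayPorts clientspecified, which leaves the bind address to each ssh -R request instead of putting every forward on the wildcard address.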
 
  

