LinuxQuestions.org forum: Linux - Networking
#1 | 07-30-2014, 08:04 AM | LQ Newbie, Registered: Jul 2014, Posts: 6
Forward port 2201 on VM host to port 22 on VM guest
This is my first post on linuxquestions.org, so please be gentle.
I've been spending hours and hours to try and work this out and am stuck. I must be missing something really obvious - and I must admit, I'm by no means a Linux expert.
So here it is. I've set up a CentOS VM host running Xen and on it a CentOS VM guest. The host VM uses NAT and then DHCP to give the guest VMs a private IP in the range 192.168.1.100-200 -- and my specific CentOS guest VM sets 192.168.1.50 statically as its address.
Now, rather than me using PuTTY or similar to set up an SSH tunnel from my computer, via the host VM to the guest VM, I want to configure the host VM to redirect all incoming connections to port 2201 to the guest VM's port 22.
I am hoping to then be able to SSH onto port 2201 on the host VM, which then redirects me to port 22 on the guest VM - making the remote SSH a lot simpler.
However, I'm stuck. I can SSH to the host VM and then from there SSH to the guest VM. So I know that the guest VM is receiving SSH connections correctly.
My iptables setup is currently as follows - and I think I've covered everything, but obviously not. Any help would be very much appreciated:
Code:
Table: filter
Chain INPUT (policy ACCEPT)
num  target      prot opt source          destination
1    ACCEPT      udp  --  0.0.0.0/0       0.0.0.0/0       udp dpt:53
2    ACCEPT      tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:53
3    ACCEPT      udp  --  0.0.0.0/0       0.0.0.0/0       udp dpt:67
4    ACCEPT      tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target      prot opt source          destination
1    ACCEPT      tcp  --  0.0.0.0/0       192.168.1.50    tcp dpt:2201
2    ACCEPT      all  --  0.0.0.0/0       192.168.1.0/24  state RELATED,ESTABLISHED
3    ACCEPT      all  --  192.168.1.0/24  0.0.0.0/0
4    ACCEPT      all  --  0.0.0.0/0       0.0.0.0/0
5    REJECT      all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable
6    REJECT      all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source          destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source          destination

Chain INPUT (policy ACCEPT)
num  target      prot opt source          destination

Chain FORWARD (policy ACCEPT)
num  target      prot opt source          destination

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source          destination

Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source          destination
1    CHECKSUM    udp  --  0.0.0.0/0       0.0.0.0/0       udp dpt:68 CHECKSUM fill

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source          destination
1    DNAT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:2201 to:192.168.1.50:22

Chain INPUT (policy ACCEPT)
num  target      prot opt source          destination

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source          destination

Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source          destination
1    MASQUERADE  tcp  --  192.168.1.0/24  !192.168.1.0/24  masq ports: 1024-65535
2    MASQUERADE  udp  --  192.168.1.0/24  !192.168.1.0/24  masq ports: 1024-65535
3    MASQUERADE  all  --  192.168.1.0/24  !192.168.1.0/24
4    MASQUERADE  all  --  0.0.0.0/0       0.0.0.0/0
5    MASQUERADE  all  --  0.0.0.0/0       0.0.0.0/0
#2 | 07-30-2014, 11:50 AM | Member, Registered: Jun 2009, Location: México, Distribution: Suse, Debian based, CentOS, Posts: 48
Hi oliverkinne,
I felt obliged to answer this post as fast as I could, since I have spent many weeks with NAT problems.
First of all, and by no means am I being rude, I advise that you SHOULD take time to read a little about iptables and the way it implements port forwarding (I recommend tldp.org); networking is a very tangled-up process and Linux is no exception.
Now, looking at your iptables rules, I believe you may have to add the actual redirection on your host:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
and you may probably want to enable IP forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that the above parameter may give you some headache, since it only lasts as long as the box is running, so you may want to put it in an init script or something.
I'm aware that there are some config files for this under /etc/sysctl, but I have had experiences where something goes wrong and that config file is not used/respected/something.
HTH
#3 | 07-30-2014, 03:19 PM | LQ Newbie (Original Poster), Registered: Jul 2014, Posts: 6
Thank you for your reply.
I completely accept your point about reading up more about iptables. It's a big topic and I guess I'm trying to run before I can walk. I'll make sure I spend more time reading up on the subject.
I did my best to try and solve this issue by Googling first and followed all the advice I could find that way and did as much troubleshooting this way too, but without luck. I even posted on Spiceworks and nobody seemed to be able to help.
I'll check out the redirect you're talking about, but I thought I'd already got that in place as follows:
Quote:
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source      destination
1    DNAT    tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:2201 to:192.168.1.50:22
Let me check it on the box though and see.
Thank you also for the point about enabling forwarding. Again, I'm pretty certain it's enabled, but I'll double-check it also tomorrow and let you know what I find.
As I say, it's probably something obvious I'm missing.
So thank you again for your reply and I'll post my findings here tomorrow - but if anyone else can spot any issues in the meantime, please let me know of course.
#4 | 07-30-2014, 03:38 PM | Member, Registered: Jun 2009, Location: México, Distribution: Suse, Debian based, CentOS, Posts: 48
Hi again,
Sorry, I missed that; yes, it seems that the rule is in place.
Another suggestion that just came to mind.
Add a rule to log exactly the same match, just to see if it is reaching the point it should:
Code:
iptables -t nat -A PREROUTING -p tcp --dport $srcPortNumber -m limit --limit 2/min -j LOG --log-prefix "NAT\\ "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
#5 | 07-31-2014, 03:07 AM | LQ Newbie (Original Poster), Registered: Jul 2014, Posts: 6
Good point about the logging. I'll start putting the logging in to see what packets the server actually receives and where they end up. That way I can track them through the system and see where they get dropped - if they ever get to the server, of course.
#6 | 07-31-2014, 05:52 AM | LQ Newbie (Original Poster), Registered: Jul 2014, Posts: 6
OK, logging seems odd, but I guess it's intentional. If I try and log packets to port 2201, nothing is logged. However, if I log port 2222, suddenly the log does register the connections. If I then change the port forwarding to go from 2222 to 22, the logging no longer registers the packets. So I assume the logging gets in there too late and the packet has already been dealt with.
I'll spend some more time on this trying to work out what's going on, but if anyone has any suggestions in the meantime, please reply to this post.
#7 | 07-31-2014, 02:04 PM | Member, Registered: Jun 2009, Location: México, Distribution: Suse, Debian based, CentOS, Posts: 48
Hi Oliverkinne,
As with many other ACLs, iptables behaves sequentially, which means that if you have a set of R rules and the Nth of those matches the packet, the following ones will no longer be processed.
So in your PREROUTING chain you must have the log rule first and then the actual redirect.
This behavior suggests to me that the packet has source port = 2222 and it's being caught in the redirect rule.
If you are loading your rules through a script, make sure that the log line is above the redirect, like in the example I posted.
#8 | 08-01-2014, 07:07 AM | LQ Newbie (Original Poster), Registered: Jul 2014, Posts: 6
Thank you Spatior, I thought that must be by design. I didn't do any more checking on this yesterday, but I'll have a look again today to see what's going on.
#9 | 08-05-2014, 10:00 AM | LQ Newbie (Original Poster), Registered: Jul 2014, Posts: 6
Turns out I didn't allow NEW connections on port 2201 to be forwarded to the guest VM. Doh! I knew it was something obvious. It's working now. I ended up using port 2222 to redirect to 22 though, as follows:
# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*nat
:PREROUTING ACCEPT [2:302]
:INPUT ACCEPT [2:302]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2222 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-dest$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -p tcp -j MASQUERADE --to-ports 1024-65$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -p udp -j MASQUERADE --to-ports 1024-65$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*mangle
:PREROUTING ACCEPT [26:2240]
:INPUT ACCEPT [26:2240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2144]
:POSTROUTING ACCEPT [16:2144]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*filter
:INPUT ACCEPT [26:2240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2144]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -o virbr0 -p tcp -m tcp --dport 2222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i em1 -o virbr0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i virbr0 -o em1 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
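As an added example that is not part of this thread (constructed, not the poster's configuration): a script that prints, rather than applies, the rule set posts #7 and #9 converge on, in the order that matters, plus a check run over iptables-save text for the LOG-after-DNAT ordering problem seen in posts #6 and #7. The interface names em1 and virbr0 and the guest address 192.168.1.50 are taken from the thread; the function names and everything else are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the thread. Prints the iptables commands so
# they can be reviewed before being run; nothing here touches the kernel.
# usage: forward_rules <public_port> <guest_ip> <guest_port> <in_if> <out_if>
forward_rules() {
    pub_port=$1 guest_ip=$2 guest_port=$3 in_if=$4 out_if=$5
    # Without forwarding enabled the DNATed packet is dropped before FORWARD.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # LOG goes before the DNAT: the DNAT terminates PREROUTING for the packet,
    # so a LOG rule appended after it never sees dport $pub_port (posts #6/#7).
    echo "iptables -t nat -A PREROUTING -i $in_if -p tcp --dport $pub_port" \
         "-m limit --limit 2/min -j LOG --log-prefix \"NAT $pub_port: \""
    echo "iptables -t nat -A PREROUTING -i $in_if -p tcp --dport $pub_port" \
         "-j DNAT --to-destination $guest_ip:$guest_port"
    # filter/FORWARD sees the packet after DNAT, so match the rewritten
    # destination, not the public port, and admit NEW: RELATED,ESTABLISHED
    # alone never lets the first SYN through (the fix from post #9).
    echo "iptables -A FORWARD -i $in_if -o $out_if -d $guest_ip -p tcp" \
         "--dport $guest_port -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Replies leave the guest still carrying its own address at FORWARD time;
    # the reverse translation happens later, in POSTROUTING.
    echo "iptables -A FORWARD -i $out_if -o $in_if -s $guest_ip -p tcp" \
         "--sport $guest_port -m state --state ESTABLISHED -j ACCEPT"
}

# Reads iptables-save text on stdin; succeeds (exit 0) when a LOG rule for
# port $1 sits after the DNAT for the same port, i.e. it can never fire.
log_after_dnat() {
    awk -v port="$1" '
        /^-A PREROUTING/ && index($0, "--dport " port " ") {
            if ($0 ~ /-j DNAT/) dnat = NR
            if ($0 ~ /-j LOG/ && dnat) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

forward_rules 2222 192.168.1.50 22 em1 virbr0
```

Pipe `iptables-save -t nat` into `log_after_dnat 2222` on a live host to confirm the logging rule is actually reachable.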
#10 | 08-06-2014, 09:07 AM | Member, Registered: Jun 2009, Location: México, Distribution: Suse, Debian based, CentOS, Posts: 48
Thanks for posting your answer, good to know it's solved.
cheers