LinuxQuestions.org
Old 07-30-2014, 08:04 AM   #1
oliverkinne
Forward port 2201 on VM host to port 22 on VM guest


This is my first post on linuxquestions.org, so please be gentle.

I've been spending hours and hours to try and work this out and am stuck. I must be missing something really obvious - and I must admit, I'm by no means a Linux expert.

So here it is. I've set up a CentOS VM host running Xen and on it a CentOS VM guest. The host VM uses NAT and then DHCP to give the guest VMs a private IP in the range 192.168.1.100-200 -- and my specific CentOS guest VM sets 192.168.1.50 statically as its address.

Now, rather than me using PuTTY or similar to set up an SSH tunnel from my computer, via the host VM to the guest VM, I want to configure the host VM to redirect all incoming connections to port 2201 to the guest VM's port 22.

I am hoping to then be able to SSH onto port 2201 on the host VM, which then redirects me to port 22 on the guest VM - making the remote SSH a lot simpler.

However, I'm stuck. I can SSH to the host VM and then from there SSH to the guest VM. So I know that the guest VM is receiving SSH connections correctly.

My iptables setup is currently as follows - and I think I've covered everything, but obviously not. Any help would be very much appreciated:

Table: filter

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.1.50 tcp dpt:2201
2 ACCEPT all -- 0.0.0.0/0 192.168.1.0/24 state RELATED,ESTABLISHED
3 ACCEPT all -- 192.168.1.0/24 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: mangle

Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 CHECKSUM udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill

Table: nat

Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2201 to:192.168.1.50:22

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE tcp -- 192.168.1.0/24 !192.168.1.0/24 masq ports: 1024-65535
2 MASQUERADE udp -- 192.168.1.0/24 !192.168.1.0/24 masq ports: 1024-65535
3 MASQUERADE all -- 192.168.1.0/24 !192.168.1.0/24
4 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
5 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
 
Old 07-30-2014, 11:50 AM   #2
Spatior
Hi oliverkinne,

I felt obliged to answer as fast as I can to this post, since I have spent many weeks with NAT problems.

First of all, and by no means am I being rude, I advise that you SHOULD take time to read a little about iptables and the way it implements port forwarding (I recommend tldp.org); networking is a very tangled-up process and Linux is no exception.

Now, looking at your iptables rules, I believe you may have to add the actual redirection on your host:

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber

And you will probably want to enable IP forwarding:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that the above parameter may give you some headache, since it only lasts as long as the box is running, so you may want to put it in an init script or something.

I'm aware that there are some config files for this under /etc/sysctl, but I have had experiences where something goes wrong and that config file is not used/respected/something.

HTH
 
Old 07-30-2014, 03:19 PM   #3
oliverkinne
Thank you for your reply.

I completely accept your point about reading up more about iptables. It's a big topic and I guess I'm trying to run before I can walk. I'll make sure I spend more time reading up on the subject.

I did my best to try and solve this issue by Googling first and followed all the advice I could find that way and did as much troubleshooting this way too, but without luck. I even posted on Spiceworks and nobody seemed to be able to help.

I'll check out the redirect you're talking about, but I thought I'd already got that in place as follows:
Quote:
Table: nat

Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2201 to:192.168.1.50:22
Let me check it on the box though and see.

Thank you also for the point about enabling forwarding. Again, I'm pretty certain it's enabled, but I'll double-check it also tomorrow and let you know what I find.

As I say, it's probably something obvious I'm missing.

So thank you again for your reply and I'll post my findings here tomorrow - but if anyone else can spot any issues in the meantime, please let me know of course.
 
Old 07-30-2014, 03:38 PM   #4
Spatior
Hi again,

Sorry, I missed that; yes, it seems that the rule is in place.

Another suggestion that just came to mind.

Add a rule to log exactly the same match, just to see if it is reaching the point it should:

Code:
iptables -t nat -A PREROUTING -p tcp --dport $srcPortNumber -m limit --limit 2/min -j LOG --log-prefix "NAT "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
 
Old 07-31-2014, 03:07 AM   #5
oliverkinne
Good point about the logging. I'll start putting the logging it to see what packets the server actually receives and where they end up. That way I can track them through the system and see where they get dropped - if they ever get to the server of course.
 
Old 07-31-2014, 05:52 AM   #6
oliverkinne
OK, logging seems odd, but I guess it's intentional. If I try and log packets to port 2201, nothing is logged. However, if I log port 2222, suddenly the log does register the connections. If I then change the port forwarding to go from 2222 to 22, the logging no longer registers the packets. So I assume the logging gets in there too late and the packet has already been dealt with.

I'll spend some more time on this trying to work out what's going on, but if anyone has any suggestions in the meantime, please reply to this post.
 
Old 07-31-2014, 02:04 PM   #7
Spatior
Hi Oliverkinne,

As with many other ACLs, iptables behaves sequentially, which means that if you have a set of R rules and the Nth of those matches the packet, the following ones will no longer be processed.

So in your PREROUTING chain you must have the LOG rule first and then the actual redirect.

This behavior suggests to me that the packet has source port = 2222 and it's being caught by the redirect rule.

If you are loading your rules through a script, make sure that the log line is above the redirect, like the example I posted.
 
Old 08-01-2014, 07:07 AM   #8
oliverkinne
Thank you Spatior, I thought that must be by design. I've not done more checking on this yesterday, but I'll have a look again today to see what's going on.
 
Old 08-05-2014, 10:00 AM   #9
oliverkinne
Turns out I didn't allow NEW connections on port 2201 to be forwarded to the guest VM. Doh! I knew it was something obvious. It's working now. I ended up using port 2222 to redirect to 22 though, as follows:

# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*nat
:PREROUTING ACCEPT [2:302]
:INPUT ACCEPT [2:302]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2222 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-dest$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -p tcp -j MASQUERADE --to-ports 1024-65$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -p udp -j MASQUERADE --to-ports 1024-65$
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o em1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*mangle
:PREROUTING ACCEPT [26:2240]
:INPUT ACCEPT [26:2240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2144]
:POSTROUTING ACCEPT [16:2144]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
# Generated by iptables-save v1.4.7 on Tue Aug 5 15:51:22 2014
*filter
:INPUT ACCEPT [26:2240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2144]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -o virbr0 -p tcp -m tcp --dport 2222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i em1 -o virbr0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i virbr0 -o em1 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Aug 5 15:51:22 2014
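To make the two lessons of this thread concrete (post #7: a LOG rule placed after the DNAT never fires because DNAT is terminating; post #9: the FORWARD chain sees the packet after DNAT, so the accept must match the guest's port 22 and allow NEW), here is a small Python model of iptables first-match chain traversal. It is an added example, not code from the thread; the 203.0.113.10 host address and the rule sets named FORWARD_DEAD / FORWARD_OK are constructed, while the ports and guest address are the thread's own.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

@dataclass
class Packet:
    dst: str
    dport: int
    state: str = "NEW"       # conntrack state of the first SYN, as -m state sees it

@dataclass
class Rule:
    target: str                        # DNAT | LOG | ACCEPT | REJECT
    dport: int | None = None           # --dport
    dst: str | None = None             # -d
    state: str | None = None           # --state NEW,RELATED,ESTABLISHED
    to: tuple[str, int] | None = None  # DNAT --to-destination

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.dport is None or rule.dport == pkt.dport)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.state is None or pkt.state in rule.state.split(",")))

def run_chain(rules: list[Rule], pkt: Packet, policy: str = "ACCEPT"):
    # Walk top to bottom; the first terminating match decides, LOG only records.
    logged = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged.append(f"dst={pkt.dst} dport={pkt.dport}")
            continue
        if rule.target == "DNAT":
            pkt = replace(pkt, dst=rule.to[0], dport=rule.to[1])
        return rule.target, pkt, logged
    return policy, pkt, logged

def trace_ssh(prerouting: list[Rule], forward: list[Rule], dport: int):
    # Trace one NEW SYN to the host (constructed public address) through both chains.
    pkt = Packet(dst="203.0.113.10", dport=dport)
    _, pkt, logged = run_chain(prerouting, pkt)      # nat PREROUTING, before routing
    verdict, _, _ = run_chain(forward, pkt)          # filter FORWARD, after DNAT
    return verdict, (pkt.dst, pkt.dport), logged

GUEST = ("192.168.1.50", 22)
DNAT_2201, LOG_2201 = Rule("DNAT", dport=2201, to=GUEST), Rule("LOG", dport=2201)
LOG_AFTER_DNAT = [DNAT_2201, LOG_2201]   # post #6: nothing is ever logged
LOG_BEFORE_DNAT = [LOG_2201, DNAT_2201]  # post #7: LOG first, then the redirect
# FORWARD sees the rewritten packet: an ACCEPT for dport 2201 (like rule 1 in
# post #1) never matches; the ACCEPT must name the guest's port 22 and allow NEW.
FORWARD_DEAD = [Rule("ACCEPT", dport=2201, dst=GUEST[0]), Rule("REJECT")]
FORWARD_OK = [Rule("ACCEPT", dport=22, dst=GUEST[0], state="NEW,RELATED,ESTABLISHED"), Rule("REJECT")]
```

Calling trace_ssh(LOG_AFTER_DNAT, FORWARD_OK, 2201) returns an empty log list, and trace_ssh(LOG_BEFORE_DNAT, FORWARD_DEAD, 2201) ends in REJECT even though the packet was logged and translated.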
 
Old 08-06-2014, 09:07 AM   #10
Spatior
Thanks for posting your answer, good to know it's solved.

cheers
 