| View previous topic :: View next topic |
| Author |
Message |
avitase
n00b
Joined: 26 Apr 2015
Posts: 41
|
 Posted: Mon Aug 07, 2017 2:27 pm Post subject: Connection refused when forwarding ssh to VM on default port |
 |
|
I want to ssh to my virtualbox via default port 22. In order to do so I already activated port forwarding of the virtualbox:
Host:3022 -> VM:22
such that ssh -p 3022 localhost works fine. Now I want to add another port forwarding using iptables to achieve:
Host:22 -> (forward) Host:3022 -> VM:22
such that , as well as from outside will end up in my VM (I changed the ssh port of the host from 22 to 222)
This is my current approach
| Code: | # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:ssh to:127.0.0.1:3022
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination |
and
| Code: | # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere localhost tcp dpt:3022 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination |
Anyhow, | Code: | | $ ssh -p 3022 localhost |
works, whereas does not, but throws | Code: | | ssh: connect to host localhost port 22: Connection refused |
I set | Code: | | net.ipv4.ip_forward = 1 |
in the /etc/sysctl.conf and activated all kernel modules mentioned in https://wiki.gentoo.org/wiki/Iptables (kernel .config: https://pastebin.com/iRrV8tHH).
These are the commands, that I used to install the iptable rules:
| Code: | iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 22 -j DNAT --to-destination 127.0.0.1:3022
iptables -A FORWARD -p tcp -d 127.0.0.1 --dport 3022 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
What is it, that I am missing?
EDIT: | Code: | # netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3022 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN
tcp6 0 0 :::222 :::* LISTEN
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:7001 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 :::5353 :::* |
|
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21601
|
| Posted: Tue Aug 08, 2017 2:50 am Post subject: |
|
|
| When you use ssh localhost, the interface will be lo. Your rules cover physical interfaces, but not lo. |
|
| Back to top |
|
|
avitase
n00b
Joined: 26 Apr 2015
Posts: 41
|
| Posted: Tue Aug 08, 2017 10:20 am Post subject: |
|
|
Oh, you are right. So this behavior seems reasonable, but I still can't connect from another server. When trying to ssh into the VM (by using the IP of the host and default port 22), the connection does not establish,
| Code: | $ ssh host_of_vm
ssh: connect to host ***.***.***.*** port 22: Connection timed out |
whereas everything works fine when using hosts IP and port 3022. |
|
| Back to top |
|
|
avitase
n00b
Joined: 26 Apr 2015
Posts: 41
|
| Posted: Tue Aug 08, 2017 7:49 pm Post subject: |
|
|
| I found the solution. One has to change the dest. 127.0.0.1:3022 to :3022. The reason for that is exactly what you said about the non-physical device lo. |
|
| Back to top |
|
|
|
Networking & Security
