Connection refused when forwarding ssh to VM on default port

Message

avitase · Post by **avitase** » Mon Aug 07, 2017 2:27 pm

I want to ssh to my virtualbox via default port 22. In order to do so I already activated port forwarding of the virtualbox:

Host:3022 -> VM:22

such that ssh -p 3022 localhost works fine. Now I want to add another port forwarding using iptables to achieve:

Host:22 -> (forward) Host:3022 -> VM:22

such that

Code: Select all

$ ssh locahost

, as well as from outside

Code: Select all

$ ssh host

will end up in my VM (I changed the ssh port of the host from 22 to 222)

This is my current approach

Code: Select all

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:127.0.0.1:3022

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

and

Code: Select all

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             localhost            tcp dpt:3022 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Anyhow,

Code: Select all

$ ssh -p 3022 localhost

works, whereas

Code: Select all

$ ssh localhost

does not, but throws

Code: Select all

ssh: connect to host localhost port 22: Connection refused

I set

Code: Select all

net.ipv4.ip_forward = 1

in the /etc/sysctl.conf and activated all kernel modules mentioned in https://wiki.gentoo.org/wiki/Iptables (kernel .config: https://pastebin.com/iRrV8tHH).

These are the commands, that I used to install the iptable rules:

Code: Select all

iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 22 -j DNAT --to-destination 127.0.0.1:3022
iptables -A FORWARD -p tcp -d 127.0.0.1 --dport 3022 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

What is it, that I am missing?

EDIT:

Code: Select all

# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:3022            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN     
tcp6       0      0 :::222                  :::*                    LISTEN     
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:7001            0.0.0.0:*                          
udp        0      0 0.0.0.0:68              0.0.0.0:*                          
udp6       0      0 :::5353                 :::*

Post by Hu » Tue Aug 08, 2017 2:50 am

When you use ssh localhost, the interface will be lo. Your rules cover physical interfaces, but not lo.

avitase · Post by **avitase** » Tue Aug 08, 2017 10:20 am

Oh, you are right. So this behavior seems reasonable, but I still can't connect from another server. When trying to ssh into the VM (by using the IP of the host and default port 22), the connection does not establish,

Code: Select all

$ ssh host_of_vm
ssh: connect to host ***.***.***.*** port 22: Connection timed out

whereas everything works fine when using hosts IP and port 3022.

avitase · Post by **avitase** » Tue Aug 08, 2017 7:49 pm

I found the solution. One has to change the dest. 127.0.0.1:3022 to :3022. The reason for that is exactly what you said about the non-physical device lo.