Remote access to internal machine (ssh port-forwarding)

Posted by MacUsers on Server Fault
Published on 2011-11-19T12:36:49Z, indexed on 2011/11/19 17:57 UTC

I have a server (serv05) at work with a public IP, hosting two KVM guests - vtest1 & vtest2 - in two different private networks - 192.168.122.0 & 192.168.100.0 - respectively, this way:

[root@serv05 ~]# ip -o addr show | grep -w inet
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet xxx.xxx.xx.197/24 brd xxx.xxx.xx.255 scope global eth0
4: virbr1    inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
6: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
#
[root@serv05 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr1
xxx.xxx.xx.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         xxx.xxx.xx.62   0.0.0.0         UG    0      0        0 eth0

I've also setup IP FORWARDing and Masquerading this way:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface virbr0 -j ACCEPT

All works up to this point. If I want to remotely access vtest1 (or vtest2), I first ssh to serv05 and then from there ssh to vtest1. Is there a way to set up a port forwarding so that vtest1 can be accessed directly from the outside world? This is what I probably need to set up:

 external_ip (tcp port 4444) -> DNAT -> 192.168.122.50 (tcp port 22)

I know it's easily doable using a SOHO router but can't figure out how I can do that on a Linux box. Any help from you guys?? Cheers!!


Update: 1

Now I've made ssh listen on both ports:

[root@serv05 ssh]# netstat -tulpn | grep ssh
tcp        0      0 xxx.xxx.xx.197:22           0.0.0.0:*         LISTEN     5092/sshd
tcp        0      0 xxx.xxx.xx.197:4444         0.0.0.0:*         LISTEN     5092/sshd

and port 4444 is allowed in the iptables rules:

[root@serv05 sysconfig]# grep 4444 iptables
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT 
-A FORWARD -i eth0 -p tcp -m tcp --dport 4444 -j ACCEPT 

But I'm getting connection refused:

maci:~ santa$ telnet serv05 4444
Trying xxx.xxx.xx.197...
telnet: connect to address xxx.xxx.xx.197: Connection refused
telnet: Unable to connect to remote host

Any idea what I'm still missing? Cheers!!
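Added example (not part of the original post): a small checker that reads iptables-save style lines and verifies that a TCP port-forward's PREROUTING DNAT and FORWARD rules fit together. The point it demonstrates is that DNAT happens in PREROUTING, so by the time a packet reaches the FORWARD chain its destination is already the translated address and port (here 192.168.122.50:22), which is what a FORWARD accept rule has to match. The sample rule set is constructed, modelled on the rules quoted above plus a typical final REJECT rule; `check_port_forward` and `parse_rule` are names chosen for this example.

```python
"""Consistency check for an iptables DNAT port-forward (added example)."""
import shlex

# Constructed sample modelled on the rules quoted in the post, plus a
# typical catch-all REJECT at the end of FORWARD.
SAMPLE_RULES = """
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 4444 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Extract the options we care about from one '-A CHAIN ...' line."""
    toks = shlex.split(line)
    keys = {"-A": "chain", "-i": "in", "-d": "dst", "--dport": "dport",
            "-j": "target", "--to-destination": "to"}
    rule = dict.fromkeys(keys.values())
    for i, tok in enumerate(toks):
        if tok in keys and i + 1 < len(toks):
            value = toks[i + 1]
            if tok == "-d":                 # iptables-save writes -d 1.2.3.4/32
                value = value.split("/")[0]
            rule[keys[tok]] = value
    return rule

def check_port_forward(rules_text, ext_if, ext_port, dst_ip, dst_port):
    """Return a list of findings; an empty list means the forward is consistent."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip().startswith("-A ")]
    want_to = f"{dst_ip}:{dst_port}"
    findings = []
    dnat = [r for r in rules if r["chain"] == "PREROUTING" and r["target"] == "DNAT"
            and r["dport"] == str(ext_port) and r["to"] == want_to]
    if not dnat:
        findings.append(f"no PREROUTING DNAT rule for dport {ext_port} -> {want_to}")
    # FORWARD runs after PREROUTING, so it sees the translated destination.
    fwd_ok = [r for r in rules if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"
              and r["in"] in (None, ext_if)
              and r["dport"] in (None, str(dst_port)) and r["dst"] in (None, dst_ip)]
    if not fwd_ok:
        findings.append(f"no FORWARD ACCEPT rule matching post-DNAT {want_to}")
    stale = [r for r in rules if r["chain"] == "FORWARD" and r["dport"] == str(ext_port)]
    if stale:
        findings.append(f"FORWARD rule matches --dport {ext_port}, "
                        f"but FORWARD sees the translated port {dst_port}")
    return findings

if __name__ == "__main__":
    for f in check_port_forward(SAMPLE_RULES, "eth0", 4444, "192.168.122.50", 22):
        print("finding:", f)
```

Feed it the output of `iptables-save` on the gateway; the same check applies to the guest's own INPUT chain, which must also accept port 22 from the forwarded source.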
