Hi,
I see 2 basic ways how to go about this.
Firstly,
yes, you can solve this by port-forwarding on the iptables level on the
host machine.
Unfortunately, I don't use firewalld, I use only iptables, so I can't say
if your config is right or not.
But basically if the forwarding firewall rule works, then after you issue:
ssh user@IP-of-host-machine -p portnumber-that-is-forwarded
then you are immediately redirected to the guest machine and you should get
a pw prompt from the guest - if not, something is wrong - probably on the firewall.
Secondly,
you can use an ssh tunnel and tunnel your ssh session through your host to
your guest very quickly
from your laptop (this assumes both sshd daemons on guest and host use
port 22):
ssh -L 22222:IP-of-guest-virt-machine:22 user@IP-of-host-machine
this establishes the ssh tunnel
next goes:
ssh user@localhost -p 22222
you should get the pw prompt from guest machine
Check if your host machine forwards packets in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
cheers,
--
*Karel Lang*
*Unix/Linux Administration*
+420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
On 04/28/2016 09:59 AM, Benjamin Lefoul wrote:
Hi!
I have a KVM guest called "streeling" running on physical host "trantor".
I can easily ssh to "trantor", and from there ssh to "streeling", but I
cannot seem to be able to set the port forward properly to ssh directly
to "streeling" ("Connection refused"). This should be simple enough to
follow through:
seldon@anacreon:~ $ head .ssh/config
Host streeling
Hostname 10.0.75.192
Port 4077
User root
Host trantor
Hostname 10.0.75.192
ForwardX11=yes
User seldon
seldon@anacreon:~ $ ssh streeling
ssh: connect to host 10.0.75.192 port 4077: Connection refused
seldon@anacreon:~ $ ssh trantor
Last login: Thu Apr 28 09:31:52 2016 from 10.0.75.177
seldon@trantor:~ $ sudo virsh list
Id Name State
----------------------------------------------------
2 streeling running
3 mycogen running
4 dahl running
seldon@trantor:~ $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 6c:62:6d:6a:ab:fc brd ff:ff:ff:ff:ff:ff
inet 10.0.75.192/24 brd 10.0.75.255 scope global enp4s1
valid_lft forever preferred_lft forever
inet6 fe80::6e62:6dff:fe6a:abfc/64 scope link
valid_lft forever preferred_lft forever
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
inet 192.168.128.1/24 brd 192.168.128.255 scope global virbr1
valid_lft forever preferred_lft forever
4: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master
virbr1 state DOWN qlen 500
link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master virbr1 state UNKNOWN qlen 500
link/ether fe:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe89:acbc/64 scope link
valid_lft forever preferred_lft forever
seldon@trantor:~ $ getenforce
Enforcing
seldon@trantor:~ $ sudo grep "Port" /etc/ssh/sshd_config
Port 22
Port 4077
seldon@trantor:~ $ sudo semanage port -l | grep ssh
ssh_port_t tcp 4077, 22
seldon@trantor:~ $ cat /proc/sys/net/ipv4/ip_forward
1
seldon@trantor:~ $ head -4 .ssh/config
Host streeling
Hostname 192.168.128.128
User root
seldon@trantor:~ $ sudo firewall-cmd --list-all
public (default, active)
interfaces: enp4s1
sources:
services: ssh
ports: 4077/tcp
masquerade: yes
forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128
icmp-blocks:
rich rules:
seldon@trantor:~ $ ssh streeling
Last login: Thu Apr 28 09:10:57 2016 from 192.168.128.1
root@streeling:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP group default qlen 1000
link/ether 52:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
inet 192.168.128.128/24 brd 192.168.128.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe89:acbc/64 scope link
valid_lft forever preferred_lft forever
What should I do?
Regards,
Benjamin Lefoul
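The three things the reply asks the poster to verify on the host (ip_forward, the firewalld forward-port rule, and which ports the host's own sshd binds) can be checked mechanically. The script below is an added example, not code from either participant; it parses captured command output passed in as text, with the sample data constructed to mirror the thread, and flags the overlap visible in the question where sshd_config's own "Port 4077" coincides with the forwarded port.

```shell
#!/bin/sh
# Added example: consistency checks for host-side SSH port forwarding to a
# KVM guest. Each function takes captured command output as text so it can
# run offline against saved output; all sample values are constructed.

# check_ip_forward "<contents of /proc/sys/net/ipv4/ip_forward>"
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# check_masquerade "<firewall-cmd --list-all output>"
# Forwarding to another address in firewalld relies on masquerade being on.
check_masquerade() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*masquerade:[[:space:]]*yes$'
}

# check_forward_rule "<firewall-cmd --list-all output>" PORT GUEST_IP
# Succeeds when a rule port=PORT:proto=tcp:toport=22:toaddr=GUEST_IP exists.
check_forward_rule() {
    printf '%s\n' "$1" | grep -qE \
        "forward-ports:.*port=$2:proto=tcp:toport=22:toaddr=$3([[:space:]]|$)"
}

# sshd_binds_port "<Port lines from sshd_config>" PORT
# Succeeds when the host's own sshd also listens on PORT, i.e. the same
# port is configured both for local sshd and for the guest forward.
sshd_binds_port() {
    printf '%s\n' "$1" | grep -qE "^[[:space:]]*Port[[:space:]]+$2[[:space:]]*$"
}

# diagnose IPFWD FWOUT SSHDPORTS PORT GUEST_IP
# Returns 0 when forwarding prerequisites hold and no overlap is found.
diagnose() {
    rc=0
    check_ip_forward "$1"             || { echo "FAIL: ip_forward is not 1"; rc=1; }
    check_masquerade "$2"             || { echo "FAIL: masquerade is off"; rc=1; }
    check_forward_rule "$2" "$4" "$5" || { echo "FAIL: no forward rule $4 -> $5:22"; rc=1; }
    sshd_binds_port "$3" "$4" && { echo "WARN: host sshd also listens on $4"; rc=1; }
    return $rc
}

# Constructed sample input modelled on the thread's output.
SAMPLE_IPFWD="1"
SAMPLE_FW='public (default, active)
  interfaces: enp4s1
  masquerade: yes
  forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128'
SAMPLE_SSHD='Port 22
Port 4077'
```

Running `diagnose "$SAMPLE_IPFWD" "$SAMPLE_FW" "$SAMPLE_SSHD" 4077 192.168.128.128` reports the sshd overlap, while the same call with a `Port 22`-only sshd_config passes cleanly.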