You need a NAT rule (to direct the traffic) and a regular firewall rule (to permit it). The former will look something like

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22

The latter will look something like

iptables -A FORWARD -i eth0 -p tcp --dport 4444 -j ACCEPT

It's up to you to make sure those come at the right point in your existing PREROUTING and FORWARD chains, and in addition you may need a second firewall rule to permit the back-half of those connections out, if you don't already have a general ACCEPT for ESTABLISHED packets.
Edit: the order of your rules is extremely important. The right rule in the wrong place will do no good. Could you replace the grep output above with the result of iptables -L -n -v and iptables -t nat -L -n -v? And if you want port 4444 to be forwarded, don't run a local sshd also bound to that port.
Edit 2: and there's your problem. The ACCEPT you've added in the FORWARD chain is line 7, but line 4 has already explicitly denied all not-previously-permitted traffic from everywhere (*) to virbr0. You need to make arrangements for the line you've added to come before line 4, perhaps by adding the rule with

iptables -I FORWARD 4 -i eth0 -p tcp --dport 4444 -j ACCEPT

which will insert it at line 4, displacing the current line 4 to be line 5 (and so on).
Regarding the current sshd, I mean what I said: that you shouldn't have a daemon bound to port 4444 if you're trying to forward that port. I don't care what other ports it's bound to, only that 4444 is a bad idea.
Edit 3: the machine you're testing this from, this is completely outside the serv05 system, yes? And (after a very trying day putting Fedora 16 on several boxes) I fear you may be right, could you put a comparable ACCEPT rule for 4444 in the INPUT chain as well, being careful to get it before any REJECTs?
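The ordering problem the answer above diagnoses (an appended ACCEPT at line 7 that never fires because a REJECT at line 4 already matches the forwarded packets) is easy to check mechanically from the output of iptables -L FORWARD -n -v --line-numbers. The script below is an added example and is not code from the answerer; it parses a constructed listing modelled on the thread (libvirt-style REJECT rules for virbr0, the user's ACCEPT appended last), reports the first earlier REJECT/DROP broad enough to swallow the port-4444 traffic, and prints the iptables -I position that would put the ACCEPT ahead of it. It assumes the DNAT target sits behind virbr0 (so forwarded packets leave via that interface) and that iptables prints protocol names ("all", "tcp") rather than numbers, as older releases do.

```python
"""Detect an ACCEPT in the FORWARD chain that is shadowed by an earlier REJECT/DROP.

Input is the text of `iptables -L FORWARD -n -v --line-numbers`. The sample
below is constructed for this example to mirror the situation in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample listing (not real output from the poster's machine).
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1234  512K ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
2      987  433K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4       12   720 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4444
"""

TERMINATING = {"REJECT", "DROP"}

# num pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str


def parse_chain(listing: str) -> List[Rule]:
    """Parse the numbered rule lines; the 'Chain' and column-header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, target, prot, in_if, out_if, src, dst, extra = m.groups()
        rules.append(Rule(int(num), target, prot, in_if, out_if, src, dst, extra.strip()))
    return rules


def covers(field: str, wanted: str) -> bool:
    """A protocol/interface field matches the forwarded packet if it is a wildcard or equal."""
    return field in ("*", "all", wanted)


def has_match_extension(extra: str) -> bool:
    # 'reject-with ...' is a target option, not a packet match. Anything else
    # (state, dpt:, ctstate ...) narrows the rule, and we conservatively treat
    # such rules as not shadowing rather than guessing what they match.
    return bool(extra) and not extra.startswith("reject-with")


def find_shadowing_rule(rules: List[Rule], port: int, in_if: str, egress_if: str
                        ) -> Tuple[Optional[Rule], Optional[Rule]]:
    """Return (accept_rule, shadowing_rule).

    shadowing_rule is the first REJECT/DROP ahead of the ACCEPT for `port` that
    would match a TCP packet arriving on `in_if` and leaving via `egress_if`
    (the bridge the DNAT target sits behind, assumed here). None if not shadowed.
    """
    accept = next((r for r in rules if r.target == "ACCEPT" and f"dpt:{port}" in r.extra), None)
    if accept is None:
        return None, None
    for r in rules:
        if r.num >= accept.num:
            break
        any_host = r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0"
        if (r.target in TERMINATING and covers(r.prot, "tcp") and covers(r.in_if, in_if)
                and covers(r.out_if, egress_if) and any_host and not has_match_extension(r.extra)):
            return accept, r
    return accept, None


def suggested_fix(rules: List[Rule], port: int, in_if: str, egress_if: str) -> str:
    """Human-readable verdict, including the -I position that moves the ACCEPT ahead."""
    accept, shadow = find_shadowing_rule(rules, port, in_if, egress_if)
    if accept is None:
        return f"no ACCEPT for dpt:{port} found in FORWARD"
    if shadow is None:
        return f"ACCEPT at line {accept.num} is not shadowed"
    return (f"ACCEPT at line {accept.num} is shadowed by {shadow.target} at line {shadow.num}; "
            f"delete it and re-add with: iptables -I FORWARD {shadow.num} "
            f"-i {in_if} -p tcp --dport {port} -j ACCEPT")


if __name__ == "__main__":
    print(suggested_fix(parse_chain(SAMPLE_FORWARD), 4444, "eth0", "virbr0"))
```

On the constructed listing this reports the ACCEPT at line 7 shadowed by the REJECT at line 4 and suggests iptables -I FORWARD 4, the same position the answer gives. Run it against your own iptables -L FORWARD -n -v --line-numbers output after any rule change; the same idea applies to the INPUT chain mentioned in Edit 3.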
You don't want a remote/reverse forwarding, although with the local version (your first example) there would be little difference, except it needs configuration on the server. The option GatewayPorts=yes is for the ssh server, not for the ssh client.
Try on the server S
ssh -g -L 4444:22.22.22.5:5555 user@localhost
Best Answer
I think the best you can do is open 2 ports on the router and redirect them; one for host_a as you have done, and another, for example 1235, to host_b. So you can use

ssh -p 1234 user@X.X.X.X

for host_a and

ssh -p 1235 user@X.X.X.X

for host_b.