Ssh to local network behind a public IP (TCP forwarding)

ip-forwardingport-forwardingssh

I want to connect (using ssh) two remote computers in a local network using a unique public IP X.X.X.X.

               |
HOST_A---------|
  172.1.1.2    |          _____________
               |---------|ROUTER PUBLIC|-----------|INTERNET|-------------|CLIENT
               |         _______________                                      
               |   172.1.1.1       X.X.X.X
HOST_B---------|
     172.1.1.3 |

My public IP has restriction in port 22 so I'm using the port 1234. The router port-forwarding 1234 is enable and directed to HOST_A. Currently, I can access to HOST_B from client executing

$ ssh -p 1234 user@X.X.X.X

Howerver, I can not access to HOST_B and I don't understand how to use -R and -L option of ssh. I read and follow many examples in the web and I can not achieve HOST_B without login in HOST_A previously.

I appreaciate an explanation about TCP-forwarding because I'm not sure about if it is possible to login in HOST_B using the ip X.X.X.X without configuring HOST_A.

An instance of my search:
How to setup ssh tunnel to forward ssh?

Best Answer

I think the better you can do is open 2 ports on router and redirect them; one for host_a like you has done, and other, for example 1235, to host_b. So you can use

ssh -p 1234 user@X.X.X.X for host_a and

ssh -p 1235 user@X.X.X.X for host_b

Related Solutions

Ssh – Remote access to internal machine (ssh port-forwarding)

You need a NAT rule (to direct the traffic) and a regular firewall rule (to permit it).

The former will look something like

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22

The latter will look something like

iptables -A FORWARD -i eth0 -p tcp --dport 4444 -j ACCEPT

It's up to you to make sure those come at the right point in your existing PREROUTING and FORWARD chains, and in addition you may need a second firewall rule to permit the back-half of those connections out, if you don't already have a general ACCEPT for ESTABLISHED packets.

Edit: the order of your rules is extremely important. The right rule in the wrong place will do no good. Could you replace the grep output above with the result of iptables -L -n -v and iptables -t nat -L -n -v? And if you want port 4444 to be forwarded, don't run a local sshd also bound to that port.

Edit 2: and there's your problem. The ACCEPT you've added in the FORWARD chain is line 7, but line 4 has already explicitly denied all not-previously-permitted traffic from everywhere (*) to virbr0. You need to make arrangments for the line you've added to come before line 4, perhaps by adding the rule with

iptables -I FORWARD 4 -i eth0 -p tcp --dport 4444 -j ACCEPT

which will insert it at line 4, displacing the current line 4 to be line 5 (and so on).

Regarding the current sshd, I mean what I said: that you shouldn't have a daemon bound to port 4444 if you're trying to forward that port. I don't care what other ports it's bound to, only that 4444 is a bad idea.

Edit 3: the machine you're testing this from, this is completely outside the serv05 system, yes? And (after a very trying day putting Fedora 16 on several boxes) I fear you may be right, could you put a comparable ACCEPT rule for 4444 in the INPUT chain as well, being careful to get it before any REJECTs?

ssh – How to Set Up Remote Port Forwarding on SSH Server with Putty

You don't want a remote/reverse forwarding, although with the local version (your first example) there would be little difference, except it needs configuration on the server. The option GatewayPorts=yes is for the ssh server, not for the ssh client.

Try on the server S

ssh -g -L 4444:22.22.22.5:5555 user@localhost

Best Answer

Related Solutions

Ssh – Remote access to internal machine (ssh port-forwarding)

ssh – How to Set Up Remote Port Forwarding on SSH Server with Putty

Related Topic