Hi,
I see 2 basic ways how to go about this.
Firstly,
yes, you can solve this by port-forwarding on the iptables level on the
host machine.
Unfortunately, I don't use firewalld, I use only iptables, so I can't say
if your config is right or not.
But basically, if the forwarding firewall rule works, then after you issue:
ssh user@IP-of-host-machine -p portnumber-that-is-forwarded
you are immediately redirected to the guest machine and you should get a
password prompt from the guest - if not, something is wrong - probably on the firewall.
Secondly,
you can use an ssh tunnel and tunnel your ssh session through your host to
your guest very quickly
from your laptop (this assumes both sshd daemons on guest and host use
port 22):
ssh -L 22222:IP-of-guest-virt-machine:22 user@IP-of-host-machine
This establishes the ssh tunnel.
Next goes:
ssh user@localhost -p 22222
You should get the password prompt from the guest machine.
Check if your host machine forwards packets, in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
cheers,
--
*Karel Lang*
*Unix/Linux Administration*
+420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
On 04/28/2016 09:59 AM, Benjamin Lefoul wrote:
> Hi!
>
> I have a KVM guest called "streeling" running on physical host "trantor".
> I can easily ssh to "trantor", and from there ssh to "streeling", but I
> cannot seem to be able to set the port forward properly to ssh directly
> to "streeling" ("Connection refused"). This should be simple enough to
> follow through:
>
> seldon@anacreon:~ $ head .ssh/config
> Host streeling
>     Hostname 10.0.75.192
>     Port 4077
>     User root
>
> Host trantor
>     Hostname 10.0.75.192
>     ForwardX11=yes
>     User seldon
> seldon@anacreon:~ $ ssh streeling
> ssh: connect to host 10.0.75.192 port 4077: Connection refused
> seldon@anacreon:~ $ ssh trantor
> Last login: Thu Apr 28 09:31:52 2016 from 10.0.75.177
> seldon@trantor:~ $ sudo virsh list
>  Id    Name                           State
> ----------------------------------------------------
>  2     streeling                      running
>  3     mycogen                        running
>  4     dahl                           running
>
> seldon@trantor:~ $ ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 6c:62:6d:6a:ab:fc brd ff:ff:ff:ff:ff:ff
>     inet 10.0.75.192/24 brd 10.0.75.255 scope global enp4s1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::6e62:6dff:fe6a:abfc/64 scope link
>        valid_lft forever preferred_lft forever
> 3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>     link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.128.1/24 brd 192.168.128.255 scope global virbr1
>        valid_lft forever preferred_lft forever
> 4: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN qlen 500
>     link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
> 5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
>     link/ether fe:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::fc54:ff:fe89:acbc/64 scope link
>        valid_lft forever preferred_lft forever
> seldon@trantor:~ $ getenforce
> Enforcing
> seldon@trantor:~ $ sudo grep "Port" /etc/ssh/sshd_config
> Port 22
> Port 4077
> seldon@trantor:~ $ sudo semanage port -l | grep ssh
> ssh_port_t tcp 4077, 22
> seldon@trantor:~ $ cat /proc/sys/net/ipv4/ip_forward
> 1
> seldon@trantor:~ $ head -4 .ssh/config
> Host streeling
>     Hostname 192.168.128.128
>     User root
>
> seldon@trantor:~ $ sudo firewall-cmd --list-all
> public (default, active)
>   interfaces: enp4s1
>   sources:
>   services: ssh
>   ports: 4077/tcp
>   masquerade: yes
>   forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128
>   icmp-blocks:
>   rich rules:
>
> seldon@trantor:~ $ ssh streeling
> Last login: Thu Apr 28 09:10:57 2016 from 192.168.128.1
> root@streeling:~ # ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 52:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
>     inet 192.168.128.128/24 brd 192.168.128.255 scope global ens3
>        valid_lft forever preferred_lft forever
>     inet6 fe80::5054:ff:fe89:acbc/64 scope link
>        valid_lft forever preferred_lft forever
>
> What should I do?
>
>
> Regards,
>
>
> Benjamin Lefoul
>
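The host-side prerequisites that the reply and the question turn on (a forward-ports DNAT rule for the chosen port, net.ipv4.ip_forward set to 1, and which sshd actually answers on that port) can be checked mechanically. The script below is an added example and is not part of this thread; it parses the text that `firewall-cmd --list-all` prints, the sysctl value, and the Port directives of sshd_config. The embedded samples are constructed to mirror the values shown in the thread (port 4077 forwarded to 192.168.128.128:22, host sshd also listening on 4077); the `--live` mode, the IPv4-only parsing and the `fwdcheck.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the host-side
# forward-port path (firewalld DNAT rule -> ip_forward -> guest sshd).
# The sample inputs below are constructed to mirror the values in the thread.

# Constructed sample: what `firewall-cmd --list-all` printed on the host.
FWD_SAMPLE='public (default, active)
  interfaces: enp4s1
  sources:
  services: ssh
  ports: 4077/tcp
  masquerade: yes
  forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128
  icmp-blocks:
  rich rules:'

# Constructed sample: the Port directives from the host's sshd_config.
SSHD_SAMPLE='Port 22
Port 4077'

# Print "toaddr:toport" for the forward-ports entry matching PORT ($1) and
# PROTO ($2) in LISTING ($3), or nothing if no such rule exists.
# Assumption: IPv4 targets only (an IPv6 toaddr would contain colons).
forward_target() {
  want="port=$1:proto=$2:"
  printf '%s\n' "$3" | awk -v want="$want" '
    { sub(/^[ \t]+/, "") }                          # drop indentation
    /^forward-ports:/ { sub(/^forward-ports:[ \t]*/, ""); inlist = 1 }
    inlist && index($0, want) == 1 {
      n = split($0, kv, ":"); a = ""; p = ""
      for (i = 1; i <= n; i++) {
        if (kv[i] ~ /^toaddr=/) a = substr(kv[i], 8)
        if (kv[i] ~ /^toport=/) p = substr(kv[i], 8)
      }
      print a ":" p; exit
    }
    inlist && /^[a-z][a-z -]*:/ { inlist = 0 }     # next zone section starts
  '
}

# True when the sysctl value says the host routes between its interfaces.
ip_forward_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# Print every Port directive of an sshd_config body, one per line.
sshd_ports() {
  printf '%s\n' "$1" | awk '$1 == "Port" { print $2 }'
}

# True when PORT ($1) is also a listener of the host's own sshd ($2 = config).
local_listener_overlap() {
  sshd_ports "$2" | grep -qx "$1"
}

# Run all checks and print findings. Returns 0 when both hard prerequisites
# (rule present, ip_forward on) hold, 1 otherwise; the overlap is a warning.
diagnose() {
  port=$1 proto=$2 listing=$3 ipfwd=$4 sshdcfg=$5
  ok=0
  target=$(forward_target "$port" "$proto" "$listing")
  if [ -n "$target" ]; then
    echo "ok:   $proto/$port is forwarded to $target"
  else
    echo "FAIL: no forward-ports rule for $proto/$port in the active zone"; ok=1
  fi
  if ip_forward_enabled "$ipfwd"; then
    echo "ok:   net.ipv4.ip_forward=1"
  else
    echo "FAIL: net.ipv4.ip_forward is off; DNATed packets are never routed to the guest"; ok=1
  fi
  if local_listener_overlap "$port" "$sshdcfg"; then
    echo "warn: the host's own sshd also listens on $port; connections arriving on the" \
         "zone interface are DNATed in PREROUTING before local delivery, so that" \
         "listener only sees connections that originate on the host itself"
  fi
  return $ok
}

if [ "${1:-}" = "--live" ]; then
  # Live mode (assumes firewalld, sysctl and a readable sshd_config):
  # $2 is the forwarded port on the host, e.g. `sh fwdcheck.sh --live 4077`.
  diagnose "${2:?port}" tcp "$(firewall-cmd --list-all)" \
    "$(sysctl -n net.ipv4.ip_forward)" "$(cat /etc/ssh/sshd_config)"
else
  diagnose 4077 tcp "$FWD_SAMPLE" 1 "$SSHD_SAMPLE"
fi
```

Run against the constructed sample it reports the rule and ip_forward as ok and warns that 4077 is claimed both by the DNAT rule and by the host's sshd. For the tunnel variant in the reply, note that OpenSSH stores the guest's host key under `[localhost]:22222` in known_hosts; tunnelling a different guest through the same local port later produces a host key mismatch warning, which `-o HostKeyAlias=streeling` avoids by keying the entry on the alias instead.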