SCIENTIFIC-LINUX-USERS Archives

April 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Karel Lang AFD <[log in to unmask]>
Reply To: Karel Lang AFD <[log in to unmask]>
Date: Thu, 28 Apr 2016 13:30:09 +0200
Hi,

I see 2 basic ways how to go about this.

firstly,
yes, you can solve this by port-forwarding on the iptables level on the host machine.
Unfortunately, I don't use firewalld, I use only iptables, so I can't say if your config is right or not.

But basically if the forwarding firewall rule works, then after you issue:

ssh user@IP-of-host-machine -p portnumber-that-is-forwarded

then you are immediately redirected to the guest machine and you should get the pw prompt from the guest - if not, something is wrong - probably on the firewall.



secondly,
you can use an ssh tunnel and tunnel your ssh session through your host to your guest very quickly.

from your laptop (this assumes both sshd daemons on guest and host use port 22):

ssh -L 22222:IP-of-guest-virt-machine:22  user@IP-of-host-machine

This establishes the ssh tunnel.

next goes:
ssh user@localhost -p 22222

you should get the pw prompt from the guest machine.

Also check if your host machine forwards packets, in /etc/sysctl.conf:
net.ipv4.ip_forward = 1


cheers,


-- 
*Karel Lang*
*Unix/Linux Administration*
[log in to unmask] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 04/28/2016 09:59 AM, Benjamin Lefoul wrote:
> Hi!
>
> I have a KVM guest called "streeling" running on physical host "trantor".
> I can easily ssh to "trantor", and from there ssh to "streeling", but I
> cannot seem to be able to set the port forward properly to ssh directly
> to "streeling" ("Connection refused"). This should be simple enough to
> follow through:
>
> seldon@anacreon:~ $ head .ssh/config
> Host streeling
>      Hostname 10.0.75.192
>      Port 4077
>      User root
>
> Host trantor
>      Hostname 10.0.75.192
>      ForwardX11=yes
>      User seldon
> seldon@anacreon:~ $ ssh streeling
> ssh: connect to host 10.0.75.192 port 4077: Connection refused
> seldon@anacreon:~ $ ssh trantor
> Last login: Thu Apr 28 09:31:52 2016 from 10.0.75.177
> seldon@trantor:~ $ sudo virsh list
>   Id    Name                           State
> ----------------------------------------------------
>   2     streeling                      running
>   3     mycogen                        running
>   4     dahl                           running
>
> seldon@trantor:~ $ ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>      link/ether 6c:62:6d:6a:ab:fc brd ff:ff:ff:ff:ff:ff
>      inet 10.0.75.192/24 brd 10.0.75.255 scope global enp4s1
>         valid_lft forever preferred_lft forever
>      inet6 fe80::6e62:6dff:fe6a:abfc/64 scope link
>         valid_lft forever preferred_lft forever
> 3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>      link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.128.1/24 brd 192.168.128.255 scope global virbr1
>         valid_lft forever preferred_lft forever
> 4: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master
> virbr1 state DOWN qlen 500
>      link/ether 52:54:00:0d:4a:73 brd ff:ff:ff:ff:ff:ff
> 5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> master virbr1 state UNKNOWN qlen 500
>      link/ether fe:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
>      inet6 fe80::fc54:ff:fe89:acbc/64 scope link
>         valid_lft forever preferred_lft forever
> seldon@trantor:~ $ getenforce
> Enforcing
> seldon@trantor:~ $ sudo grep "Port" /etc/ssh/sshd_config
> Port 22
> Port 4077
> seldon@trantor:~ $ sudo semanage port -l | grep ssh
> ssh_port_t                     tcp      4077, 22
> seldon@trantor:~ $ cat /proc/sys/net/ipv4/ip_forward
> 1
> seldon@trantor:~ $ head -4 .ssh/config
> Host streeling
>      Hostname 192.168.128.128
>      User root
>
> seldon@trantor:~ $ sudo firewall-cmd --list-all
> public (default, active)
>    interfaces: enp4s1
>    sources:
>    services: ssh
>    ports: 4077/tcp
>    masquerade: yes
>    forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128
>    icmp-blocks:
>    rich rules:
>
> seldon@trantor:~ $ ssh streeling
> Last login: Thu Apr 28 09:10:57 2016 from 192.168.128.1
> root@streeling:~ # ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> UP group default qlen 1000
>      link/ether 52:54:00:89:ac:bc brd ff:ff:ff:ff:ff:ff
>      inet 192.168.128.128/24 brd 192.168.128.255 scope global ens3
>         valid_lft forever preferred_lft forever
>      inet6 fe80::5054:ff:fe89:acbc/64 scope link
>         valid_lft forever preferred_lft forever
>
> What should I do?
>
>
> Regards,
>
>
> Benjamin Lefoul
>
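A small consistency check for the port-forwarding route Karel describes first, added here as an example and not part of the thread: it parses the `firewall-cmd --list-all`, `sshd_config` and `ip_forward` output Benjamin posted (embedded below as constructed sample strings) and reports what would keep a firewalld forward-port from delivering an ssh session to the guest. The overlap finding (host sshd bound to the same port firewalld forwards) is this example's own check, not something the thread states.

```python
import re

# Constructed sample inputs, copied from the command output quoted in the thread.
FIREWALLD_LIST_ALL = """public (default, active)
  interfaces: enp4s1
  sources:
  services: ssh
  ports: 4077/tcp
  masquerade: yes
  forward-ports: port=4077:proto=tcp:toport=22:toaddr=192.168.128.128
  icmp-blocks:
  rich rules:
"""
SSHD_CONFIG = "Port 22\nPort 4077\n"   # sudo grep "Port" /etc/ssh/sshd_config
IP_FORWARD = "1\n"                     # cat /proc/sys/net/ipv4/ip_forward

def parse_forward_ports(list_all):
    """Return each forward-ports entry of a firewall-cmd --list-all dump as a dict."""
    rules = []
    for line in list_all.splitlines():
        if line.strip().startswith("forward-ports:"):
            # firewalld prints several rules space-separated on the same line
            for spec in line.split(":", 1)[1].split():
                rules.append(dict(kv.split("=", 1) for kv in spec.split(":")))
    return rules

def sshd_ports(sshd_config):
    """Ports the host's own sshd binds (every uncommented Port directive)."""
    return [int(m.group(1)) for m in re.finditer(r"^\s*Port\s+(\d+)", sshd_config, re.M)]

def check_port_forward(list_all, sshd_config, ip_forward):
    """Cross-check the pieces the port-forwarding route depends on; return findings."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is 0: the host will not route packets to the guest")
    rules = parse_forward_ports(list_all)
    if not rules:
        findings.append("no forward-ports rule in the active zone")
    if not any(l.strip() == "masquerade: yes" for l in list_all.splitlines()):
        findings.append("masquerade is off: firewalld needs it in the zone when toaddr is another host")
    for r in rules:
        # The host sshd answering on the forwarded port makes it ambiguous which sshd you reach
        # (e.g. when testing from the host itself); use a port the host does not bind.
        if r.get("proto") == "tcp" and int(r["port"]) in sshd_ports(sshd_config):
            findings.append(f"host sshd also listens on forwarded port {r['port']}: "
                            "pick a port the host does not bind so only the guest answers")
    return findings
```

These checks only cover what the thread shows; rules elsewhere in the FORWARD chain, such as the ones libvirt installs for virbr1, can still reject the forwarded connection.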
