SCIENTIFIC-LINUX-USERS Archives

April 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Benjamin Lefoul <[log in to unmask]>
Reply To: Benjamin Lefoul <[log in to unmask]>
Date: Thu, 28 Apr 2016 15:44:30 +0000

Thanks for your help everyone.
I have solved the original problem: it was not firewalld, sshd, or the sysctl.
It was the virtual network associated with bridge virbr1 (here called "hyperspace") that was not properly configured.
This is what solved everything:


seldon@trantor:~ $ sudo virsh net-edit hyperspace

And replace this line:

<forward mode='nat'/>

With this one:

<forward dev='enp4s1' mode='route'><interface dev='enp4s1'/></forward>

Regards,

Benjamin Lefoul
________________________________________
From: Nico Kadel-Garcia <[log in to unmask]>
Sent: 28 April 2016 13:49:11
To: Karel Lang AFD
Cc: Benjamin Lefoul; [log in to unmask]
Subject: Re: SSH port forward with firewalld

On Thu, Apr 28, 2016 at 7:30 AM, Karel Lang AFD <[log in to unmask]> wrote:
> Hi,
>
> I see 2 basic ways to go about this
>
> Firstly,
> yes, you can solve this by port-forwarding on the iptables level on the host
> machine.
> Unfortunately, I don't use firewalld, I use only iptables, so can't say if
> your config is right or not.
>
> But basically if the forwarding firewall rule works, then after you issue:
>
> ssh user@IP-of-host-machine -p portnumber-that-is-forwarded
>
> then you are immediately redirected to the guest machine and you should get a pw
> prompt from the guest - if not, something is wrong - probably on the firewall.

A lot of complex port forwarding solutions can be avoided by simply
using "socat", or using "inetd" to do port forwarding and staying out
of the firewall rules. Not that SSH port forwarding isn't extremely
useful. But if you don't actually need to protect the port forwarding
from man-in-the-middle attacks, it can be much faster. I use those to
expose SSL ports, such as 8443 for Tomcat or Jenkins servers which do
not run as root, to lower numbered ports that require system
privileges, such as port 443.

* http://serverfault.com/questions/252150/port-forwarding-on-linux-without-iptables


> Secondly,
> you can use an ssh tunnel and tunnel your ssh session through your host to your
> guest very quickly
>
> from your laptop (this assumes both sshd daemons on guest and host use port
> 22)
>
> ssh -L 22222:IP-of-guest-virt-machine:22  user@IP-of-host-machine
>
> this establishes the ssh tunnel
>
> next goes:
> ssh user@localhost -p 22222
>
> you should get the pw prompt from the guest machine
>
> check if your host machine forwards packets in /etc/sysctl.conf
> net.ipv4.ip_forward = 1
>
>
> cheers,

This looks right. I also admit that I've taken to avoiding
host-specific firewall configurations because many of the tools to
manipulate firewalls overwrite or conflict with each other and wind up
completely screwing up the overall configuration.
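
A check for the setting changed in the fix at the top of this thread, as an added example that is not part of any message here: it reads a libvirt network definition on stdin (as printed by `virsh net-dumpxml`) and reports the `<forward>` mode and device. The function names `forward_attr` and `forward_summary` are hypothetical, and the sample XML is constructed around the network and interface names given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the <forward> setting of a
# libvirt network read from stdin, e.g.
#   sudo virsh net-dumpxml hyperspace | forward_summary

# Print the value of attribute $1 from the <forward ...> start tag on stdin.
# Requiring whitespace or "/" after the name skips <forwarder> under <dns>.
forward_attr() {
    tr '\n' ' ' |
        sed -n 's/.*<forward\([[:space:]/][^>]*\)>.*/\1/p' |
        sed -n "s/.*[[:space:]]$1=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Print "mode=<mode> dev=<dev>", then what that mode means for inbound
# connections to the guests on this network.
forward_summary() {
    xml=$(cat)
    if ! printf '%s\n' "$xml" | tr '\n' ' ' | grep -q '<forward[[:space:]/>]'; then
        echo "mode=isolated dev=-"
        echo "no <forward> element: guests only talk to the host and each other"
        return 0
    fi
    mode=$(printf '%s\n' "$xml" | forward_attr mode)
    dev=$(printf '%s\n' "$xml" | forward_attr dev)
    mode=${mode:-nat}    # libvirt treats a <forward> without mode= as NAT
    echo "mode=$mode dev=${dev:--}"
    case $mode in
        nat)   echo "guests are masqueraded behind the host; inbound needs an explicit port forward" ;;
        route) echo "guest subnet is routed without NAT; guests are reachable by their own addresses, so firewall each guest" ;;
        *)     echo "mode not covered by this example" ;;
    esac
}

# Constructed sample: the corrected <forward> line inside a minimal network.
SAMPLE_XML="<network><name>hyperspace</name>
  <forward dev='enp4s1' mode='route'><interface dev='enp4s1'/></forward>
</network>"

printf '%s\n' "$SAMPLE_XML" | forward_summary
```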
