Use iptables to forward ssh

Question

i found several tutorials on how to do it, but got none of them to work :/

My setup:

FIREWALL - reachable from the internet - eth0: xxx.xxx.xxx.xxx (public ip) - eth1: 192.168.1.1

SERVER - reachable from FIREWALL - eth0: 192.168.1.5

Because I still want to be able to connect to the firewall on port 22, I would like to forward incoming connections on port 2222 to 192.168.1.5:22.

ping and ssh from FIREWALL to SERVER works. ping and ssh from SERVER to FIREWALL works as well (although login is only allowed with public key and the SERVER is not allowed...)

ping and ssh from anywhere to FIREWALL works.

IP forwarding is enabled:

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Posting my iptables-rules does not make much sense because none of the rules worked (used PREROUTING, POSTROUTING, FORWARD...) and there are no other rules.

Yes, my firewall does not block anything. But this is not about security (yet).

I tried everything I found on the first to pages of: https://www.google.de/search?q=iptables+forward+ssh

Any suggestions?

Regards, Jens

UPDATE Here's the output of tcpdump -n -i any after using Khaled's iptables command:

15:42:33.852718 IP home-ip.56008 > firewall-public-ip.2222: Flags [S], seq 1141341765, win 14600, options [mss 1460,sackOK,TS val 871214 ecr 0,nop,wscale 7], length 0
15:42:33.852752 IP home-ip.56008 > 192.168.1.5.22: Flags [S], seq 1141341765, win 14600, options [mss 1460,sackOK,TS val 871214 ecr 0,nop,wscale 7], length 0

I would have guessed that in the second line there would be something like ... IP 192.168.1.1.45678 > 192.168.1.5.22 ...

These two lines repeat a few times as my ssh-client tries multiple times to connect. But there is not any answer.

2nd Update The routes of the server (192.168.1.5) are here. I just added a route

public-firewall-ip  255.255.255.255      192.168.1.1     192.168.1.5       1

but this has no effect. On the server runs Win XP with cygwin's sshd installed. I did not mention this before because ssh from the firewall to the server works just fine. But when it comes to routing I feel Windows is somewhat limited.

Now I'm installing Wireshark on the server and will paste the result in a few miniutes.

Trace on server The trace on the server shows an arriving SYN on port 22 and a leaving SYN,ACK to my home-ip. I think there is the error. The ACK should be sent to the firewall than be masqueraded because in the leaving package the source IP/Port now is 192.168.1.5:22. No way this reaches my laptop at home behind a NAT... or is there a way?

Answer 1

If you are allowing the traffic to pass through your firewall and have IP forwarding enabled, you just need one NAT rule to forward SSH traffic on port 2222. A one like this should do the work:

$ iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22

Update:

Network sniffer is your friend when debugging such problems. You can run tcpdump on the firewall machine and see if you can catch the request coming and the same request should leave the firewall machine.