
I want to access a DB server over SSH from an outside network via a Linux (CentOS) gateway with two interfaces in separate networks, as follows:

Admin PC IP: 10.21.1.8

Linux GW IP eth1 Outside: 10.21.1.199 - SSH Port 10051

Linux GW IP eth2 Inside: 10.10.4.151

DB Server IP: 10.10.4.51 - SSH Port 22

FLOW: 10.21.1.8 --> eth1:10.21.1.199:10051 --> eth2:10.10.4.151 --> 10.10.4.51:22

and the return path

10.10.4.51 --> eth2:10.10.4.151 --> 10.21.1.199 --> 10.21.1.8

The iptables rules that I tried seem to be wrong. Something similar to:

iptables -t mangle -A PREROUTING -d <Server1_eth0> -p tcp --dport 2223 -j MARK --set-mark 1 -i eth0

iptables -t nat -A PREROUTING -p tcp -m mark --mark 1 -j DNAT --to-destination <Server2>:2222 -i eth0

iptables -t nat -A POSTROUTING -m mark  --mark 1 -j SNAT --to-source <Server1_eth1> -o eth1 

iptables -A FORWARD -m mark --mark 1 -j ACCEPT -o eth1

I need some hints. Thanks.

Jenny D
CatalinV

2 Answers


Depending on your needs and network configuration there are different solutions.

If your DB server 10.10.4.51 has a routing path towards the Admin PC 10.21.1.8, you just need this NAT rule on your gw:

iptables -t nat -A PREROUTING -i eth1 -s 10.21.1.8 -p tcp --dport 2222 -j DNAT --to 10.10.4.51:22

and then just ssh to the gw at 10.21.1.199, port 2222.

If your DB server doesn't have a gateway to the 10.21 network, this NAT rule lets you "hide" the Admin PC address behind the gw IP:

iptables -t nat -A POSTROUTING -o eth2 -s 10.21.1.8 -p tcp -d 10.10.4.51 --dport 22 -j SNAT --to 10.10.4.151

If you have ssh access to both servers and all you want is a terminal, you can get into the DB server by cascading ssh like this:

ssh -t -l gwuser -p 10051 10.21.1.199 ssh -l dbuser -p 22 10.10.4.51
nrc
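The two NAT variants from this answer, combined into one complete rule set for the gateway. This is an added example, not code from the answer or the original post. The interface names, addresses and ports are the ones given in the question; the forwarding port 2222 is the answer's arbitrary choice; the function names `nat_rules` and `check_rules` are my own. It adds two things the answer leaves implicit but a default CentOS firewall needs: IP forwarding must be enabled, and the FORWARD chain must accept both the rewritten packet and the tracked reply.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses, interfaces and ports
# are taken from the question; FWD_PORT=2222 is the first answer's choice.
set -eu

ADMIN_PC=10.21.1.8
GW_OUT_IF=eth1;  GW_OUT_IP=10.21.1.199     # outside interface of the gateway
GW_IN_IF=eth2;   GW_IN_IP=10.10.4.151      # inside interface of the gateway
DB_IP=10.10.4.51; DB_SSH_PORT=22
FWD_PORT=2222        # port on the gateway that is forwarded to the DB server

# Emit the complete rule set, one command per line. The pieces cooperate:
#  1. PREROUTING/DNAT rewrites  AdminPC -> gw_out:2222  into  AdminPC -> db:22
#  2. FORWARD must accept the rewritten packet (CentOS drops forwarded
#     traffic by default), restricted to the one client and the one service
#  3. FORWARD must also accept the reply, matched by connection tracking
#  4. POSTROUTING/SNAT hides the Admin PC behind the inside gateway address,
#     so the DB server needs no route back to the 10.21 network
# POSTROUTING runs after DNAT, so the SNAT rule matches the DB port (22),
# not the public forwarding port (2222).
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $GW_OUT_IF -s $ADMIN_PC -d $GW_OUT_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $DB_IP:$DB_SSH_PORT
iptables -A FORWARD -i $GW_OUT_IF -o $GW_IN_IF -s $ADMIN_PC -d $DB_IP -p tcp --dport $DB_SSH_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $GW_IN_IF -o $GW_OUT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $GW_IN_IF -s $ADMIN_PC -d $DB_IP -p tcp --dport $DB_SSH_PORT -j SNAT --to-source $GW_IN_IP
EOF
}

# Sanity checks to run on the generated rules before applying them:
# exactly one DNAT, exactly one SNAT, and the SNAT must match the post-DNAT
# port rather than the public forwarding port.
check_rules() {
    rules=$(nat_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j DNAT')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j SNAT')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -- '-j SNAT' | grep -q -- "--dport $DB_SSH_PORT" || return 1
    ! printf '%s\n' "$rules" | grep -- '-j SNAT' | grep -q -- "--dport $FWD_PORT" || return 1
    return 0
}

# Apply for real only when asked ("./gw-nat.sh apply" as root); by default
# just show the rules so they can be reviewed first.
case "${1:-show}" in
    apply) check_rules && nat_rules | sh -x ;;
    *)     nat_rules ;;
esac
```

Rules added with `-A` are appended, so on a host that already has a REJECT rule at the end of FORWARD they must be inserted with `-I` instead. With OpenSSH 7.3 or newer the cascaded-ssh variant can also be written without running a second ssh client on the gateway: `ssh -J gwuser@10.21.1.199:10051 dbuser@10.10.4.51`, which needs no NAT at all.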

# $src_ip: gateway address the Admin PC connects to; $dst_ip: the DB server.
# Accept forwarded packets to the DB server on port 10022.
iptables -A FORWARD -d $dst_ip -i eth2 -p tcp -m tcp --dport 10022 -j ACCEPT

# Rewrite the destination address only; the port stays 10022, so sshd on
# $dst_ip must listen on 10022.
iptables -t nat -A PREROUTING -d $src_ip -p tcp -m tcp --dport 10022 -j DNAT --to-destination $dst_ip

# Hide everything leaving via eth2 behind the gateway's eth2 address.
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

And... solved, thanks.