I have an ubuntu server which is visible from internet, let's call it "jumper". And this server has this name actually because I need that whenever an user SSH this server, it jumps (or forward or redirect) the SSH connection to another server (which isn't visible from internet) so the SSH is actually to the invisible server. Also I need to do this exactly with iptables.

What i've tried (on jumper)

iptables -t nat -A PREROUTING -d ${jumper_ip} -p tcp --dport 22 -j DNAT --to-destination ${invisibleserver_ip}
iptables -t nat -A POSTROUTING -s ${invisibleserver_ip} -p tcp --sport 22 -j SNAT --to-source ${jumper_ip}
iptables -A FORWARD -p tcp ${invisibleserver_ip} --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Yes, IP forwarding is enabled on Kernel.

The problem

That when I SSH the jumper host, nothing happens. "Conection timed out" comes out. Any idea?
Thank you all for your answers.

  • 31
  • 3

1 Answers1


Your first iptables rule is correct and sufficient to do the job. I'd consider explicitly specifying an incoming interface such as:

iptables -t nat -A PREROUTING -i ${wan_if} -d ${jumper_ip} -p tcp --dport 22 -j DNAT --to-destination ${invisibleserver_ip}

But this is not required. Your POSTROUTING rule is a bit flawed. I don't think it is going to break anything. But it's better to remove it. It's applicable when the client is running on port 22, which is not the case of SSH.

The FORWARD rule is entirely redundant, unless you have made other changes, which you haven't told us about. The default policy is ACCEPT. A single rule with ACCEPT and a default policy of ACCEPT will result in all packets being accepted regardless of whether the packet matches the criteria. So you can simply remove that rule and rely on the default ACCEPT policy.

None of this explains what is causing the problem. The reasons for that are twofold. You haven't explained what problem you are seeing, and you haven't mentioned all the relevant details of your configuration in order to pinpoint the real reason.

I can however come up with a few likely guesses:

  • You have not enabled forwarding of packets.
  • Your routing is configured in such a way that only packets in one direction go through your jump server.
  • The packets are being dropped by other rules, which you omitted from your question.

First verify that forwarding is enabled by typing:

cat /proc/sys/net/ipv4/ip_forward

If it is disabled you can enable it by typing:

echo 1 >/proc/sys/net/ipv4/ip_forward

And if this solves the problem you can make it permanent by updating /etc/sysctl.conf.

If your routing is configured such that return packets are not routed through your jump host, you can add a SNAT rule to your POSTROUTING chain which need to apply to the same SYN packets which were just handled by your DNAT rule.

If you want to know about potential drawbacks to using DNAT for this, and some alternatives. I have answered a similar question in the past.

If the problem is caused by additional iptables rules, which you did not mention in your question, you need to remove or fix those rules. Obviously I cannot provide anymore details about that without knowing the contents and purpose of those rules - if any.

  • 29,894
  • 16
  • 72
  • 122
  • You're right, I hadn't exposed the problem, now edited. At the end of the question, I mentioned that ip forwarding was enabled, even in /etc/sysctl.conf. The only rules on the iptables are the ones I posted in the question. Thanks for your help! – sant016 Apr 29 '16 at 15:29
  • @sant016 If everything else fails. Use `tcpdump` to see how far the SYN and SYN-ACK packets gets before being dropped. – kasperd Apr 29 '16 at 15:31
  • Did all you told me and still failing. Question: should 22 port be on `/etc/ssh/sshd_config`? Because I enabled port 2222 only for ssh and disbled port 22. By the way, not sure how to use `tcpdump`... Thanks again! – sant016 Apr 29 '16 at 16:30
  • To forward the packets to a different port than the one specifiyed using `--dport`, you need to use `--to-destination ${invisibleserver_ip}:{invisibleserver_ssh_port}`. Here is the iptables rule proposed by kasperd slightly modifyed: `iptables -t nat -A PREROUTING -i ${wan_if} -d ${jumper_ip} -p tcp --dport 22 -j DNAT --to-destination ${invisibleserver_ip}:2222`. – rda Apr 30 '16 at 14:22
  • What I mean is this: If I want to SSH jumper, then I must use port 2222. If I SSH jumper via port 22, then it must redirect to the invisible server. – sant016 May 02 '16 at 19:26