Your first iptables rule is correct and sufficient to do the job. I'd consider explicitly specifying an incoming interface such as:
iptables -t nat -A PREROUTING -i ${wan_if} -d ${jumper_ip} -p tcp --dport 22 -j DNAT --to-destination ${invisibleserver_ip}
But this is not required. Your POSTROUTING rule is a bit flawed. I don't think it is going to break anything, but it's better to remove it. It's applicable when the client is running on port 22, which is not the case for SSH.
The FORWARD rule is entirely redundant, unless you have made other changes which you haven't told us about. The default policy is ACCEPT. A single rule with ACCEPT and a default policy of ACCEPT will result in all packets being accepted regardless of whether the packet matches the criteria. So you can simply remove that rule and rely on the default ACCEPT policy.
None of this explains what is causing the problem. The reasons for that are twofold. You haven't explained what problem you are seeing, and you haven't mentioned all the relevant details of your configuration in order to pinpoint the real reason.
I can however come up with a few likely guesses:
- You have not enabled forwarding of packets.
- Your routing is configured in such a way that only packets in one direction go through your jump server.
- The packets are being dropped by other rules, which you omitted from your question.
First verify that forwarding is enabled by typing:
cat /proc/sys/net/ipv4/ip_forward
If it is disabled you can enable it by typing:
echo 1 >/proc/sys/net/ipv4/ip_forward
And if this solves the problem you can make it permanent by updating /etc/sysctl.conf.
If your routing is configured such that return packets are not routed through your jump host, you can add a SNAT rule to your POSTROUTING chain, which needs to apply to the same SYN packets which were just handled by your DNAT rule.
If you want to know about potential drawbacks to using DNAT for this, and some alternatives, I have answered a similar question in the past.
If the problem is caused by additional iptables rules which you did not mention in your question, you need to remove or fix those rules. Obviously I cannot provide any more details about that without knowing the contents and purpose of those rules, if any.
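The pieces of the answer above (the interface-restricted DNAT rule, the ip_forward check and the optional SNAT rule for asymmetric return routing) pulled together into one script, as an added example that is not part of the original answer. The interface name and the three addresses are placeholders, and the script defaults to printing the iptables commands rather than applying them; set DRY_RUN=0 and run it as root to apply them. The SNAT source is assumed to be the jump host's address as seen from the internal server, which may differ from its WAN address.

```shell
#!/bin/sh
# Added example, not from the original answer. All values below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                  # assumed WAN-facing interface of the jump host
JUMPER_IP="${JUMPER_IP:-203.0.113.10}"    # assumed address clients connect to (port 22)
JUMPER_LAN_IP="${JUMPER_LAN_IP:-10.0.0.1}" # assumed address of the jump host on the internal side
INVISIBLE_IP="${INVISIBLE_IP:-10.0.0.5}"  # assumed internal SSH server being hidden
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = actually run them

# Either print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return 0 when IPv4 forwarding is on, 1 when off, 2 when the knob is absent
# (non-Linux host or a container without /proc/sys access).
forwarding_enabled() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] && return 0
        return 1
    fi
    return 2
}

# Turn forwarding on for the running kernel (persist it in /etc/sysctl.conf separately).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# DNAT only the SSH SYNs that arrive on the WAN interface for the jump host's address.
# Restricting the interface keeps the rule from also rewriting traffic from the inside.
dnat_rule() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$JUMPER_IP" \
        -p tcp --dport 22 -j DNAT --to-destination "$INVISIBLE_IP"
}

# Only needed when the internal server's replies would not otherwise pass back through
# the jump host. By the time packets reach POSTROUTING their destination has already
# been rewritten, so matching on the internal address selects exactly the DNATed flows.
snat_rule() {
    run iptables -t nat -A POSTROUTING -d "$INVISIBLE_IP" \
        -p tcp --dport 22 -j SNAT --to-source "$JUMPER_LAN_IP"
}

if ! forwarding_enabled; then
    echo "ip_forward is not enabled; enabling it:"
    enable_forwarding
fi
dnat_rule
# Uncomment if return traffic bypasses the jump host (see the answer above).
# snat_rule
```

With the defaults the script only prints what it would do, which makes it easy to compare against `iptables -t nat -S` on the real box before applying anything. Note that no FORWARD rule is emitted, for the reason given in the answer: with a default ACCEPT policy on FORWARD it adds nothing, and if the policy is DROP you need a matching ACCEPT for both directions of the forwarded connection, not a rule that only mirrors the DNAT match.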