iptables (NAT/PAT) setup for SSH & Samba
- by IanVaughan
I need to access a Linux box via SSH & Samba that is hidden/connected behind another one.
Setup :-
   A           switch        B                C
|----|         |---|     |----|           |----|
|eth0|---------|   |-----|eth0|           |    |
|----|         |---|     |eth1|-----------|eth1|
                         |----|           |----|
Eg, SSH/Samba from A to C
How does one go about this?
I was thinking that it cannot be done via IP alone? Or can it?
Could B say "hi on eth0, if you're looking for 192.168.0.2, it's here on eth1"?
Is this NAT?
This is a large private network, so what about if another PC has that IP?!
More likely it would be PAT?
A would say "hi 192.168.109.15:1234"
B would say "hi on eth0, traffic for port 1234 goes on here eth1"
How could that be done?
And would the SSH/Samba daemons see the correct packet header info and work?
IP info :-
A - eth0 - 192.168.109.2
B - eth0 - B1 = 192.168.109.15 B2 = 172.24.40.130
- eth1 - 192.168.0.1
C - eth1 - 192.168.0.2
A, B & C are RHEL (RedHat)
But Windows computers can be connected to the switch.
I configured the 192.168.0.* IPs; they are changeable.
Update after response from Eddie
A few problems (and machine B's IP is different!)
From A :-
ssh 172.24.40.130 works ok, (can get to B2)
but ssh 172.24.40.130 -p 2022 -vv times out with :-
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.24.40.130 [172.24.40.130] port 2022.
...wait ages...
debug1: connect to address 172.24.40.130 port 2022: Connection timed out
ssh: connect to host 172.24.40.130 port 2022: Connection timed out
From B2 :-
$ service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:22
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2022 to:192.168.0.2:22
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
And ssh from B2 to C works fine :-
$ ssh 192.168.0.2
Route info :-
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
172.24.40.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         172.24.40.1     0.0.0.0         UG    0      0        0 eth0
$ ip route
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
172.24.40.0/24 dev eth0 proto kernel scope link src 172.24.40.130
169.254.0.0/16 dev eth1 scope link
default via 172.24.40.1 dev eth0
So I just don't know why the port forward doesn't work from A to B2?
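The posted `service iptables status` output shows the DNAT and FORWARD rules, but two things a DNAT port forward on a Linux router also depends on are not visible in those tables: the kernel must have IP forwarding switched on (net.ipv4.ip_forward), and C's reply packets must travel back through B (either because C's default route is 192.168.0.1, or because B rewrites the source address on eth1). The script below is an added example, not code from the original post or its answers: it generates a complete rule set for forwarding SSH and Samba from B's outer interface to C using the addresses and interfaces given in the post (eth0/172.24.40.130 outside, eth1/192.168.0.1 inside, C at 192.168.0.2, external SSH port 2022). The external Samba ports 2445 and 2139 are constructed placeholders. Run it without arguments to print the rules, or as root with `--apply` to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the full iptables rule
# set for forwarding SSH and Samba from B's outer interface to C, including
# the two pieces the posted configuration does not show (ip_forward and the
# return path). Values are taken from the post except the Samba external
# ports (2445/2139), which are constructed placeholders.

WAN_IF=eth0            # B's interface towards the switch (172.24.40.130)
LAN_IF=eth1            # B's interface towards C (192.168.0.1)
TARGET=192.168.0.2     # C

# Emit the two rules for one forwarded port: WAN_IF:ext_port -> TARGET:int_port.
# The FORWARD rule matches the post-DNAT destination, so it uses int_port.
forward_rules() {
    ext_port=$1
    int_port=$2
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext_port -j DNAT --to-destination $TARGET:$int_port
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $int_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Emit the complete rule set.
#  * net.ipv4.ip_forward=1 makes the kernel route between eth0 and eth1 at all;
#    a DNAT rule alone does nothing if forwarding is off.
#  * The POSTROUTING MASQUERADE on eth1 rewrites the client source to
#    192.168.0.1, so C always replies to B even if C's default gateway is not B.
#    The cost: sshd/smbd on C log B's address (192.168.0.1) as the client,
#    not A's. Drop that line if C's default route already points at B and you
#    want C to see the real client address.
full_ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    forward_rules 2022 22      # SSH:   172.24.40.130:2022 -> 192.168.0.2:22
    forward_rules 2445 445     # Samba: SMB over TCP
    forward_rules 2139 139     # Samba: NetBIOS session service
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -d $TARGET -j MASQUERADE"
}

# Number of commands in the generated set; lets the generator be checked
# without root or a real iptables binary.
rule_count() {
    full_ruleset | wc -l | tr -d ' '
}

# Apply only on explicit request and only as root; otherwise print the rules
# so they can be reviewed or pasted into /etc/sysconfig/iptables.
if [ "$1" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    full_ruleset | sh -e
else
    full_ruleset
fi
```

The generated FORWARD rules are written per port and per interface pair rather than relying on the chain's ACCEPT policy, so the set still works if the FORWARD policy is later tightened to DROP, which is the usual hardening step once the forward is confirmed working. If the timeout from A persists after applying this, the remaining places to look are the value of `cat /proc/sys/net/ipv4/ip_forward` on B and C's own routing table for a path back to 172.24.40.0/24.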