VPC SSH port forward into private subnet
- by CP510
Ok, so I've been racking my brain for DAYS on this dilema. I have a VPC setup with a public subnet, and a private subnet. The NAT is in place of course. I can connect from SSH into a instance in the public subnet, as well as the NAT. I can even ssh connect to the private instance from the public instance. I changed the SSHD configuration on the private instance to accept both port 22 and an arbitrary port number 1300. That works fine.
But I need to set it up so that I can connect to the private instance directly using the 1300 port number, ie.
ssh -i keyfile.pem [email protected] -p 1300
and 1.2.3.4 should route it to the internal server 10.10.10.10.
Now I heard iptables is the job for this, so I went ahead and researched and played around with some routing with that. These are the rules I have setup on the public instance (not the NAT). I didn't want to use the NAT for this since AWS apperantly pre-configures the NAT instances when you set them up and I heard using iptables can mess that up.
*filter
:INPUT ACCEPT [129:12186]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84:10472]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1300 -j ACCEPT
-A INPUT -d 10.10.10.10/32 -p tcp -m limit --limit 5/min -j LOG --log-prefix "SSH Dropped: "
-A FORWARD -d 10.10.10.10/32 -p tcp -m tcp --dport 1300 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Apr 17 04:19:29 2013
# Generated by iptables-save v1.4.12 on Wed Apr 17 04:19:29 2013
*nat
:PREROUTING ACCEPT [2:104]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [6:681]
:POSTROUTING ACCEPT [7:745]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1300 -j DNAT --to-destination 10.10.10.10:1300
-A POSTROUTING -p tcp -m tcp --dport 1300 -j MASQUERADE
COMMIT
So when I try this from home. It just times out. No connection refused messages or anything. And I can't seem to find any log messages about dropped packets.
My security groups and ACL settings allow communications on these ports in both directions in both subnets and on the NAT. I'm at a loss. What am I doing wrong?