Configuring iptables to port forward ssh connection to a server

Question

I have a network topology that looks like so:

Internet--------------------Firewall-------------------------Server

0.0.0.0/0-----172.8.45.140 & 192.168.1.1-----192.168.1.2

I need to configure the Firewall using iptables to port forward incoming ssh connections from my remote client (on the Internet) to the server (on 192.168.1.2). Essentially executing ssh [email protected] on the client to remote into the server on 192.168.1.2.

The Firewall has two NICs to communicate:

172.8.45.140 (public) is on interface ens33

192.168.1.1 (private) is on interface ens37

The Server has the private IP of 192.168.1.2 and has been configured to use port for 54045 for SSH, not the default 22.

Iptables on the Firewall has been configured that both chains INPUT and FORWARD have been changed to the policy DROP, the chain OUTPUT still has the default policy ACCEPT.

Chain INPUT (policy DROP)

target     prot opt source               destination         

Chain FORWARD (policy DROP)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

I have seen some guides online detailing how to port forward web requests to a web server behind a firewall, see:

https://www.systutorials.com/port-forwarding-using-iptables/

https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

https://wikileaks.org/ciav7p1/cms/page_16384684.html

Following these tutorials I have enabled port forwarding on the Firewall via the /etc/sysctl.conf file and tried the following rules:

1st Attempt

INPUT and FORWARD policy DROP, OUTPUT policy ACCEPT.

sudo iptables -A PREROUTING -t nat -i ens33 -p tcp --dport 22 -j DNAT --to 192.168.1.2:54045

sudo iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 54045 -j ACCEPT

Result: SSH operation timed out. Also tired INPUT and FORWARD policy ACCEPT still operation timed out.

2nd Attempt

INPUT and FORWARD policy DROP, OUTPUT policy ACCEPT.

sudo iptables -A FORWARD -i ens33 -o ens37 -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i ens33 -o ens37 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i ens37 -o ens33 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 54045 -j DNAT --to-destination 192.168.1.2

sudo iptables -t nat -A POSTROUTING -o ens37 -p tcp -d 192.168.1.2 -j SNAT --to-source 192.168.1.1

Result: SSH operation timed out. Also tired INPUT and FORWARD policy ACCEPT connection refused.

3rd Attempt

INPUT, FORWARD and OUTPUT policy ACCEPT.

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:54045

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Result: This did work but only when the chain FORWARD had its policy on ACCEPT. This is the only time I got a connection through the firewall. When I changed the chain FORWARD to DROP the SSH connection would time out again.

My guess it is something to with it being masqueraded or that FORWARD policy DROP has something to do with it.

My question is what am I overlooking? It’s probably something I’ve missed all this time that is staring me in the face. Please be kind and thank you for your help.

Answer 1

Assuming you are relying on the rules in the second attempt, --dport 22 is wrong. After the DNAT / leaving the PREROUTING chain, you need to instead allow traffics to the actual/new destination port, that is 54045, in the FORWARD chain.

P.S. Both -j MASQUERADE and -o ens37 -j SNAT --to-source 192.168.1.1 should work fine, and the latter is preferred if the firewall has static IP. Also, if 192.168.1.1 is the default gateway of 192.168.1.2, you shouldn't even need to use either of them.