Question

Iptable Port Forwarding is not working for Host Only Network

Feb 29, 2016 1:00PM PST

Host OS: Ubuntu with a live (public) IP address, 1.2.3.4.

And an Ubuntu VM running in VirtualBox with a Host-Only and a NAT network configuration. The configuration of both network cards is according to this link.

Now my VM has the IP address 192.168.56.101.
I can successfully SSH to my VM from the host. But when I move forward and implement an iptables rule to forward traffic from the host to the VM, it is not working. I have enabled IP forwarding on the host with #sysctl net.ipv4.ip_forward=1, and added #iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.56.101:2222 to /etc/iptables/rules.v4.

Now when I SSH to my VM from an external network with IP address 3.3.3.3 using the command #ssh vmusername@1.2.3.4 -p 2222, it gets stuck. No output. Also no logs on my host 1.2.3.4 or on the VM. I have also added port 2222 to the SSH config (/etc/ssh/sshd_config) of my VM.

Host IPTables rules (/etc/iptables/rules.v4)

xxxxx@xxxxx:~$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP icmp -- anywhere anywhere ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ICMP (1 references)
target prot opt source destination

Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain UDP (1 references)
target prot opt source destination

Use Case: I have deployed SSH honeypots in my VM. Anyone who tries to SSH to my live IP 1.2.3.4 on port 2222 will be forwarded to the SSH ********. In the ******** VM all SSH sessions are logged. So in the logs I need the real IP of the attacker (3.3.3.3).
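As an added example (not the poster's configuration), the script below prints the rule fragments a DNAT to a host-only VM needs, in the iptables-restore format that /etc/iptables/rules.v4 is loaded with: the PREROUTING DNAT, the FORWARD rules that DNATed traffic actually traverses (it never passes INPUT), and deliberately no SNAT toward the VM so the honeypot still records the attacker's address. It assumes the VirtualBox host-only adapter on the host is vboxnet0 with address 192.168.56.1 (the VirtualBox default) and uses eth0 as a placeholder for the public interface; the comments note that the VM's replies must return through the host for conntrack to reverse the DNAT.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Prints rule fragments in the
# iptables-restore format that /etc/iptables/rules.v4 is loaded with.
# Assumptions: public interface "eth0" (placeholder), VirtualBox host-only
# adapter vboxnet0 with host address 192.168.56.1 (VirtualBox default).
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # interface carrying the public 1.2.3.4
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"   # VirtualBox host-only adapter on the host
VM_IP="${VM_IP:-192.168.56.101}"
PORT="${PORT:-2222}"

# nat table: rewrite the destination of inbound TCP/2222 to the VM. No
# MASQUERADE/SNAT toward the VM on purpose: rewriting the source would make the
# honeypot log the host's 192.168.56.1 instead of the attacker's real address.
nat_rules() {
    printf '*nat\n'
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $VM_IP:$PORT"
    printf 'COMMIT\n'
}

# filter table: after DNAT the packets traverse FORWARD, not INPUT, so the host's
# INPUT rules (tcp dpt:ssh etc.) never see them. Allow the new connection toward
# the VM and the established replies coming back, nothing else.
filter_rules() {
    printf '*filter\n'
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $HOSTONLY_IF -d $VM_IP -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $HOSTONLY_IF -o $WAN_IF -s $VM_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf 'COMMIT\n'
}

# The host must also forward (sysctl net.ipv4.ip_forward=1) and the VM must send
# its replies back through the host-only link, i.e. its route to the attacker
# must point at 192.168.56.1; replies that leave via the VirtualBox NAT adapter
# bypass the host's conntrack, so the DNAT is never reversed and the session hangs.
all_rules() {
    nat_rules
    filter_rules
}

# Review on stdout; load with:  ./dnat-rules.sh | sudo iptables-restore --noflush
all_rules
```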

Cross Posting required
Mar 1, 2016 11:38AM PST

I have also posted this on the link you mentioned above and also on some other forums. You have seen there is no reply, so I am here. I think there is no rule that if we get no help on a specific forum, we cannot ask anywhere else! It would be great if you could help me here or there.

It appears support is in the mailing lists.
Mar 1, 2016 11:54AM PST
cross posting takes up resources
Mar 1, 2016 12:03PM PST

To explain why crossposting is frowned upon: cross posting is selfish and takes up resources that could be used to also help others. In other words, they want everyone to help them and not others. Most who help are volunteers and only have so much time to give. They want to help as many as they can.

It is one thing to ask elsewhere when not getting help, but when you post the same post the same day in multiple forums, that is frowned upon. You gotta give a forum a day or more to help, since nobody lives in them. Once crossposting is found, a lot of helpers just won't bother to help anymore.