On Thu, Apr 28, 2016 at 7:30 AM, Karel Lang AFD <l...@afd.cz> wrote:
> Hi,
>
> I see 2 basic ways how to go about this
>
> firstly,
> yes, you can solve this by port-forwarding on the iptables level on the host
> machine.
> Unfortunately, I don't use firewalld, I use only iptables, so I can't say if
> your config is right or not.
>
> But basically if the forwarding firewall rule works, then after you issue:
>
> ssh user@IP-of-host-machine -p portnumber-that-is-forwarded
>
> then you are immediately redirected to the guest machine and you should get a pw
> prompt from the guest. If not, something is wrong, probably on the firewall.

A lot of complex port forwarding solutions can be avoided by simply
using "socat", or using "inetd" to do port forwarding and staying out
of the firewall rules. Not that SSH port forwarding isn't extremely
useful. But if you don't actually need to protect the port forwarding
from man-in-the-middle attacks, it can be much faster. I use those to
expose SSL ports, such as 8443 for Tomcat or Jenkins servers which do
not run as root, to lower-numbered ports that require system
privileges, such as port 443.

* http://serverfault.com/questions/252150/port-forwarding-on-linux-without-iptables


> secondly,
> you can use ssh tunnel and tunnel your ssh session through your host to your
> guest very quickly
>
> from your laptop (this assumes both sshd daemons on guest and host use port
> 22)
>
> ssh -L 22222:IP-of-guest-virt-machine:22  user@IP-of-host-machine
>
> this establishes the ssh tunnel
>
> next goes:
> ssh user@localhost -p 22222
>
> you should get the pw prompt from guest machine
>
> check, if your host machine forwards packets in /etc/sysctl.conf
> net.ipv4.ip_forward = 1
>
>
> cheers,

This looks right. I also admit that I've taken to avoiding
host-specific firewall configurations because many of the tools to
manipulate firewalls overwrite or conflict with each other and wind up
completely screwing up the overall configuration.
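
As an added example for this thread (not code from either poster), here is the userland forwarding the reply above recommends, written out in Python rather than typed as a socat one-liner so the mechanism is visible: one process listens on a port and copies bytes both ways to another host:port, which is what `socat TCP-LISTEN:443,fork,reuseaddr TCP:127.0.0.1:8443` does. Because the forwarding host terminates the TCP connection itself, this path needs neither iptables DNAT/FORWARD rules nor net.ipv4.ip_forward=1; that sysctl matters for the kernel-level forwarding in the first approach, where packets are routed through to the guest. Assumptions not taken from the thread: Python 3.8+ with asyncio, listening on port 0 (ephemeral) so the demo needs no root, and an echo server standing in for the real backend (guest sshd, Tomcat on 8443). Binding a port below 1024 on a real host still needs root or CAP_NET_BIND_SERVICE, and nothing here adds or strips TLS, so this is exactly as MITM-safe as the protocol being forwarded, which is the caveat the reply makes.

```python
"""Userland TCP port forwarder (the socat/inetd approach), added example for this thread.

Not code from either poster. Assumes Python 3.8+ asyncio; the echo backend in
demo_round_trip() is a constructed stand-in for a real service such as a guest's
sshd or Tomcat on 8443. Bytes are copied verbatim, no TLS is added or removed.
"""
import asyncio
from typing import Optional, Tuple


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> int:
    """Copy one direction until EOF, then half-close the far side. Returns bytes copied."""
    copied = 0
    try:
        while True:
            chunk = await reader.read(64 * 1024)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
            copied += len(chunk)
    except (ConnectionResetError, BrokenPipeError):
        pass  # peer vanished mid-stream; the opposite pump will see EOF and finish
    finally:
        if writer.can_write_eof():
            writer.write_eof()  # propagate the half-close like a kernel-level forward would
    return copied


class Forwarder:
    """Listen on listen_host:listen_port and relay every client to target_host:target_port."""

    def __init__(self, listen_host: str, listen_port: int, target_host: str, target_port: int):
        self.listen_host, self.listen_port = listen_host, listen_port
        self.target_host, self.target_port = target_host, target_port
        self._server: Optional[asyncio.AbstractServer] = None
        self.connections = 0  # accepted clients that reached the target

    async def _on_client(self, client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
        try:
            target_r, target_w = await asyncio.open_connection(self.target_host, self.target_port)
        except OSError:
            client_w.close()  # target unreachable: drop the client as a closed port would
            return
        self.connections += 1
        try:
            await asyncio.gather(_pump(client_r, target_w), _pump(target_r, client_w))
        finally:
            target_w.close()
            client_w.close()

    async def start(self) -> Tuple[str, int]:
        """Bind and listen; returns the bound (host, port), useful when listen_port is 0."""
        self._server = await asyncio.start_server(
            self._on_client, self.listen_host, self.listen_port, reuse_address=True
        )
        host, port = self._server.sockets[0].getsockname()[:2]
        return host, port

    async def stop(self) -> None:
        assert self._server is not None, "start() was not called"
        self._server.close()
        await self._server.wait_closed()


async def _echo(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Constructed backend standing in for the guest's sshd / Tomcat: echoes until EOF."""
    while True:
        data = await reader.read(64 * 1024)
        if not data:
            break
        writer.write(data)
        await writer.drain()
    writer.close()


async def _round_trip(payload: bytes) -> bytes:
    backend = await asyncio.start_server(_echo, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    fwd = Forwarder("127.0.0.1", 0, "127.0.0.1", backend_port)  # port 0: no privileges needed
    _, fwd_port = await fwd.start()
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", fwd_port)
        writer.write(payload)
        await writer.drain()
        writer.write_eof()           # client is done sending: EOF travels client -> fwd -> backend
        reply = await reader.read()  # read until the backend's EOF travels back the same way
        writer.close()
        await writer.wait_closed()
    finally:
        await fwd.stop()
        backend.close()
        await backend.wait_closed()
    return reply


def demo_round_trip(payload: bytes = b"SSH-2.0-probe\r\n") -> bytes:
    """Send payload through Forwarder -> echo backend and return what comes back."""
    return asyncio.run(_round_trip(payload))


if __name__ == "__main__":
    print(demo_round_trip())
```

In a real deployment you would run `Forwarder("0.0.0.0", 443, "127.0.0.1", 8443)` as root (or with CAP_NET_BIND_SERVICE) and the Tomcat or Jenkins process stays unprivileged on 8443; the half-close handling in `_pump` is what makes protocols like SSH and HTTP/1.0, which signal "done" with a FIN, behave the same through the relay as they do directly.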
