SSH para a máquina virtual VMware com rede NAT [duplicada]

9

agora eu posso ssh hospedar pela Internet e ssh do host para a máquina virtual. O que eu quero fazer é ssh diretamente para a máquina convidada de fora.

Eu tentei fazer isso usando iptables :

iptables -t nat -A PREROUTING -m tcp -p tcp --dport 2222 -j DNAT --to-destination 192.168.130.128:22

E também abriu as portas relacionadas em UFW :

ufw allow routed
ufw allow outgoing
ufw deny incoming
ufw allow 2222/tcp

Depois de recarregar os firewalls, o ssh remoto congelará em debug1: Connecting to x.x.x.x [x.x.x.x] port 2222 e, usando tcpdump -i vmnet8 'port 22' , será possível ver isso:

listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535 bytes
18:56:03.002790 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [S], seq 1077492285, win 29200, options [mss 1260,sackOK,TS val 1388564 ecr 0,nop,wscale 7], length 0
18:56:03.003235 IP y.y.y.y.ssh > x.x.x.x.13203: Flags [S.], seq 3535035554, ack 1077492286, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 307333897 ecr 1388564,sackOK,eol], length 0
18:56:03.003290 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [R], seq 1077492286, win 32767, length 0
18:56:03.996287 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [S], seq 1077492285, win 29200, options [mss 1260,sackOK,TS val 1388664 ecr 0,nop,wscale 7], length 0
18:56:03.996770 IP y.y.y.y.ssh > x.x.x.x.13203: Flags [S.], seq 1749343118, ack 1077492286, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 307334888 ecr 1388664,sackOK,eol], length 0
18:56:03.996841 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [R], seq 1077492286, win 32767, length 0
18:56:05.997104 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [S], seq 1077492285, win 29200, options [mss 1260,sackOK,TS val 1388864 ecr 0,nop,wscale 7], length 0
18:56:06.001310 IP y.y.y.y.ssh > x.x.x.x.13203: Flags [S.], seq 3571006762, ack 1077492286, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 307336889 ecr 1388864,sackOK,eol], length 0
18:56:06.001344 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [R], seq 1077492286, win 32767, length 0
18:56:10.006741 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [S], seq 1077492285, win 29200, options [mss 1260,sackOK,TS val 1389265 ecr 0,nop,wscale 7], length 0
18:56:10.007142 IP y.y.y.y.ssh > x.x.x.x.13203: Flags [S.], seq 1524745855, ack 1077492286, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 307340890 ecr 1389265,sackOK,eol], length 0
18:56:10.007217 IP x.x.x.x.13203 > y.y.y.y.ssh: Flags [R], seq 1077492286, win 32767, length 0

tcpdump no meu convidado MacOS resultará o mesmo.

  • HOST: Ubuntu 14.04
  • CONVIDADO: mac os mavericks
  • plataforma de virtualização: workstation Vmware 11

Atualização:

Esta é a mensagem ufw log (log alto):

Jun 21 09:47:44 srv05-crawler kernel: [518567.737815] [UFW AUDIT] IN=eth0 OUT=vmnet8 MAC=00:25:90:ef:aa:a0:00:24:c4:c0:d3:40:08:00 SRC=x.x.x.x DST=192.168.130.128 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=15454 DF PROTO=TCP SPT=20039 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 21 09:47:44 srv05-crawler kernel: [518567.737828] [UFW ALLOW] IN=eth0 OUT=vmnet8 MAC=00:25:90:ef:aa:a0:00:24:c4:c0:d3:40:08:00 SRC=x.x.x.x DST=192.168.130.128 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=15454 DF PROTO=TCP SPT=20039 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 21 09:47:45 srv05-crawler kernel: [518568.733572] [UFW AUDIT] IN=eth0 OUT=vmnet8 MAC=00:25:90:ef:aa:a0:00:24:c4:c0:d3:40:08:00 SRC=x.x.x.x DST=192.168.130.128 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=15455 DF PROTO=TCP SPT=20039 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 21 09:47:45 srv05-crawler kernel: [518568.733592] [UFW ALLOW] IN=eth0 OUT=vmnet8 MAC=00:25:90:ef:aa:a0:00:24:c4:c0:d3:40:08:00 SRC=x.x.x.x DST=192.168.130.128 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=15455 DF PROTO=TCP SPT=20039 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0a

E eu usei esses comandos para obter registros de pacotes descartados:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPT Drops: " --log-level 4
iptables -A LOGGING -j DROP

Mas não consegui rastrear nenhum pacote dropped .

Atualização 2:

config do iptables como alguns amigos pediram:

# Generated by iptables-save v1.4.21 on Sun Jun 21 16:46:49 2015
*nat
:PREROUTING ACCEPT [1363:113716]
:INPUT ACCEPT [39:2210]
:OUTPUT ACCEPT [3135:202553]
:POSTROUTING ACCEPT [3146:203213]
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.130.128:22
COMMIT
# Completed on Sun Jun 21 16:46:49 2015
# Generated by iptables-save v1.4.21 on Sun Jun 21 16:46:49 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
:fail2ban-ssh - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -j LOGGING
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPtables dropped: "
-A LOGGING -j DROP
-A fail2ban-ssh -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22022 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2222 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sun Jun 21 16:46:49 2015

e ufw status numbered :

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22022/tcp                  ALLOW IN    Anywhere
[ 2] 2222/tcp                   ALLOW IN    Anywhere
    
por Shahinism 20.06.2015 / 16:30

1 resposta

5

- > Ir para a atualização

Como mencionado no man ufw encontrado aqui I mudaria a aparência da regra 4 para vir antes da regra 3.

Rule ordering is important and the first match wins. Therefore when adding rules, add the more specific rules first with more general rules later.

Primeiro, permita que o incomming tcp 2222 seja encaminhado para 192.168.130.128:22
Então negue todas as entradas.

Não sei se é importante, mas na página man a regra de roteamento parece

ufw route allow 2222/tcp to 192.168.130.128 port 22

Atualizar

Versão curta

Você disse a iptables para adicionar uma regra de PREROUTING ao seu nat table . A parte que falta é:

#---------------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 22 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------------
# The '\' masks the 'linebreak' in the 'bash command'
# You can 'copy & paste' all the lines at once

# From the manual
# Changing to specific IP and Interfaces  
# being:
# 'eth0' your host adapter and
# 'vmnet8' your guest adapter

Esta é a conexão na máquina de destino:

iptables -A FORWARD -p tcp -i eth0 -o vmnet8 -d 192.168.130.128 \
    --dport 22 --sport 2222 -m state --state NEW -j ACCEPT

E estes são o filtro de host interface para seu guest interface e vice-versa.

iptables -A FORWARD -t filter -o eth0 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i vmnet8 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT

Observação

Primeiro, gostaria de me familiarizar com o salvamento e o recarregamento de iptables .

Em seguida, alteraria a opção -A para -I . Isso colocará as regras na primeira posição.

Eu gostaria de pensar em alterar -A para -C , porque iptables solicitará o parâmetro eventualmente ausente.

Pelo menos eu -Z zero o contador de todas as regras e ver o que acontece depois de implementar novas regras.

Mantendo a resposta no caminho certo

Você solicitou tudo isso como ufw manual . Mas se corrigirmos seu problema com back-end , então ufw front-end será fácil.

A origem desta atualização foi encontrada aqui e a licença era CC BY-NC-ND 2.5
e aqui .

    
por 20.06.2015 / 17:43