There is an isolated LAN (completely isolated: it does not access the outside and the outside can't access it). But one of the servers has 2 NICs, one of which is on our dev LAN and the other one in the isolated LAN.
The goal is to access specific TCP services inside the isolated LAN from the dev LAN. E.g. from the dev LAN (e.g. dev-laptop-01) I want to access the SSH service of a server inside the isolated LAN (e.g. iso-server-01). The server having the "gateway" role (e.g. gw-server) should expose the SSH service on the dev LAN and forward/redirect it to the provider of the service on the isolated LAN.
I wanted to use iptables with the following configuration:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 10022 -j DNAT --to iso-server-01
iptables -t nat -A POSTROUTING -p tcp -m tcp -s iso-server-01 --sport 22 -j SNAT --to-source gw-server
sysctl net.ipv4.ip_forward=1
But it does not work. From my dev-laptop-01, when I issue ssh -p 10022 gw-server I get a Connection timed out error.
What is the best approach to this problem?
PS: I'm running RHEL 6.6.
I did not find an answer by using iptables.
But there are other alternatives:
SSH
It is probably possible to "chain" ssh connections to achieve the above result when SSH is the wanted service, but it does not work in other cases.
It is possible to use SSH tunneling. Something like the following (to be executed on the gw-server; note that gw-server-dev resolves to the IP address on the dev LAN):
This solution has the elegance that even if the isolated service were not using encryption, we benefit from encryption thanks to SSH. And it should work with any TCP service.
The downside is that if this command crashes, there is no easy way to restart it. But ssh is quite stable.
xinetd
I also found that using xinetd, it is possible to achieve what I want for any TCP service.
Here is an example file:
(It is necessary to have in /etc/services a port corresponding to iso-server-01-ssh. In our above example that would be 10022).
iptables
There I don't have an answer. So if you have one that works I will mark your answer as the accepted one. My answer is just there for those looking for a similar solution but who would be fine with the alternatives (I'm also fine with them, I'm just "frustrated" that I could not make iptables do what I wanted ;-) ).
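As an added example (not from the original question or answer), here is a rule set for gw-server that does what the question's iptables rules were aiming at, exposing exactly one port from one source range rather than turning gw-server into a general router between the two LANs. It assumes eth1 faces the dev LAN (as in the question's PREROUTING rule), eth0 faces the isolated LAN, and uses a constructed 192.0.2.0/24 as the dev LAN; the function emits the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed interface names and a
# constructed dev-LAN prefix; adjust before running the output as root.
DEV_IF=eth1                 # assumed: NIC on the dev LAN
ISO_IF=eth0                 # assumed: NIC on the isolated LAN
DEV_LAN=192.0.2.0/24        # constructed placeholder for the dev LAN prefix
ISO_TARGET=iso-server-01    # service provider inside the isolated LAN
LISTEN_PORT=10022           # port gw-server exposes on the dev LAN
TARGET_PORT=22              # real service port on iso-server-01

# Differences from the rules in the question:
#  * DNAT must rewrite the port as well as the address (10022 -> 22); otherwise
#    the packet reaches iso-server-01 on port 10022, where nothing listens.
#  * The source rewrite belongs on the forward direction (out of eth0, toward
#    iso-server-01), so a host with no route to the dev LAN still replies to
#    gw-server. conntrack reverses DNAT/MASQUERADE for reply packets by itself,
#    so no rule matching --sport 22 on the return path is needed.
#  * RHEL 6's default FORWARD chain ends in REJECT, so explicit ACCEPT rules for
#    this one flow (and its replies) are required on top of ip_forward=1.
gen_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $DEV_IF -s $DEV_LAN -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $ISO_TARGET:$TARGET_PORT
iptables -t nat -A POSTROUTING -o $ISO_IF -p tcp -d $ISO_TARGET --dport $TARGET_PORT -j MASQUERADE
iptables -I FORWARD -i $ISO_IF -o $DEV_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $DEV_IF -o $ISO_IF -s $DEV_LAN -p tcp -d $ISO_TARGET --dport $TARGET_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Print the rule set; pipe into "sh" as root to apply, then "service iptables save"
# on RHEL 6 to persist it across reboots.
gen_rules
```

Review the emitted rules before applying them; the two FORWARD rules are inserted at the top of the chain so they take precedence over the distribution's default REJECT.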