SSH Rredirection

[Juliet]

Hi,
I have a K8S cluser installed on proxmox host.
To access VMs created in Proxmox, I obliged to connect to the Proxmox server and then make another SSH connection to the desired VM .
This is not very practical in addition to posing obvious security problems.

is there a way please to do a SSH redirection HOST=> VM ?

I have tried this, but it didnt work :

# redirection to the web server
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 32768 -j DNAT --to 192.168.1.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 32768 -j DNAT --to 192.168.1.2:22

where the 192.168.1.2 is the @ip of the master node.

thanks a lot

 

[garnus]

Maybe ssh -J ?

 

[Juliet]

Maybe ssh -J ?

coild you explain more please ?

 

[garnus]

From man
-J destination
Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any
specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts."

So you can to ssh -J user@proxmox_node other@192.168.1.2
You can write it in the .ssh/config
Host vm-in-proxmox
HostName 192.168.1.2
ProxyJump proxmox_node

and than simply:
ssh vm-in-proxmox

 

[Juliet]

From man
-J destination
Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any
specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts."

So you can to ssh -J user@proxmox_node other@192.168.1.2
You can write it in the .ssh/config
Host vm-in-proxmox
HostName 192.168.1.2
ProxyJump proxmox_node

and than simply:
ssh vm-in-proxmox

Hi,
thanks for you time and reply.
if I understand, what I'm looking for is to avoid connecting to the proxmox Host in order to hit the master node.
I want to hit the master node direcrly via SSH.

 

[garnus]

Try this:

iptables -A PREROUTING -t nat -i vmbr0 -p tcp --dport 32768 -j DNAT --to 192.168.1.2:22
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

 

[Juliet]

Try this:

iptables -A PREROUTING -t nat -i vmbr0 -p tcp --dport 32768 -j DNAT --to 192.168.1.2:22
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

I did it, and i reboot peoxmox node, but nothing happen.
i cant do ssh directly into 192.168.1.2

 

[garnus]

Can you post the network configuration from the proxmox host?
Iptables config would be helpful too( iptables -n -L -t nat, iptables -n -L).
Do you have forwarding enabled?(https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux)
Do you see the ssh traffic on the 192.168.1.2 in tcpdump?

 

[Juliet]

Can you post the network configuration from the proxmox host?
Iptables config would be helpful too( iptables -n -L -t nat, iptables -n -L).
Do you have forwarding enabled?(https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux)
Do you see the ssh traffic on the 192.168.1.2 in tcpdump?

thanks from you help:
here's the /etc/network/interface

vmbr0 is for the host
vmbr2 is for the vms


Do you have forwarding enabled?(https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux)
=> I have no idea
Do you see the ssh traffic on the 192.168.1.2 in tcpdump?
=> traffic of what ? can you tell the command to use I can test it.

 

[garnus]

1) Do you have forwarding enabled?(https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux)
=> I have no idea --> you have, line that starts with post-up echo 1 > /proc....ip_forwarding
2) I would suggest to point the redirection to some other port like 4444(instead 22) in the ipbtables. Then on the VM open the port with

nc -l -p 4444

open a console on the proxmox host and

sudo tcpdump -i any port 4444

Then from your host try to connect to the port

echo "test" | nc external_proxmox_ip 4444

You should see some traffic on the console with tcpdump and this would debugging the issue.

 

[Juliet]

1) Do you have forwarding enabled?(https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux)
=> I have no idea --> you have, line that starts with post-up echo 1 > /proc....ip_forwarding
2) I would suggest to point the redirection to some other port like 4444(instead 22) in the ipbtables. Then on the VM open the port with

nc -l -p 4444

open a console on the proxmox host and

sudo tcpdump -i any port 4444

Then from your host try to connect to the port

echo "test" | nc external_proxmox_ip 4444

You should see some traffic on the console with tcpdump and this would debugging the issue.

let me test this then I will get you back

 

[Juliet]

let me test this then I will get you back

the same issue

 

[garnus]

I need some help from you to debug this, you didn't post iptables output and no tcpdump output.