Solved Route SSH to internal virtual network via centos7 vm router
-
Hello, posted this on server fault but not much interest over there.
I'm trying to route ssh traffic to vm servers in isolated network on a centos7 KVM host. Can ping from either side but ssh times out.
I'm connected to my home router from work via vpn.
i have a static route to the external interface on centos7 vm router (functioning correctly with ip forwarding etc).
Internal vm, anohter centos7 server can update from internet and ping lan clients and vice versa
When i try to ssh to the internal vm from work pc it times out. firewalld on both vm router(internal and external interfaces) and internal server has ssh enabled in services
Setup:
10.0.1.2 - vpn client (win7)
10.0.0.20 - ext if vm router
10.0.10.2 - int if vm router
10.0.10.10 - internal centos7 serverVPN Config:
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"i will be adding more servers to this internal network so i don't want to just forward port 22 to 10.0.10.10 i need it forwarded to 10.0.10.* while also still retaining the ability to manage the vm router via ssh on the external ip.
I can ssh to the server (10.0.10.10) from 10.0.0.0 and 10.0.10.0 networks
This is part of a test lab
-
So to get this to work i needed to use this firewalld line:
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPTeth1 is the external interface on the vm router.
does this effectively render the firewall pointless though?
-
A single port can only be forwarded to one place. There is no possible way to forward one ip/port combination to more than one place, how would it know to which destination to route it?
-
@scottalanmiller i suppose what i don't understand here is why i can ping 10.0.10.10 from 10.0.1.2, get a reply and vice versa, but why is ssh being blocked?
is there not a cmd i can pass to firewalld to allow ssh?
-
Wouldn’t you need to add another route to your VPN config to have full access to internal network?
push "route 10.0.10.0 255.255.255.0" -
@black3dynamite if that was the case then ping wouldn't work though, no?
trace from 10.0.1.2
Tracing route to 10.0.10.10 over a maximum of 30 hops1 11 ms 15 ms 30 ms 10.0.1.1
2 16 ms 11 ms 11 ms 10.0.0.20
3 12 ms 12 ms 13 ms 10.0.10.10Trace complete.
i will try it out now
[edit]
this didn't help. -
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@scottalanmiller i suppose what i don't understand here is why i can ping 10.0.10.10 from 10.0.1.2, get a reply and vice versa, but why is ssh being blocked?
is there not a cmd i can pass to firewalld to allow ssh?
Oh, is there no NAT here? Just wide open? I missed that.
-
You can shut down the firewall completely on the router for testing.
-
@scottalanmiller the image up top is the physical router which has the vpn service running on it (DDWRT), that's the route table with NAT to 10.0.10.0 via the virtual external nic 10.0.0.20, ipv4 forwarding is enabled, nics have zones assigned (int/ext).
i can ssh to the internal nic on the vm router 10.0.10.2, however i cannot ssh to the server 10.0.10.10 which sits behind this vm router, i just thought a rule needed adding to firewalld to allow ssh traffic through too, as pings already are.
-
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@scottalanmiller the image up top is the physical router which has the vpn service running on it (DDWRT), that's the route table with NAT to 10.0.10.0 via the virtual external nic 10.0.0.20, ipv4 forwarding is enabled, nics have zones assigned (int/ext).
i can ssh to the internal nic on the vm router 10.0.10.2, however i cannot ssh to the server 10.0.10.10 which sits behind this vm router, i just thought a rule needed adding to firewalld to allow ssh traffic through too, as pings already are.
Can you ssh from an IP in the same subnet, i.e. traffic not crossing the router? This will allow you to eliminate the firewall on the host. Since traces and pings are working then you know your routing is correct. Depending on how your VPN is configured it may need a specific rule in the VPN settings to allow traffic instead of configuring it in the firewall settings (not familiar with the particulars of DDWRT).
-
What VPN are using on your DD-WRT? OpenVPN?
-
@black3dynamite aye, with certs and the client on my work laptop.
-
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@black3dynamite aye, with certs and the client on my work laptop.
I've only setup OpenVPN on pfSense with great success.
On this website...
https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/Does your config looks somewhat similar this?
What about your firewall rules?
-
@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.
firewall looks like this
iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADEobvs 443 to bypass work fw.
-
@kelly yes i can ssh from the vm router (10.0.10.2) to the server (10.0.10.10), basically same as another machine. i can ssh from my kvm host (10.0.0.10) to the server (10.0.10.10)
-
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.
firewall looks like this
iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADEobvs 443 to bypass work fw.
You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.
-
@kelly said in Route SSH to internal virtual network via centos7 vm router:
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.
firewall looks like this
iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADEobvs 443 to bypass work fw.
You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.
Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.
-
@kelly said in Route SSH to internal virtual network via centos7 vm router:
@kelly said in Route SSH to internal virtual network via centos7 vm router:
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:
@black3dynamite so my config box looks exactly like what i posted in the OP, idk if its the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.
firewall looks like this
iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT iptables -I FORWARD 1 –source 10.0.1.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADEobvs 443 to bypass work fw.
You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.
Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.
so i shutdown the firewall on the centos vm router and i was able to connect to the internal server.
definitely need to look into firewalld
-
So to get this to work i needed to use this firewalld line:
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPTeth1 is the external interface on the vm router.
does this effectively render the firewall pointless though?
-
@voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router
does this effectively render the firewall pointless though?
Yep. You need to do port forwarding too have an effective firewall.
I wouldn't recommend CentOS as a router. It can do the job, but was not designed for it.
I'v been using a VyOS software firewall for my home lab, which seems to do a very good job with few system resources needed. Plus it's used the same sort of command line environment that many hardware firewalls do, so I learned how to use many more things than just VyOS.Edited for phone auto spell weirdness.
-
@travisdh1 ahhh, i had a feeling that was going to be the answer :persevering_face:. Thanks tho, i'll definitely check this out!
