I'm configuring a NAT instance that should redirect all incoming requests on port 2222 to port 22 of a server in a private subnet on my virtual private cloud, so I can connect with SSH straight to my private instance. I have opened port 2222 on the NAT Instance's security group and 22 on my private instance's security group, as well as added on
/etc/ssh/sshd_config
the following lines:
Port 22
Port 2222
nmap on NAT instance shows that port 2222 is open:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
2222/tcp open EtherNet/IP-1
I also added this following iptables rule on my NAT instance, hence any packages that comes on port 2222 should be redirected to 10.0.2.18:22 (10.0.2.18 is the private instance IP):
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.2.18:22
The problem is that I can't reach port 2222 of my NAT instance, if I try this:
ssh -p 2222 -i mykey.pem ec2-user#my_nat_ip
or this:
nc -zv my_nat_ip 2222
I get a connection time out.
Thanks in advance any help.
A few things for you to check out (assuming you have already ruled out Security Groups):
Check if you haven't denied traffic on your Network ACLs (NACL).
Check if the Route Table for your private subnet is sending traffic to the NAT instance.
Check if you have disabled the Source/Destination Check on your NAT instance.
Also, you might want to enable VPC Flow Logs on your VPC to help you find where those packets might be getting dropped.
And then, another suggestion: you might want to consider an alternative to port forwarding, as this is basically exposing your instance in the private subnet to the dangerous internet. A common approach is to have what is commonly referred to as a Bastion Host. Or a Jump Host. Some people use a NAT instance for this purpose. A few ways to do this would include: (1) use SSH local port forwarding; (2) use SSH dynamic proxy; (3) use the ProxyCommand option on your SSH client. There are plenty of answered questions about all these subjects on StackOverflow and other StackExchange sites, you'll definitely find many ways to do it!
Related
I'm trying to find out if GCP supports the ability to forward ALL ports to a single one.
Currently I'm "manually" setting firewall rules on each instance using the following iptable rule.
iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 10000
This is not fun to manage because I'm using docker and don't want to manage the VM directly.
The flow I'm trying to implement is as follows:
Received TCP request (Ingres)
Load balance request (GCP TCP-LB)
Redirect ALL requests to port 10000 (???)
Docker container listening on port 10000
You can use one of these two options:
1.- Using a VM instance as a bastion host and be used as NAT gateway for your other instances.
2.- Use Cloud NAT directly or with protocol forwarding that will be something similar to what you are trying to implement.
According this AWS doc: Scenario 2: VPC with Public and Private Subnets (NAT) I have my own VPC with two subnets: private and public. In public subnet I have deployed an Ubuntu 16.04 Instance with assigned EIP. It also has next security group inbound rules:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
and outbound accordingly:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
Looks nice, I can ssh it externally from my home. No problem.
In private subnet I have deployed another one Ubuntu 16.04 machine with next security group (inbound rules):
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
and no outbound rules (actually it has 80, 443 outbound ports opened, but its not an interesting part as I guess). And I still can reach this virtual machine using ssh from my bastion.
Right now I just want to make only one simple thing - run ssh port forwarding so I can run localhost:8080 on my home PC browser and see the webpage I published on my private instance. If I understand it correctly from here and here (and from here as well) I have to run something like:
ssh -N -v -L 8080:10.0.1.112:80 ubuntu#3.121.46.99
Which as I guess basically means: just forward a traffic from private subnet instance with IP 10.0.1.112:80 to my localhost:8080 through my bastion VM with username ubuntu hosted on EIP 3.121.46.99.
Debug ends with lines:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai#3.121.46.99: Permission denied (publickey).
I am playing around it few days and I still can't get what am I doing wrong. Its so strange: I can ssh -A (to allow forwarding) to my bastion, I can ssh to my private instance from bastion. But I cant establish SSH tunnel to see my webpage (in the future it will be mongodb) without an error. Need some advice or point to the right direction, please! Thank you.
UPD#1
Ok then. If I make manual forwarding using my local machine and my bastion, I get an expected result. Basically it means run this command on bastion:
ubuntu#bastion: ssh -v -N -L 5000:localhost:8000 ubuntu#10.0.1.68
After that runs command on local/home machine:
matterai#homepc: ssh -v -N -L 5000:localhost:5000 ubuntu#3.121.46.99
When I make a request to localhost:5000 on my local machine, I can see the result page. May I and how if it's possible to combine this two commands? (spoiler: yes, it's possible: see the answer!)
Ok, it's easy. Hope my answer will help somebody.
You need to use ssh -J option to connect through your bastion virtual machine:
-J [user#]host[:port]
Connect to the target host by first making a ssh connection to
the jump host and then establishing a TCP forwarding to the ulti‐
mate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a
ProxyJump configuration directive.
Then you need to forward traffic from your destination virtual machine port (:8000) where the app (or database) started to your localhost port (:5001) using ssh -L:
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by
allocating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.
Port forwardings can also be specified in the configuration file.
Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.
By default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
Full ssh command will look like:
matterai#homepc: ssh -v -N -A -J ubuntu#3.121.46.99 -L 5001:localhost:8000 ubuntu#10.0.1.112
UPD: Also you can simplify a bit your command. In ~/.ssh/config you can add your jumphost (bastion) and your final destination VM IP:
Host bastion
HostName 3.121.46.99
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ForwardAgent yes
Host server
HostName 10.0.1.112
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ProxyJump bastion
Now, you can run command:
ssh -v -N -A -J bastion -L 80:localhost:8000 server
Looks much better. Also you can just simply connect via ssh using ssh server.
You seem to have things correctly configured, but the error is saying that it can't find a private key to use for the connection.
To test the port forwarding, start by using the ssh command that logs into your public instance.
Then, take that exact command, and simply add: -L 8080:10.0.1.112:80
If it works for 'normal' ssh, then it will work with port forwarding too.
By the way, in general you should never need to modify the outbound rules of a security group. The default settings permit all outbound traffic. This 'trusts' the apps running on the instance and allows them to communicate outwards to anywhere. You would only need to restrict such rules where you wish to enforce a high-security environment.
I have a simple VPC on Amazon EC2 with two instances: an SFTP server, and a web server. I want to route incoming traffic from the internet on port 22 to the SFTP server and ports 80 and 443 to the web server.
I'm having trouble finding exactly how to do this. It's extremely simple with all hardware routers I've ever used.
Can anyone point me to documentation/examples/or just tell me how to do it?
Edit:
I wasn't clear that I want remote hosts to be able to make a request to a single IP address, but on different ports, and have different ports routed to different instances; I already have my security groups set so I can accept traffic to the public IP addresses of each instance.
Below are the steps you will need to follow to achieve your use case.
As you said both servers are in VPC you need to make sure they are
in a Public Subnet with a internet gateway attached to it.(This can
be achieved in Private subnet too but will become more complex
process for you) For more information check this
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html
EC2 Server 1 for SFTP you need to open SSH port 22 in the security group by adding your IP address or open to world rule. Then you can SFTP using your preferred SFTP client.
EC2 Server 2 for port 80 and 443. you need to add two rules in the security group for your instance. Check below screenshot. Once that is done you will be able to route http traffic through port 80 and 443.
More information on security groups is here.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
About your Edit. You have to run a instance in front of both the instance.
Add a HTTP proxy to this new created instance. And then the port redirect should be achieved using IP Tables. Check this below IP tables config you need to add to that server. Let say your HTTP proxy server is Server 1. Port 22 server is Server 2 and Port 80 and 443 Server is Server 3. So Server 1 IP tables will have below rules.
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <Server3-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server3-IP> --dport 80 -j SNAT --to-source <Server1-IP>
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination <Server2-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server2-IP> --dport 22 -j SNAT --to-source <Server1-IP>
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <Server3-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server3-IP> --dport 443 -j SNAT --to-source <Server1-IP>
As of today, Amazon Elastic Load Balancers have a new "Application Load Balancer" mode which supports routing requests to different EC2 instances based on things such as the HTTP path, and port.
To set this up, do the following:
Create a new ELB, using the new "Application Load Balancer" mode.
Create one target group for port 22.
Add your EC2 instances that will be the SSH targets to this target group.
Create another target group for ports 80 and 443.
Add your EC2 instances that will be the HTTP/HTTPs targets to this target group.
Using this system, SSH requests to the ELB will be forwarded to the SSH instance, and HTTP/HTTPs requests to the ELB will be forwarded to the web servers
two instances:
1.- Orion with 192.168.x.1, public like 130.a.b.c
2.- Keystone with 192.168.x.2. Port 8000 opened and tested from localhost
3.- instances have the same routing rule group.
I edit my security group rules adding port 8000 with a cidr 192.168.x.2/32. Now i test it with telnet from my computer:
telnet 130.a.b.c 8000
result: Connection time out.
i'm wrong? how can i connect to port 8000 from my computer to my second instance using the public Ip (configured in first instance) ? Or need a second public Ip?
There are many ways to do this: IPForwarding with iptables, haproxy, etc.
However, I thinK that the easiest way to do this would be SSH Port forwarding in your host with the public IP:
ssh -f -N -o ServerAliveInterval=30 -L 0:8000:192.168.x.2:8000 $YOUR_USER#192.168.x.1:8000
-L 0:8000:192.168.x.2:8000 means that It'll listen every network interface (0:8000) and will send every query to 192.168.x.2:8000
If you don't have a password to your user or ssh is not configured to accept passwords, you could consider either adding a new authorized key (so you can locally login) or connecting your public IP using -A so your credentials can be forwarded:
*ssh -A -i $PRIVATE_KEY_FILE $YOUR_USER#130.a.b.c
Currently, I have a NAT instance in AWS with some iptables rules, such as to forward the traffic that comes in a certain port to some other instance. So, if I do curl nat.address.com:8090, the traffic is forwarded to some other instance that is listening to the 8090 port, let's say it is instance A.
What I want is to know how to apply this rule only if the original source is inside the local network. That is, if the request to nat.address.com:8090comes from an internal instance with ip 172.31.10.10, the nat instance should forward it to instance A. However, if the request to nat.address.com:8090 comes from some external source (e.g. 189.58.200.10), it should not forward.
Is it possible?
As stated in Documentation you can use the -s option:
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
For example:
iptables -t nat -A POSTROUTING -s 172.31.10.0/24 -j MASQUERADE
You can do this in one of two ways:
(1) Security Group rules:
You can add appropriate rules in the Security Group(s) which is associated with your NAT instance. This will block inbound flow of all packets on port 8090 that are originating from any source which is not your internal instance.
For ex: If you would like to forward packets which are originating from a particular instance with IP 172.31.10.10, you would add an inbound rule in the Security Group of your NAT instance which would look like:
Type: Custom TCP Rule
Protocol: TCP
Port Range: 8090
Source: 172.31.10.10
And you have to make sure that there are no other rules inside the Security Group which would allow traffic on TCP port 8090 from any other source.
And if you would like to make sure that your NAT instance forwards traffic from all the internal instances inside your VPC, then you can edit the Source field to include the CIDR range of your VPC.
This option would be suitable only if you are aware of the network traffic that hits your NAT instance so that you can appropriately add the rules inside your Security Group to match your incoming traffic, otherwise you will end up blocking the meaningful traffic as well.
(2) IPTable rules:
This option requires you to add IPTable rules on your NAT instance such that your NAT instance will only accept network traffic from a specific network (which is your VPC) and only from a specific TCP port. For ex, if you would like to make sure your NAT instance only accepts traffic from your internal instances (i.e. instances inside your VPC) on port 8090, then the following rules would apply:
$ iptables -A INPUT -i eth0 -p tcp -s 172.31.0.0/16 --dport 8090 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 8090 -m state --state ESTABLISHED -j ACCEPT