I am trying to set up a simple DNAT that redirects Port 2222 on the eth0 side to Port 22 internally.
description "Port Forwarding: TCP 2222 to SSH"
destination {
    address 10.20.45.51
    port 2222
}
inbound-interface eth0
log enable
protocol tcp
translation {
    address 192.168.0.10
    port 22
}
I can SSH into the box from the 192.168.0.X network. When I attempt to SSH over port 2222 from the 10.20.45.X network, I can see the NAT statistics increment when I attempt to access the host. Running tcpdump on the destination shows no traffic. I can SSH into the vyos box from the 10.20.45.X network without issue. So the issue appears to be the vyos box. What am I doing wrong?
vyos@vyos# show interfaces ethernet
 ethernet eth0 {
     address dhcp
     description PUBLICNET
     duplex auto
     firewall {
         in {
             name PUBLICNET-IN
         }
     }
     hw-id 00:0c:29:b6:16:91
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     address 192.168.0.1/24
     description TESTNET
     duplex auto
     hw-id 00:0c:29:b6:16:9b
     smp_affinity auto
     speed auto
 }
Firewall Config:
vyos@vyos# show firewall
 all-ping enable
 broadcast-ping disable
 config-trap disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name PUBLICNET-IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 twa-hazards-protection disable
A port map has two ingredients: the NAT rule altering the packet, and a firewall rule allowing the packet through.
You're missing the firewall part.
In ruleset PUBLICNET-IN, add rule 20 allowing TCP traffic to 192.168.0.10:22. (The DNAT action comes before the firewall, so allow the translated packet.)
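For completeness, here is the full set of configuration-mode commands that implement the answer above, followed by the checks that show whether each ingredient is doing its job. This is an added example written for this page, not configuration posted by the original asker or taken from VyOS documentation. The NAT rule number (10), the firewall rule description, and the `state new enable` match are assumptions; the addresses, ports, interface names and the ruleset name PUBLICNET-IN are the ones from the question.

```vyos
# Enter configuration mode on the VyOS box.
configure

# Ingredient 1: the DNAT rule. Rule number 10 is an assumption (any free number works).
# It rewrites packets arriving on eth0 for 10.20.45.51:2222 to 192.168.0.10:22.
set nat destination rule 10 description 'Port Forwarding: TCP 2222 to SSH'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination address 10.20.45.51
set nat destination rule 10 destination port 2222
set nat destination rule 10 translation address 192.168.0.10
set nat destination rule 10 translation port 22
set nat destination rule 10 log enable

# Ingredient 2: the firewall rule. DNAT happens in PREROUTING, before the
# PUBLICNET-IN ruleset filters forwarded traffic, so the firewall sees the
# already-translated destination 192.168.0.10:22, not 10.20.45.51:2222.
# Rule 10 (established/related) only covers reply traffic; rule 20 lets the
# initial SYN through. Matching only on 'new' state is an added tightening.
set firewall name PUBLICNET-IN rule 20 description 'Allow forwarded SSH to 192.168.0.10'
set firewall name PUBLICNET-IN rule 20 action accept
set firewall name PUBLICNET-IN rule 20 protocol tcp
set firewall name PUBLICNET-IN rule 20 destination address 192.168.0.10
set firewall name PUBLICNET-IN rule 20 destination port 22
set firewall name PUBLICNET-IN rule 20 state new enable

commit
save
exit

# Verification, in operational mode, while attempting "ssh -p 2222 10.20.45.51"
# from the 10.20.45.X side:
#   - the DNAT counter increments (this already worked in the question),
#   - the PUBLICNET-IN rule 20 counter now increments instead of default-action drop,
#   - tcpdump on the inside interface finally shows the translated SYN to port 22.
show nat destination statistics
show firewall name PUBLICNET-IN statistics
sudo tcpdump -ni eth1 'tcp port 22 and host 192.168.0.10'
```

If rule 20's counter stays at zero while the NAT counter grows, the packet is being dropped before filtering (check the matched destination address first). Note also that the NAT rule matches on the literal address 10.20.45.51 while eth0 is configured with `address dhcp`; if the lease ever hands out a different address, the DNAT rule silently stops matching and the symptom returns.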