Simple DNAT not working


#1

I am trying to set up a simple DNAT that redirects Port 2222 on the eth0 side to Port 22 internally.

description "Port Forwarding: TCP 2222 to SSH"
destination {
     address 10.20.45.51
     port 2222
}
inbound-interface eth0
log enable
protocol tcp
translation {
     address 192.168.0.10
     port 22
}

I can SSH into the box from the 192.168.0.X network. When I attempt to SSH over port 2222 from the 10.20.45.X network, I can see the NAT statistics increment when I attempt to access the host. Running tcpdump on the destination shows no traffic. I can SSH into the vyos box from the 10.20.45.X network without issue. So the issue appears to be the vyos box. What am I doing wrong?


#2

Can you post your interface config? Also, keeping in mind that DNAT happens before the firewall, do you have any firewall configuration?


#3

Just the basic firewall config.

Interfaces:

vyos@vyos# show interfaces ethernet
 ethernet eth0 {
     address dhcp
     description PUBLICNET
     duplex auto
     firewall {
         in {
             name PUBLICNET-IN
         }
     }
     hw-id 00:0c:29:b6:16:91
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     address 192.168.0.1/24
     description TESTNET
     duplex auto
     hw-id 00:0c:29:b6:16:9b
     smp_affinity auto
     speed auto
 }

Firewall Config:

vyos@vyos# show firewall
 all-ping enable
 broadcast-ping disable
 config-trap disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name PUBLICNET-IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 twa-hazards-protection disable

#4

A port map has 2 ingredients: the NAT rule altering the packet, and a firewall rule allowing the packet through.
You're missing the firewall part.
In ruleset PUBLICNET-IN, add rule 20, allowing TCP traffic to 192.168.0.10:22. (The DNAT action comes before the firewall, so allow the translated packet.)
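The ordering post #4 describes, as an added toy model in Python (not VyOS code and not from the original thread): a PREROUTING DNAT step runs first, then the filter ruleset sees the translated packet. It uses the addresses, ports and rule numbers from this thread; the client address 10.20.45.7 and the NAT hit counter are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    state: str = "new"   # stands in for the conntrack state: new / established / related

# NAT destination rule from post #1: 10.20.45.51:2222 -> 192.168.0.10:22.
# 'hits' models the NAT statistics counter the poster saw incrementing.
DNAT_RULES = [{"proto": "tcp", "dst": "10.20.45.51", "dport": 2222,
               "to_addr": "192.168.0.10", "to_port": 22, "hits": 0}]

def prerouting(pkt):
    """nat PREROUTING: rewrite the destination on the first matching DNAT rule."""
    for r in DNAT_RULES:
        if (pkt.proto, pkt.dst, pkt.dport) == (r["proto"], r["dst"], r["dport"]):
            r["hits"] += 1
            return replace(pkt, dst=r["to_addr"], dport=r["to_port"])
    return pkt

def matches(pkt, match):
    """A rule matches when every listed field equals (or is in) the given value."""
    return all(getattr(pkt, k) in v if isinstance(v, set) else getattr(pkt, k) == v
               for k, v in match.items())

def forward_filter(pkt, rules, default="drop"):
    """Filter ruleset (like PUBLICNET-IN): first match wins, else default-action."""
    for r in rules:
        if matches(pkt, r["match"]):
            return r["action"]
    return default

def route(pkt, rules):
    """Order as on the router: DNAT first, then the filter sees the translated packet."""
    return forward_filter(prerouting(pkt), rules)

# Rule 10 from post #3: accept established/related only, so a new SYN is dropped.
ESTABLISHED_ONLY = [{"match": {"state": {"established", "related"}}, "action": "accept"}]
# Rule 20 as post #4 suggests: match the *translated* address and port.
FIXED = ESTABLISHED_ONLY + [{"match": {"proto": "tcp", "dst": "192.168.0.10", "dport": 22}, "action": "accept"}]
# Common mistake: matching the pre-NAT address and port in the filter ruleset.
WRONG = ESTABLISHED_ONLY + [{"match": {"proto": "tcp", "dst": "10.20.45.51", "dport": 2222}, "action": "accept"}]

SYN = Packet("tcp", "10.20.45.7", "10.20.45.51", 2222)   # constructed client on the 10.20.45.X side

if __name__ == "__main__":
    for name, rules in (("original", ESTABLISHED_ONLY), ("with rule 20", FIXED), ("pre-NAT match", WRONG)):
        print(f"{name}: {route(SYN, rules)}, NAT hits so far: {DNAT_RULES[0]['hits']}")
```

The NAT counter goes up in all three cases even though only the ruleset with rule 20 lets the SYN reach 192.168.0.10, which matches the symptom in post #1 (NAT statistics increment, nothing on the destination's tcpdump).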


#5

Duh! That fixed it. Thank you very much.