theblop
just joined
Topic Author
Posts: 12
Joined: Thu Apr 23, 2009 12:45 am

reverse proxy to connect to NATed ssh

Tue Jan 12, 2010 6:14 pm

Hi,

I'm trying to set up a reverse proxy for ssh connections to my NATed servers (using ROS 3.23 on RB450G) - I can't use DNAT or port forwarding because I have only one public IP and I'd like to access my servers via a "standard" port (80 for example, as that's always accessible from corporate firewalls)

My NAT setup is simple: public (1.2.3.4/32) and private (10.0.0.0/8) interfaces with srcnat masquerading:
/ip address print
0   1.2.3.4/32          1.2.3.4           1.2.3.4               public
1   10.0.0.1/8          10.0.0.0         10.255.255.255    private

/ip firewall nat print
 0   ;;; NAT Masquerade
     chain=srcnat action=masquerade src-address=10.0.0.0/8
I have a few ssh servers running behind the NAT on 10.0.0.0/8 and I thought I could use the Mikrotik proxy to access them from the public IP via the http CONNECT method.
For example here is my setup for the ssh server running on 10.0.0.2:
/ip proxy print
                 enabled: yes
                 src-address: 1.2.3.4
                 port: 80
                 ... (default settings)

/ip proxy access print detail
 0   dst-port=22 dst-host=10.0.0.2 method=CONNECT action=allow
 1   src-address=0.0.0.0/0 action=deny
I use this proxy with putty (with http proxy configured) or corkscrew on linux, the proxy is set to 1.2.3.4 port 80 and the proxy connection looks like that:
CONNECT 10.0.0.2:22 HTTP/1.0
The client actually connects to the NATed ssh server but I don't get any prompt back (it eventually times out). I wonder if the router and/or proxy knows what to do with the packets coming back from the NATed server.
I can see with tcpdump on the ssh server that it actually sends a prompt back but it never reaches the client:
...
15:59:06.549164 IP 10.0.0.2.ssh > 1.2.3.4.39360: Flags [P.], seq 1:33, ack 1, win 724, options [nop,nop,TS val 76274266 ecr 60744232], length 32
E..T..@.@.~.
...^..1......b..........W.....
...Z...(SSH-2.0-OpenSSH_5.1p1 De
15:59:06.549415 IP 1.2.3.4.39360 > 10.0.0.2.ssh: Flags [.], ack 33, win 1460, options [nop,nop,TS val 60744232 ecr 76274266], length 0
# That's the last packet sent
The NATed ssh server replies to the router's public IP instead of the external client, maybe that's the problem?

Any idea about what I'm doing wrong?

Thanks!

-- Arnaud
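To see where a tunnel like the one above stalls, it helps to drive the HTTP CONNECT exchange by hand and check each step separately: did the proxy answer at all, did it answer 2xx (an access-list deny on the router would produce a non-2xx status), and did an SSH banner come back through the tunnel afterwards. The following is an added example, not code from the thread or from MikroTik; it is a small CONNECT client that reports which of those stages was reached, plus a constructed in-process stand-in for the router's proxy so it can be exercised offline. The proxy and target addresses, the mock's behaviour names and the sample banner are all assumptions of the example.

```python
"""Added example (not from the forum thread): a minimal HTTP CONNECT client
that performs the same exchange the post describes
(CONNECT 10.0.0.2:22 HTTP/1.0 through a web proxy) and reports how far the
tunnel got.  The mock proxy, addresses and banner below are constructed."""
import socket
import threading
from typing import Optional, Tuple

CONNECT_TIMEOUT = 5.0  # seconds to wait for the proxy reply / the SSH banner


def build_connect_request(host: str, port: int) -> bytes:
    # Same request line as in the post; the Host header is harmless for HTTP/1.0
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_status_line(reply: bytes) -> Optional[int]:
    """Return the HTTP status code of the proxy reply, or None if malformed."""
    first = reply.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return None
    try:
        return int(first[1])
    except ValueError:
        return None


def recv_until(sock: socket.socket, marker: bytes, limit: int = 4096) -> bytes:
    """Read until `marker` appears, the peer closes, or `limit` bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_ssh_via_connect(proxy_host: str, proxy_port: int,
                          target_host: str, target_port: int) -> Tuple[str, str]:
    """Return (stage, detail): 'no-proxy-reply', 'malformed-reply',
    'proxy-refused', 'no-banner' or 'ok' (detail = first banner line)."""
    with socket.create_connection((proxy_host, proxy_port),
                                  timeout=CONNECT_TIMEOUT) as s:
        s.sendall(build_connect_request(target_host, target_port))
        try:
            head = recv_until(s, b"\r\n\r\n")
        except socket.timeout:
            return ("no-proxy-reply", "")
        code = parse_status_line(head)
        if code is None:
            return ("malformed-reply", head[:80].decode(errors="replace"))
        if not 200 <= code < 300:
            return ("proxy-refused", str(code))
        # Bytes after the blank line already belong to the tunnelled stream.
        banner = head.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in head else b""
        try:
            if b"\n" not in banner:
                banner += recv_until(s, b"\n")
        except socket.timeout:
            return ("no-banner", "")
        if not banner.startswith(b"SSH-"):
            return ("no-banner", banner[:80].decode(errors="replace"))
        return ("ok", banner.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace"))


def start_mock_proxy(behaviour: str,
                     banner: bytes = b"SSH-2.0-ExampleBanner\r\n") -> int:
    """Constructed stand-in for the router's proxy (self-test only).
    behaviour: 'allow' (200 then banner), 'deny' (403), 'stall' (200 then EOF,
    i.e. the symptom in the post: tunnel opened, nothing ever comes back).
    Returns the ephemeral port it listens on; serves exactly one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            recv_until(conn, b"\r\n\r\n")  # consume the CONNECT request
            if behaviour == "deny":
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
                if behaviour == "allow":
                    conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for mode in ("allow", "deny", "stall"):
        port = start_mock_proxy(mode)
        # 10.0.0.2:22 is the target from the post; the mock ignores it.
        print(mode, probe_ssh_via_connect("127.0.0.1", port, "10.0.0.2", 22))
```

Against a real router you would call `probe_ssh_via_connect("1.2.3.4", 80, "10.0.0.2", 22)`; a `proxy-refused` result points at the proxy access list, while `no-banner` after a 2xx reply means the CONNECT was accepted but the return path from the server through the router is not delivering data, which matches the capture in the post.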
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: reverse proxy to connect to NATed ssh

Tue Jan 12, 2010 6:41 pm

Why can't you use port forwarding and rewrite the port?
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 in-interface=<your WAN interface> dst-address=1.2.3.4 to-addresses=10.0.0.2 to-ports=22
Also, when you're masquerading it's best to specify an out-interface.
 
theblop
just joined
Topic Author
Posts: 12
Joined: Thu Apr 23, 2009 12:45 am

Re: reverse proxy to connect to NATed ssh

Tue Jan 12, 2010 6:59 pm

> Why can't you use port forwarding and rewrite the port?
Because I have several ssh servers behind the NAT and only 1 public IP address.