netfilter.vger.kernel.org archive mirror
* Redirecting a Pre-existing SSH Session
@ 2010-07-06 11:28 Wade Gasior
  2010-07-06 11:31 ` Jan Engelhardt
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Wade Gasior @ 2010-07-06 11:28 UTC (permalink / raw)
  To: netfilter

Hi... I am hoping that someone can help me with routing an already
established SSH session.

I have two physical servers set up: 192.168.1.150 and 192.168.1.160

All external traffic comes in to server .150

Initially, I want all traffic to be served by server 150. So for this
purpose I am leaving the IPTables on .150 empty (for the sake of
simplicity).

At a point in time, I want to forward all incoming traffic to be
served by .160 instead.
I have accomplished this using these commands (on .150):

iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE

My problem is that if I have an open SSH connection to .150 (prior to
adding the rules), the packets are still handled by .150 after adding
the rules, i.e. my SSH session stays active. I want these packets to
be forwarded to .160, which would effectively disconnect the SSH
session in a sense (I will later be performing a live server migration
from 150 to 160, so the SSH session should stay valid). I do not want
the packets flat out dropped, I need them to be forwarded on in
whatever state they are in.

If I try a _NEW_ SSH session, the packets are properly forwarded to .160

Any help would be appreciated to get these packets from the existing
session forwarded.

Thank you!


* Re: Redirecting a Pre-existing SSH Session
  2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
@ 2010-07-06 11:31 ` Jan Engelhardt
  2010-07-06 14:34   ` Wade Gasior
  2010-07-07 14:33 ` Pascal Hambourg
  2010-07-07 16:45 ` Antoine Souques
  2 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2010-07-06 11:31 UTC (permalink / raw)
  To: Wade Gasior; +Cc: netfilter


On Tuesday 2010-07-06 13:28, Wade Gasior wrote:

>At a point in time, I want to forward all incoming traffic to be
>served by .160 instead.
>I have accomplished this using these commands (on .150):
>
>iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
>iptables -t nat -I POSTROUTING -j MASQUERADE

That isn't forwarding, it's address rewriting.



* Re: Redirecting a Pre-existing SSH Session
  2010-07-06 11:31 ` Jan Engelhardt
@ 2010-07-06 14:34   ` Wade Gasior
  0 siblings, 0 replies; 5+ messages in thread
From: Wade Gasior @ 2010-07-06 14:34 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

Thank you for the clarification. Are there any resources that you
could point me towards that might help me to accomplish what I
outlined?

On Tue, Jul 6, 2010 at 7:31 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Tuesday 2010-07-06 13:28, Wade Gasior wrote:
>
>>At a point in time, I want to forward all incoming traffic to be
>>served by .160 instead.
>>I have accomplished this using these commands (on .150):
>>
>>iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
>>iptables -t nat -I POSTROUTING -j MASQUERADE
>
> That isn't forwarding, it's address rewriting.
>
>


* Re: Redirecting a Pre-existing SSH Session
  2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
  2010-07-06 11:31 ` Jan Engelhardt
@ 2010-07-07 14:33 ` Pascal Hambourg
  2010-07-07 16:45 ` Antoine Souques
  2 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2010-07-07 14:33 UTC (permalink / raw)
  To: Wade Gasior; +Cc: netfilter

Hello,

Wade Gasior wrote:
> Hi... I am hoping that someone can help me with routing an already
> established SSH session.
> 
> I have two physical servers set up: 192.168.1.150 and 192.168.1.160
> 
> All external traffic comes in to server .150
> 
> Initially, I want all traffic to be served by server 150. So for this
> purpose I am leaving the IPTables on .150 empty (for the sake of
> simplicity).
> 
> At a point in time, I want to forward all incoming traffic to be
> served by .160 instead.
> I have accomplished this using these commands (on .150):
> 
> iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
> iptables -t nat -I POSTROUTING -j MASQUERADE
> 
> My problem is that if I have an open SSH connection to .150 (prior to
> adding the rules), the packets are still handled by .150 after adding
> the rules, i.e. my SSH session stays active. I want these packets to
> be forwarded to .160, which would effectively disconnect the SSH
> session in a sense (I will later be performing a live server migration
> from 150 to 160, so the SSH session should stay valid). I do not want
> the packets flat out dropped, I need them to be forwarded on in
> whatever state they are in.
> 
> If I try a _NEW_ SSH session, the packets are properly forwarded to .160

As you observed, iptables NAT rules only apply to new connections, not
already existing ones. This is by design. You could try to delete the
related conntrack entries with conntrack-tools or reject them with the
REJECT target. However neither is a clean solution as it leaves the
connection half-open at the server side.


* Re: Redirecting a Pre-existing SSH Session
  2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
  2010-07-06 11:31 ` Jan Engelhardt
  2010-07-07 14:33 ` Pascal Hambourg
@ 2010-07-07 16:45 ` Antoine Souques
  2 siblings, 0 replies; 5+ messages in thread
From: Antoine Souques @ 2010-07-07 16:45 UTC (permalink / raw)
  To: netfilter

On 06/07/2010 13:28, Wade Gasior wrote:
> Hi... I am hoping that someone can help me with routing an already
> established SSH session.
>
> I have two physical servers set up: 192.168.1.150 and 192.168.1.160
>
> All external traffic comes in to server .150
>
> Initially, I want all traffic to be served by server 150. So for this
> purpose I am leaving the IPTables on .150 empty (for the sake of
> simplicity).
>
> At a point in time, I want to forward all incoming traffic to be
> served by .160 instead.
> I have accomplished this using these commands (on .150):
>
> iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
> iptables -t nat -I POSTROUTING -j MASQUERADE
>
> My problem is that if I have an open SSH connection to .150 (prior to
> adding the rules), the packets are still handled by .150 after adding
> the rules, i.e. my SSH session stays active. I want these packets to
> be forwarded to .160, which would effectively disconnect the SSH
> session in a sense (I will later be performing a live server migration
> from 150 to 160, so the SSH session should stay valid). I do not want
> the packets flat out dropped, I need them to be forwarded on in
> whatever state they are in.
>
> If I try a _NEW_ SSH session, the packets are properly forwarded to .160
>
> Any help would be appreciated to get these packets from the existing
> session forwarded.
>
> Thank you!
Hi,

Why not enable SSH on an unusual port (for instance 1234 or anything) on
a server?
1) The problem is much easier: iptables works great with port-based rules.
2) You can at any time contact both servers. Useful, for instance, if
your TCP session expires for any reason.




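The two replies above rest on one netfilter property: the nat table is consulted only for the first packet of a flow, and the resulting mapping is stored in the conntrack entry and reused for every later packet. The following Python model is an added illustration for this thread, not netfilter's code and not anything posted by the participants. It replays Pascal's point (a catch-all DNAT added after the SSH session exists does not touch that session; deleting the conntrack entry makes the next packet look new, and the backend answers RST because it has no TCP state for it) and Antoine's point (a DNAT matched on `--dport 22` leaves a second SSH port local). The client address 10.0.0.7 and its source ports are constructed; `tcp_loose` stands for the real `nf_conntrack_tcp_loose` sysctl but its effect here is simplified; reply-direction packets and timeouts are not modelled.

```python
"""Toy model of the netfilter NAT + conntrack decision path (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A flow as the client sees it: (src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, int, str, int]


@dataclass
class DnatRule:
    """One `iptables -t nat -A PREROUTING [-p tcp --dport N] -j DNAT --to IP` rule."""
    to_ip: str
    dport: Optional[int] = None     # None: no port match, like the rule in the thread

    def matches(self, flow: Flow) -> bool:
        return self.dport is None or flow[3] == self.dport


@dataclass
class NatBox:
    """The .150 host: walks the nat PREROUTING chain and keeps a conntrack table."""
    own_ip: str
    tcp_loose: bool = True          # nf_conntrack_tcp_loose (simplified): adopt mid-stream flows
    rules: List[DnatRule] = field(default_factory=list)
    conntrack: Dict[Flow, str] = field(default_factory=dict)   # flow -> real destination host

    def route(self, flow: Flow, syn: bool) -> str:
        """Return the host that receives this packet, or 'DROP' for an invalid one."""
        if flow in self.conntrack:
            # Existing entry: the NAT decision made on the first packet is reused,
            # so rules added later never see this flow.
            return self.conntrack[flow]
        if not syn and not self.tcp_loose:
            return "DROP"          # no entry and no SYN: conntrack flags it INVALID
        dest = flow[2]             # default: local delivery when no rule matches
        for rule in self.rules:
            if rule.matches(flow):
                dest = rule.to_ip
                break              # first matching rule in the chain wins
        self.conntrack[flow] = dest
        return dest

    def flush_entry(self, flow: Flow) -> None:
        """Model `conntrack -D` (conntrack-tools) for one flow."""
        self.conntrack.pop(flow, None)


@dataclass
class Server:
    ip: str
    sockets: Set[Flow] = field(default_factory=set)   # flows with established TCP state

    def receive(self, flow: Flow, syn: bool) -> str:
        if syn:
            self.sockets.add(flow)
            return "SYN-ACK"
        # A non-SYN segment for which this host holds no state is answered with RST:
        # this is the "half-open" outcome Pascal's reply warns about.
        return "ACK" if flow in self.sockets else "RST"


def send(box: NatBox, servers: Dict[str, Server], flow: Flow, syn: bool = False) -> str:
    """Push one client packet through the NAT box to whichever server it lands on."""
    dest = box.route(flow, syn)
    if dest == "DROP":
        return "DROP"
    return f"{dest}:{servers[dest].receive(flow, syn)}"


def scenario() -> Dict[str, str]:
    """Replay the thread and the two suggested remedies; returns labelled outcomes."""
    a, b = "192.168.1.150", "192.168.1.160"
    box = NatBox(own_ip=a)
    servers = {a: Server(a), b: Server(b)}
    old = ("10.0.0.7", 40001, a, 22)      # constructed: SSH session opened before the rule
    new = ("10.0.0.7", 40002, a, 22)      # constructed: a session opened after the rule
    admin = ("10.0.0.7", 40003, a, 1234)  # constructed: SSH on an alternate port
    out: Dict[str, str] = {}
    out["old_open"] = send(box, servers, old, syn=True)        # handled by .150
    box.rules.append(DnatRule(to_ip=b))                        # the thread's catch-all DNAT
    out["old_after_rule"] = send(box, servers, old)            # still .150: entry reused
    out["new_after_rule"] = send(box, servers, new, syn=True)  # .160: new flow is DNATed
    box.flush_entry(old)                                       # conntrack -D on the old flow
    out["old_after_flush"] = send(box, servers, old)           # .160 has no state: RST
    strict = NatBox(own_ip=a, tcp_loose=False, rules=[DnatRule(to_ip=b)])
    out["strict_after_flush"] = send(strict, servers, old)     # no SYN, no entry: dropped
    # Port-scoped alternative: DNAT only :22 and keep an admin port served locally.
    scoped = NatBox(own_ip=a, rules=[DnatRule(to_ip=b, dport=22)])
    out["admin_port"] = send(scoped, servers, admin, syn=True)  # stays on .150
    out["ssh_port"] = send(scoped, servers, new, syn=True)      # goes to .160
    return out


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:20s} {result}")
```

The model deliberately keys the conntrack table on the client-side tuple only and returns the backend's TCP answer as a string, which is enough to show why both remedies in the thread leave the old session in a state neither server can continue: the entry reuse is the reason the catch-all rule has no effect, and the RST after flushing is the reason the flush is not a clean cut-over.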