* Redirecting a Pre-existing SSH Session
@ 2010-07-06 11:28 Wade Gasior
2010-07-06 11:31 ` Jan Engelhardt
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Wade Gasior @ 2010-07-06 11:28 UTC (permalink / raw)
To: netfilter
Hi... I am hoping that someone can help me with routing an already
established SSH session.
I have two physical servers set up: 192.168.1.150 and 192.168.1.160
All external traffic comes in to server .150
Initially, I want all traffic to be served by server 150. So for this
purpose I am leaving the IPTables on .150 empty (for sake of
simplicity).
At a point in time, I want to forward all incoming traffic to be
served by .160 instead.
I have accomplished this using these commands (on .150):
iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE
My problem is that if I have an open SSH connection to .150 (prior to
adding the rules), the packets are still handled by .150 after adding
the rules.. e.g. my SSH session stays active. I want these packets to
be forwarded to .160, which would effectively disconnect the SSH
session in a sense (I will later be performing a live server migration
from 150 to 160, so the SSH session should stay valid). I do not want
the packets flat out dropped, I need them to be forwarded on in
whatever state they are in.
If I try a _NEW_ SSH session, the packets are properly forwarded to .160
Any help would be appreciated to get these packets from the existing
session forwarded.
Thank you!
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Redirecting a Pre-existing SSH Session
2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
@ 2010-07-06 11:31 ` Jan Engelhardt
2010-07-06 14:34 ` Wade Gasior
2010-07-07 14:33 ` Pascal Hambourg
2010-07-07 16:45 ` Antoine Souques
2 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2010-07-06 11:31 UTC (permalink / raw)
To: Wade Gasior; +Cc: netfilter
On Tuesday 2010-07-06 13:28, Wade Gasior wrote:
>At a point in time, I want to forward all incoming traffic to be
>served by .160 instead.
>I have accomplished this using these commands (on .150):
>
>iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
>iptables -t nat -I POSTROUTING -j MASQUERADE
That isn't forwarding, it's address rewriting.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Redirecting a Pre-existing SSH Session
2010-07-06 11:31 ` Jan Engelhardt
@ 2010-07-06 14:34 ` Wade Gasior
0 siblings, 0 replies; 5+ messages in thread
From: Wade Gasior @ 2010-07-06 14:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter
Thank you for the clarification. Are there any resources that you
could point me towards that might help me to accomplish what I
outlined?
On Tue, Jul 6, 2010 at 7:31 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Tuesday 2010-07-06 13:28, Wade Gasior wrote:
>
>>At a point in time, I want to forward all incoming traffic to be
>>served by .160 instead.
>>I have accomplished this using these commands (on .150):
>>
>>iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
>>iptables -t nat -I POSTROUTING -j MASQUERADE
>
> That isn't forwarding, it's address rewriting.
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Redirecting a Pre-existing SSH Session
2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
2010-07-06 11:31 ` Jan Engelhardt
@ 2010-07-07 14:33 ` Pascal Hambourg
2010-07-07 16:45 ` Antoine Souques
2 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2010-07-07 14:33 UTC (permalink / raw)
To: Wade Gasior; +Cc: netfilter
Hello,
Wade Gasior a écrit :
> Hi... I am hoping that someone can help me with routing an already
> established SSH session.
>
> I have two physical servers set up: 192.168.1.150 and 192.168.1.160
>
> All external traffic comes in to server .150
>
> Initially, I want all traffic to be served by server 150. So for this
> purpose I am leaving the IPTables on .150 empty (for sake of
> simplicity).
>
> At a point in time, I want to forward all incoming traffic to be
> served by .160 instead.
> I have accomplished this using these commands (on .150):
>
> iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
> iptables -t nat -I POSTROUTING -j MASQUERADE
>
> My problem is that if I have an open SSH connection to .150 (prior to
> adding the rules), the packets are still handled by .150 after adding
> the rules.. e.g. my SSH session stays active. I want these packets to
> be forwarded to .160, which would effectively disconnect the SSH
> session in a sense (I will later be performing a live server migration
> from 150 to 160, so the SSH session should stay valid). I do not want
> the packets flat out dropped, I need them to be forwarded on in
> whatever state they are in.
>
> If I try a _NEW_ SSH session, the packets are properly forwarded to .160
As you observed, iptables NAT rules only apply to new connections, not
already existing ones. This is by design. You could try to delete the
related conntrack entries with conntrack-tools or reject them with the
REJECT target. However neither is a clean solution as it leaves the
connection half-open at the server side.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Redirecting a Pre-existing SSH Session
2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
2010-07-06 11:31 ` Jan Engelhardt
2010-07-07 14:33 ` Pascal Hambourg
@ 2010-07-07 16:45 ` Antoine Souques
2 siblings, 0 replies; 5+ messages in thread
From: Antoine Souques @ 2010-07-07 16:45 UTC (permalink / raw)
To: netfilter
Le 06/07/2010 13:28, Wade Gasior a écrit :
> Hi... I am hoping that someone can help me with routing an already
> established SSH session.
>
> I have two physical servers set up: 192.168.1.150 and 192.168.1.160
>
> All external traffic comes in to server .150
>
> Initially, I want all traffic to be served by server 150. So for this
> purpose I am leaving the IPTables on .150 empty (for sake of
> simplicity).
>
> At a point in time, I want to forward all incoming traffic to be
> served by .160 instead.
> I have accomplished this using these commands (on .150):
>
> iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
> iptables -t nat -I POSTROUTING -j MASQUERADE
>
> My problem is that if I have an open SSH connection to .150 (prior to
> adding the rules), the packets are still handled by .150 after adding
> the rules.. e.g. my SSH session stays active. I want these packets to
> be forwarded to .160, which would effectively disconnect the SSH
> session in a sense (I will later be performing a live server migration
> from 150 to 160, so the SSH session should stay valid). I do not want
> the packets flat out dropped, I need them to be forwarded on in
> whatever state they are in.
>
> If I try a _NEW_ SSH session, the packets are properly forwarded to .160
>
> Any help would be appreciated to get these packets from the existing
> session forwarded.
>
> Thank you!
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Hi,
Why not enable SSH on an unusual port (for instance 1234 or anything) on
a server ?
1) The problem is much easier : iptables works great with port based rules
2) You can at any time contact the both servers. Usefull for instance if
your TCP session expire for any reason.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-07-07 16:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-07-06 11:28 Redirecting a Pre-existing SSH Session Wade Gasior
2010-07-06 11:31 ` Jan Engelhardt
2010-07-06 14:34 ` Wade Gasior
2010-07-07 14:33 ` Pascal Hambourg
2010-07-07 16:45 ` Antoine Souques
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).