Interesting challenge getting SSH from outside to my VMWare guest

Hi,

I'm working on getting more acquainted with VMWare and the SUSE SLES OS, so I've downloaded and created a guest running SLES 11 SP1. This works great, no problems. However, there's some funny-ness (is that a word?) when I'm attempting/testing to SSH from outside my local LAN into the guest.

Let me sum up my setup:

The VMWare server

  • Is a Windows 7 with LAN-ip 192.168.1.66 (static).
  • The guest is running with a bridged configuration, not NAT.
  • Windows Firewall has been disabled in an attempt to get some data in the SUSE firewall logs.

Another PC in my LAN

  • Is also a Windows 7 with LAN-ip 192.168.1.65 (also static).
  • Connects just fine to the VMWare guest on 192.168.1.77 (see next section).
  • Has Windows Firewall running fine (also attempted to disable)

The SLES guest

  • Is configured with LAN-ip 192.168.1.77 (also static, obviously).
  • SSH port has been changed from 22 -> 1337.
  • The SUSE firewall allows SSH from 192.168.1.0/24 to make it accessible from my LAN area (this is going to be narrowed down later, just to please the security minded people :D)
  • The SUSE firewall DOES NOT allow SSH from outside the LAN, but should be allowed on an IP-by-IP basis.

External Linux Debian VPS
I have an external Linux Debian VPS solution. When I ssh to my WAN IP from this, and supplying port 1337, it just eventually times out, clearly indicating something's amiss somewhere in my configuration.

My ISP-provided router setup

  • Portforwards port 1337 to 192.168.1.77

So, what I'm pondering about is what I can try to get the traffic actually arriving at my guest. I have read a lot about running the guest in NAT configuration and then using the VMWare tools to portforward port X to the VMWare's assigned IP address.

I am not really very experienced in networking (which is why I'd really like to avoid a NAT solution until I get a hold of stuff), but I have the idea that if I without further ado can access my VMWare guest from my local LAN just by providing the statically assigned IP, I would figure that I'd get it off just by portforwarding the assigned SSH port directly to my guest's IP?

I hope that I have provided sufficient information but if not I shall happily provide additional details as necessary. I hope that you might be able to push me in the right direction.

Could you post the output of these console commands in the guest (have to be run as root):

ifconfig -a
ip route
iptables -L -n

Also, if possible, post the output of traceroute -n <wan ip>


Hello Pludi,

Thank you very much for your time!

After a closer inspection I realised that I received "martians" in my /var/log/warn. Having absolutely no idea what it meant, I googled it without being much wiser.

I then realised I had a problem with my routes since I couldn't resolve any DNS or ping the outside world.

I found that a static route was missing, so after issuing

route add -net 0.0.0.0 gw 192.168.1.1 br0

Which made my route look much better

ivmsles01:/var/log # ip route sh
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.77 
127.0.0.0/8 dev lo  scope link 
default via 192.168.1.1 dev br0 

I got back on track, the martians went back to Mars and after a bit of firewalling, my server responded nicely to external hosts as well on SSH.

I'm really sorry that I didn't really do my homework completely before crying out for help - if you get to Denmark some day, I'll buy you a beer for your trouble :)

I thought it would be something like that. Glad you found the problem and learned something new.
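
Added example, not part of the original posts: a small route-table check showing why LAN clients could reach the guest while the external VPS timed out. Replies to on-link peers use the connected 192.168.1.0/24 route, but replies to any other address need a default route. The "before" table is constructed by dropping the default line from the posted output, and 203.0.113.10 is a documentation address standing in for the VPS (both assumptions).

```python
import ipaddress

# Constructed sample: the guest's table before the fix (no default route).
ROUTES_BEFORE = """\
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.77
127.0.0.0/8 dev lo  scope link
"""

# The table as posted in the thread after the default route was added.
ROUTES_AFTER = ROUTES_BEFORE + "default via 192.168.1.1 dev br0\n"


def parse_ip_route(text):
    """Parse `ip route` output into (network, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        # Everything after the destination is keyword/value pairs.
        opts = dict(zip(fields[1::2], fields[2::2]))
        routes.append((network, opts.get("via"), opts.get("dev")))
    return routes


def reply_route(routes, peer):
    """Longest-prefix match for a reply to `peer`; None if unroutable."""
    addr = ipaddress.ip_address(peer)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def describe(routes, peer):
    """One-line summary of how a reply to `peer` would leave the guest."""
    route = reply_route(routes, peer)
    if route is None:
        return f"{peer}: no route, replies cannot leave the guest"
    network, gateway, dev = route
    hop = f"via {gateway}" if gateway else "on-link"
    return f"{peer}: {hop} dev {dev} ({network})"


if __name__ == "__main__":
    # 192.168.1.65 is the LAN PC from the thread; 203.0.113.10 is assumed.
    for label, text in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for peer in ("192.168.1.65", "203.0.113.10"):
            print(label, describe(parse_ip_route(text), peer))
```
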