
I'm configuring a NAT instance that should redirect all incoming requests on port 2222 to port 22 of a server in a private subnet on my virtual private cloud, so I can connect with SSH straight to my private instance. I have opened port 2222 on the NAT instance's security group and 22 on my private instance's security group, as well as added to

/etc/ssh/sshd_config

the following lines:

Port 22
Port 2222

nmap on NAT instance shows that port 2222 is open:

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
2222/tcp open  EtherNet/IP-1

I also added the following iptables rule on my NAT instance, so that any packets that come in on port 2222 are redirected to 10.0.2.18:22 (10.0.2.18 is the private instance IP):

sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.2.18:22

The problem is that I can't reach port 2222 of my NAT instance. If I try this:

ssh -p 2222 -i mykey.pem ec2-user@my_nat_ip

or this:

nc -zv my_nat_ip 2222

I get a connection timeout.

Thanks in advance for any help.

Chittolina

1 Answer

A few things for you to check out (assuming you have already ruled out Security Groups):

  • Check if you haven't denied traffic on your Network ACLs (NACL).

  • Check if the Route Table for your private subnet is sending traffic to the NAT instance.

  • Check if you have disabled the Source/Destination Check on your NAT instance.

Also, you might want to enable VPC Flow Logs on your VPC to help you find where those packets might be getting dropped.

And then, another suggestion: you might want to consider an alternative to port forwarding, as this is basically exposing your instance in the private subnet to the dangerous internet. A common approach is to have what is commonly referred to as a Bastion Host. Or a Jump Host. Some people use a NAT instance for this purpose. A few ways to do this would include: (1) use SSH local port forwarding; (2) use SSH dynamic proxy; (3) use the ProxyCommand option on your SSH client. There are plenty of answered questions about all these subjects on StackOverflow and other StackExchange sites, you'll definitely find many ways to do it!

Bruno Reis
  • I'll verify this. The problem is that I need to have some way of accessing the internet from my private subnet. I'm using a NAT instance because with it I can allow inbound (for ssh) and outbound traffic to get software updates. So in another scenario, for example using a bastion host, I would need to configure at least a NAT gateway so that I could connect to the internet from my private subnet. Do you consider this a good solution? – Chittolina Jun 07 '16 at 12:22
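As an added diagnostic, not code from the question or the answer, this shell script checks the host-side conditions the DNAT rule in the question depends on and which the answer's checklist points at: the PREROUTING DNAT rule, a FORWARD chain that lets the redirected flow through, and net.ipv4.ip_forward. It runs offline on constructed sample rule output (the SAMPLE_* values, the helper names and live_check are all mine); the AWS-side items (security groups, NACLs, route table, source/destination check) can only be verified in the console or API.

```shell
#!/bin/sh
# Added example, not from the original question or answer: checks the
# host-side pieces a DNAT port forward on a NAT instance depends on.
# Runs offline against constructed sample output; live_check runs the
# same checks on a real NAT instance (needs root).

DPORT=2222            # forwarded port, from the question
TARGET=10.0.2.18:22   # private instance, from the question

# Constructed sample of `iptables -t nat -S PREROUTING`: only the DNAT rule.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.2.18:22'
# Constructed sample of `iptables -S FORWARD`: DROP policy, no ACCEPT rule.
SAMPLE_FWD='-P FORWARD DROP'
# Constructed sample of /proc/sys/net/ipv4/ip_forward: forwarding off.
SAMPLE_IPFWD=0

# has_dnat RULES DPORT TARGET: succeeds if a DNAT rule DPORT -> TARGET exists
has_dnat() {
  printf '%s\n' "$1" | grep -q -- "--dport $2 .*-j DNAT --to-destination $3"
}

# forward_allows RULES TARGET: succeeds if the DNAT'd flow can pass FORWARD,
# i.e. the chain policy is ACCEPT or there is an explicit ACCEPT for TARGET
forward_allows() {
  printf '%s\n' "$1" | grep -q -- '^-P FORWARD ACCEPT' && return 0
  printf '%s\n' "$1" | grep -q -- "-d ${2%%:*}/32 .*--dport ${2##*:} -j ACCEPT"
}

# ip_forward_on VALUE: succeeds if kernel IP forwarding is enabled
ip_forward_on() { [ "$1" = "1" ]; }

# diagnose NAT_RULES FWD_RULES IPFWD: prints each gap, returns the gap count
diagnose() {
  gaps=0
  has_dnat "$1" "$DPORT" "$TARGET" || { echo "missing: DNAT $DPORT -> $TARGET"; gaps=$((gaps+1)); }
  forward_allows "$2" "$TARGET"    || { echo "missing: FORWARD ACCEPT to $TARGET"; gaps=$((gaps+1)); }
  ip_forward_on "$3"               || { echo "missing: net.ipv4.ip_forward=1"; gaps=$((gaps+1)); }
  return $gaps
}

# live_check: same checks against the running NAT instance
live_check() {
  diagnose "$(iptables -t nat -S PREROUTING)" "$(iptables -S FORWARD)" \
           "$(cat /proc/sys/net/ipv4/ip_forward)"
}

diagnose "$SAMPLE_NAT" "$SAMPLE_FWD" "$SAMPLE_IPFWD" || echo "$? gap(s) found"
```

On the sample data the DNAT rule is present but forwarding and the FORWARD chain are not, which matches a rule-only setup that times out exactly as described in the question.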