# Connection refused when forwarding ssh to VM on default port

## avitase

I want to ssh to my virtualbox via default port 22. In order to do so I already activated port forwarding of the virtualbox:

Host:3022 -> VM:22

such that ssh -p 3022 localhost works fine. Now I want to add another port forwarding using iptables to achieve:

Host:22 -> (forward) Host:3022 -> VM:22

such that

```
$ ssh localhost
```

as well as, from outside,

```
$ ssh host
```

will end up in my VM (I changed the ssh port of the host from 22 to 222).

This is my current approach:

```
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:127.0.0.1:3022

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

and 

```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             localhost            tcp dpt:3022 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Anyhow, 

```
$ ssh -p 3022 localhost
```

 works, whereas 

```
$ ssh localhost
```

 does not, but throws 

```
ssh: connect to host localhost port 22: Connection refused
```

I set 

```
net.ipv4.ip_forward = 1
```

 in the /etc/sysctl.conf and activated all kernel modules mentioned in https://wiki.gentoo.org/wiki/Iptables (kernel .config: https://pastebin.com/iRrV8tHH).

These are the commands that I used to install the iptables rules:

```
iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 22 -j DNAT --to-destination 127.0.0.1:3022
iptables -A FORWARD -p tcp -d 127.0.0.1 --dport 3022 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

What is it that I am missing?

EDIT: 

```
# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3022            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp6       0      0 :::222                  :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:7001            0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::5353                 :::*
```

----------

## Hu

When you use ssh localhost, the interface will be lo.  Your rules cover physical interfaces, but not lo.

----------

## avitase

Oh, you are right. So this behavior seems reasonable, but I still can't connect from another server. When trying to ssh into the VM (by using the IP of the host and default port 22), the connection does not establish,

```
$ ssh host_of_vm

ssh: connect to host ***.***.***.*** port 22: Connection timed out
```

whereas everything works fine when using the host's IP and port 3022.

----------

## avitase

I found the solution. One has to change the dest. 127.0.0.1:3022 to :3022. The reason for that is exactly what you said about the non-physical device lo.

----------
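Added example, not part of any post in this thread: a small check that reads nat-table rules in `iptables -t nat -S` form and flags the two conditions discussed above, a PREROUTING DNAT to a loopback address and the absence of any nat OUTPUT rule for connections opened on the host itself. The function name `lint_nat_rules` and both rule sets are constructed for illustration; the `:3022` form is the fix reported in the last post.

```shell
#!/bin/sh
# Constructed sample: the rule from the question in `iptables -t nat -S` form.
SAMPLE_BROKEN='-P PREROUTING ACCEPT
-A PREROUTING -i eno1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 127.0.0.1:3022'

# Constructed sample: the same rule with the address left out, as in the fix.
SAMPLE_FIXED='-P PREROUTING ACCEPT
-A PREROUTING -i eno1 -p tcp -m tcp --dport 22 -j DNAT --to-destination :3022'

# lint_nat_rules (hypothetical helper): reads nat-table rules on stdin,
# prints findings, returns 1 if a PREROUTING rule DNATs to 127.0.0.0/8.
lint_nat_rules() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
        dnat = 1
        for (i = 1; i < NF; i++)
            if ($i == "--to-destination" && $(i + 1) ~ /^127\./) {
                # Packets arriving on a real interface with a loopback
                # destination are dropped as martians unless
                # net.ipv4.conf.<iface>.route_localnet is enabled.
                print "LOOPBACK_DNAT: " $(i + 1) " (use :PORT or a non-loopback host address)"
                bad = 1
            }
    }
    $1 == "-A" && $2 == "OUTPUT" { output = 1 }
    END {
        # Connections opened on the host itself never traverse PREROUTING.
        if (dnat && !output)
            print "NOTE: no nat OUTPUT rule; ssh localhost on the host is not translated"
        exit bad + 0
    }'
}

printf '%s\n' "$SAMPLE_BROKEN" | lint_nat_rules || echo "-> fix the DNAT target"
printf '%s\n' "$SAMPLE_FIXED" | lint_nat_rules && echo "-> no loopback DNAT"
```

On a live host the input would come from `iptables -t nat -S` run as root instead of the embedded samples.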

