<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Dear all,<br>
<br>
The scenario I want to realise is the following:<br>
<br>
Three machines A, B, C, with A hosting a VNC client, B acting as
forwarding (=firehol) host in an unprotected area and C hosting the vnc
server in a protected zone (= not directly accessible for A). Following
some hints already given in these forums or the support list, I merged
the following parts into firehol.conf at machine B:<br>
<br>
dnat to &lt;C&gt;:5900 proto tcp dport 5900 log "forwarding vnc packs"<br>
router np2p inface eth0 outface eth0<br>
route vnc accept dst &lt;C&gt; log "got vnc packs"<br>
<br>
When applying these commands / rules, I end up with proper forwarding
behaviour:<br>
<br>
May 9 20:33:52 julia kernel: [10261226.591000] forwarding vnc
packs:IN=eth0 OUT= MAC=00:02:b3:97:66:ge:00:15:c7:7e:4c:00:08:00 SRC=<b>&lt;A&gt;</b>
DST=&lt;B&gt; LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=34006 DF PROTO=TCP
SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0<br>
May 9 20:33:52 julia kernel: [10261226.591000] got vnc packs:IN=eth0
OUT=eth0 SRC=<b>&lt;A&gt;</b> DST=&lt;C&gt; LEN=60 TOS=0x00 PREC=0x00
TTL=61 ID=34006 DF PROTO=TCP SPT=50668 DPT=5900 WINDOW=65535 RES=0x00
SYN URGP=0<br>
<br>
The problem, however, is that the forwarded packets never reach the
target, i.e. machine C, as they are blocked due to their source address
that remains &lt;A&gt;, indicating their origin from an unprotected
zone (considering the network setup of my organisation).<br>
<br>
Therefore my question: What is the &gt;best&lt; strategy to enable B as a
full intermediary, masquerading the original source and relaying the
reply packets back to A (masquerade, snat, ...)?<br>
<br>
Thx for your expertise!<br>
<br>
//stefan<br>
<br>
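Added example (editor's addition, not part of the original message and not
code from the FireHOL project): the forwarded packets still carry A as their
source because dnat only rewrites the destination. Making B the full
intermediary asked for above means adding a snat rule for the same flow, so
that C sees B as the source and its replies come back through B, where
connection tracking undoes both translations. The addresses B_IP and C_IP are
constructed placeholders; the rule names and parameters are standard FireHOL
syntax.<br>
<br>
```firehol
# Fragment to merge into firehol.conf on machine B (added example; not the
# original poster's configuration). Constructed placeholders: set B_IP to
# B's eth0 address and C_IP to the VNC server's address.
B_IP="192.0.2.10"
C_IP="203.0.113.20"

# PREROUTING: redirect VNC arriving at B to the server C. The log entry here
# is the only place the real client address survives once the source is
# rewritten below, so keep it if you need an audit trail of who connected.
dnat to ${C_IP}:5900 proto tcp dport 5900 log "forwarding vnc packs"

# POSTROUTING: rewrite the source of exactly that forwarded flow to B, so C
# accepts the packets as coming from the protected side and replies to B.
# Connection tracking reverse-translates both steps for the replies, which
# therefore return to A via B. Scoping by dst/dport is narrower than
# "masquerade eth0", which would rewrite every flow leaving eth0.
snat to ${B_IP} proto tcp dst ${C_IP} dport 5900 log "snat vnc to C"

# The forwarding path itself still has to be allowed explicitly; both sides
# of the flow are on eth0 in this setup.
router np2p inface eth0 outface eth0
    route vnc accept dst ${C_IP} log "got vnc packs"
```
<br>
Two points a defender will want to keep in mind with this layout: after the
snat rule, C's own logs only ever show B as the peer, so the dnat log line on
B is what ties a session to the real client; and the dnat rule as written
exposes C's VNC port to anyone who can reach B on port 5900, so where the
client addresses are known, restrict it with a src parameter rather than
leaving it open to the whole unprotected zone.<br>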
</body>
</html>