[Firehol-support] dnat for vnc

Stefan Sobernig stefan.sobernig at wu-wien.ac.at
Wed May 10 14:01:29 CEST 2006


Dear all,

The scenario I want to realise is the following:

Three machines A, B, C, with A hosting a VNC client, B acting as 
forwarding (=firehol) host in an unprotected area
and C hosting the vnc server in a protected zone (= not directly 
accessible for A). Following some hints already
given in these forums or the support list, I merged the following parts 
into firehol.conf at machine B:

dnat to <C>:5900 proto tcp dport 5900 log "forwarding vnc packs"
router np2p inface eth0 outface eth0
        route vnc accept dst <C> log "got vnc packs"

When applying these commands / rules, I end up with proper forwarding 
behaviour:

May  9 20:33:52 julia kernel: [10261226.591000] forwarding vnc 
packs:IN=eth0 OUT= MAC=00:02:b3:97:66:ge:00:15:c7:7e:4c:00:08:00 
SRC=*<A>* DST=<B> LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=34006 DF PROTO=TCP 
SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May  9 20:33:52 julia kernel: [10261226.591000] got vnc packs:IN=eth0 
OUT=eth0 SRC=*<A>* DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=34006 DF 
PROTO=TCP SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

The problem, however, is that the forwarded packets never reach the 
target, i.e. machine C, as they are blocked due to their source address 
that remains <A>, indicating their origin from an unprotected zone 
(considering the network setup of my organisation).

Therefore my question: What is the >best< strategy to enable B as full 
intermediary, masquerading the original source and relaying the reply 
packets back to A (masquerade, snat, ...?)

Thx for your expertise!

//stefan
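As an added example (not part of the original post and not taken from the FireHOL documentation), the same fragment with a source-rewrite step added, using the <A>/<B>/<C> placeholders from above; it assumes <B> is the address of B's eth0 and that FireHOL 1.x nat helpers are placed before the router definition, as in the post:

```firehol
# Added example, not from the original post. Replace <B> and <C> with
# the forwarder's and the VNC server's addresses.

# Step 1 (as in the post): rewrite the destination of inbound VNC
# connections so they are delivered to the protected server C.
dnat to <C>:5900 proto tcp dport 5900 log "forwarding vnc packs"

# Step 2: rewrite the source of those same connections to B's own
# address. This is matched after DNAT, so dst is already <C>. C and
# its protected zone now see a connection that originates from B;
# connection tracking undoes both rewrites on the reply packets, so
# they travel back to A through B.
snat to <B> proto tcp dst <C> dport 5900

# The router stays as in the post: forward and log the VNC traffic.
router np2p inface eth0 outface eth0
        route vnc accept dst <C> log "got vnc packs"
```

With the source rewritten, C's own logs only ever record B as the peer; the log lines produced on B are then the only place where A's address is retained, so keep them if you need to attribute sessions to the original client.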
