[Firehol-support] dnat for vnc

Stefan Sobernig stefan.sobernig at wu-wien.ac.at
Wed May 10 14:17:25 BST 2006


Dear all,

The scenario I want to realise is the following:

Three machines A, B, C, with A hosting a VNC client, B acting as
forwarding (=firehol) host in an unprotected area
and C hosting the vnc server in a protected zone (= not directly
accessible for A). Following some hints already
given in these forums or the support list, I merged the following parts
into firehol.conf at machine B:

dnat to <C>:5900 proto tcp dport 5900 log "forwarding vnc packs"
router np2p inface eth0 outface eth0
        route vnc accept dst <C> log "got vnc packs"

When applying these commands / rules, I end up with proper forwarding
behaviour:

May  9 20:33:52 julia kernel: [10261226.591000] forwarding vnc
packs:IN=eth0 OUT= MAC=00:02:b3:97:66:ge:00:15:c7:7e:4c:00:08:00
SRC=*<A>* DST=<B> LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=34006 DF PROTO=TCP
SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May  9 20:33:52 julia kernel: [10261226.591000] got vnc packs:IN=eth0
OUT=eth0 SRC=*<A>* DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=34006 DF
PROTO=TCP SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

The problem, however, is that the forwarded packets never reach the
target, i.e. machine C, as they are blocked due to their source address
that remains <A>, indicating their origin from an unprotected zone
(considering the network setup of my organisation).

Therefore my question: What is the >best< strategy to enable B as full
intermediary, masquerading the original source and relaying the reply
packets back to A (masquerade, snat, ...?)

Thx for your expertise!

//stefan

 <mailto:ss at thinkersfoot.net>
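One way to make B the full intermediary the post asks for, as an added example that is not part of the original message and not FireHOL's own documentation: a small shell script that emits the firehol.conf fragment for B, pairing the poster's dnat with a snat rule. It assumes FireHOL 1.x helper syntax ("dnat to IP:PORT ...", "snat to IP ...", rule parameters proto/dst/dport/log), that B has a fixed address on the path to C, and that C only accepts VNC from that address; the function names and the 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the FireHOL project.
# Prints a FireHOL 1.x firehol.conf fragment that forwards VNC (tcp/5900)
# through B to C and rewrites the source so C's replies return via B.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    local ip="$1" octet IFS='.'
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the fragment.  $1 = address of C (the VNC server),
# $2 = B's own address that C is allowed to talk to (SNAT source).
vnc_relay_conf() {
    c="$1"; b_inner="$2"
    is_ipv4 "$c" && is_ipv4 "$b_inner" || return 1
    cat <<EOF
# PREROUTING: rewrite the destination of incoming VNC connections to C.
dnat to ${c}:5900 proto tcp dport 5900 log "forwarding vnc packs"
# POSTROUTING: rewrite the source to B's address.  dnat has already run,
# so the packet's dst is C here.  C now sees a connection from B, and
# conntrack on B un-NATs the replies back to A.  Without this, C drops
# the packets because their source is still A's unprotected address.
snat to ${b_inner} proto tcp dst ${c} dport 5900
# FORWARD: permit the rewritten traffic (unchanged from the post).
router np2p inface eth0 outface eth0
        route vnc accept dst ${c} log "got vnc packs"
EOF
}

# Constructed sample addresses (RFC 5737 documentation range).
vnc_relay_conf 192.0.2.50 192.0.2.1
```

Because dnat is applied in PREROUTING and snat in POSTROUTING, the snat rule matches on the already-rewritten destination (dst C), not on B's public address. The trade-off of snat (or masquerade, which would pick the outgoing interface's address dynamically if B's address is not fixed) is that C's own logs will show every VNC session as coming from B, so the "forwarding vnc packs" log line on B is the only record of the original client A and is worth keeping.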
