[Firehol-support] dnat for vnc

Stefan Sobernig stefan.sobernig at wu-wien.ac.at
Wed May 10 13:01:29 BST 2006

Dear all,

The scenario I want to realise is the following:

Three machines A, B, C, with A hosting a VNC client, B acting as 
forwarding (=firehol) host in an unprotected area
and C hosting the vnc server in a protected zone (= not directly 
accessible for A). Following some hints already
given in these forums or the support list, I merged the following parts 
into firehol.conf at machine B:

dnat to <C>:5900 proto tcp dport 5900 log "forwarding vnc packs"
router np2p inface eth0 outface eth0
        route vnc accept dst <C> log "got vnc packs"

When applying these commands / rules, I end up with proper forwarding 

May  9 20:33:52 julia kernel: [10261226.591000] forwarding vnc 
packs:IN=eth0 OUT= MAC=00:02:b3:97:66:ge:00:15:c7:7e:4c:00:08:00 
SRC=*<A>* DST=<B> LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=34006 DF PROTO=TCP 
SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May  9 20:33:52 julia kernel: [10261226.591000] got vnc packs:IN=eth0 
OUT=eth0 SRC=*<A>* DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=34006 DF 
PROTO=TCP SPT=50668 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

The problem, however, is that the forwarded packets never reach the 
target, i.e. machine C, as they are blocked due to their source address 
that remains <A>, indicating their origin from an unprotected zone 
(considering the network setup of my organisation).

Therefore my question: What is the >best< strategy to enable B as full 
intermediary, masquerading the original source and relaying the reply 
packets back to A (masquerade, snat, ...?)

Thx for your expertise!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20060510/72acc96c/attachment-0003.html>

More information about the Firehol-support mailing list