[Firehol-support] Re: Re: dnat for vnc

Stefan Sobernig stefan.sobernig at wu-wien.ac.at
Thu May 11 10:14:22 BST 2006


Sorry, now in plain text (just switched mail client and forgot to adjust 
accordingly)

===========================================

First, sorry to all of you for my multiple postings. I lost track of my submissions to the list.

@Götz

Thx for responding.

> The problem, however, is that the forwarded packets never reach the
> target, i.e. machine C, as they are blocked due to their source address
> that remains <A>, indicating their origin from an unprotected zone
> (considering the network setup of my organisation).

So, you must also snat the connection

snat to <B>:5900 proto tcp dport 5900 dst <C>

That's exactly what I had in mind and applied accordingly --- so my rule set takes
the following form:


dnat to <C>:5900 proto tcp dport 5900 log "dnat request"
snat to <B> proto tcp dport 5900 dst <C> log "snat request"

router np2p inface eth0 outface eth0

        route vnc accept dst <C> log "got vnc request packs"
        client all accept log "got vnc response packs"

=================================

With these settings, however, I end up with the following behaviour:

May 11 10:38:28 julia kernel: [10398322.783000] dnat request:IN=eth0 OUT= MAC=00:02:b3:97:66:fe:00:15:c7:7e:4c:00:08:00 SRC=<A> DST=<B> LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

May 11 10:38:28 julia kernel: [10398322.783000] got vnc request packs:IN=eth0 OUT=eth0 SRC=<A> DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

May 11 10:38:28 julia kernel: [10398322.783000] snat request:IN= OUT=eth0 SRC=<A> DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

*May 11 10:38:28 julia kernel: [10398322.783000] got vnc response packs:IN=eth0 OUT=eth0 SRC=<C> DST=<A> LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1968 DF PROTO=TCP SPT=5900 DPT=49212 WINDOW=65535 RES=0x00 ACK RST URGP=0*

==================================

So, I do actually receive a response from <C>, however the reply packets know
<C> as their source while the vnc client at <A> expects <B>. My conclusion was another
snat rule, replacing <C> for <B> in the replies.

snat to <B> proto tcp sport 5900 src <C> log "snat response"

This rule never matches; I don't get any log messages ... So that is where I am stuck.
Any ideas? Can't be that difficult ... What do I miss?

Thx again

//stefan
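Added example, not from the post or from FireHOL: a small Python parser for netfilter LOG lines like the ones above that follows one forwarded connection through the chains and flags the symptom in the last log line, a reply that still carries the real server as SRC and the client as DST, which the FORWARD chain only sees when conntrack holds no NAT mapping to reverse. The addresses are constructed stand-ins for <A>, <B> and <C>, and the function names and finding wording are my own.

```python
import re

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# Field layout of a netfilter LOG line; the MAC=... field is optional.
LOG_RE = re.compile(
    r"\]\s*(?P<prefix>[^:]+):IN=(?P<inif>\S*) OUT=(?P<outif>\S*).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)

# Constructed sample modelled on the post's log: 192.0.2.10 stands in for the
# client <A>, 198.51.100.1 for the firewall <B> and 10.0.0.5 for the server <C>.
SAMPLE_LOG = """\
May 11 10:38:28 julia kernel: [10398322.783000] dnat request:IN=eth0 OUT= MAC=00:02:b3:97:66:fe:00:15:c7:7e:4c:00:08:00 SRC=192.0.2.10 DST=198.51.100.1 TTL=62 PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May 11 10:38:28 julia kernel: [10398322.783000] got vnc request packs:IN=eth0 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 TTL=61 PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May 11 10:38:28 julia kernel: [10398322.783000] got vnc response packs:IN=eth0 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 TTL=58 PROTO=TCP SPT=5900 DPT=49212 WINDOW=65535 RES=0x00 ACK RST URGP=0
"""


def parse_log_line(line):
    """Return the NAT-relevant fields of one LOG line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = {tok for tok in rec.pop("rest").split() if tok in TCP_FLAGS}
    return rec


def audit_forwarded_service(log_text, front, server, port):
    """Follow one DNAT'd TCP service (clients connect to front:port, the dnat
    rule sends it on to server) through the LOG lines and report NAT symptoms."""
    port, clients, findings = str(port), {}, []
    for rec in filter(None, map(parse_log_line, log_text.splitlines())):
        if rec["proto"] != "TCP":
            continue
        if rec["dpt"] == port and rec["dst"] in (front, server):
            clients.setdefault(rec["spt"], rec["src"])  # remember who asked
        elif rec["spt"] == port and rec["dpt"] in clients:
            client = clients[rec["dpt"]]
            # Replies are rewritten from conntrack's stored mapping, not by
            # nat-table rules, so FORWARD should see them as front -> client.
            if rec["src"] == server and rec["dst"] == client:
                findings.append(f"{server} answered {client}:{rec['dpt']} directly: the request it "
                                f"received was not SNATed to {front}, so conntrack cannot match the reply")
            elif (rec["src"], rec["dst"]) != (front, client):
                findings.append(f"reply {rec['src']}->{rec['dst']} was not reversed to {front}->{client}")
            if "RST" in rec["flags"]:
                findings.append(f"{rec['src']} reset the connection from {client}:{rec['dpt']}")
    return findings
```

Run it as `audit_forwarded_service(SAMPLE_LOG, "198.51.100.1", "10.0.0.5", 5900)`; a correctly NATed exchange logs the reply as front -> client and produces no findings.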
