[Firehol-support] Re: Re: dnat for vnc
stefan.sobernig at wu-wien.ac.at
Thu May 11 10:14:22 BST 2006
Sorry, now in plain text (just switched mail client and forgot to adjust
First, sorry to all of you for my multiple postings. I lost track of my submissions to the list.
Thx for responding.
The problem, however, is that the forwarded packets never reach the
> target, i.e. machine C, as they are blocked due to their source address
> that remains <A>, indicating their origin from an unprotected zone
> (considering the network setup of my organisation).
So, you must also snat the connection
snat to <B>:5900 proto tcp dport 5900 dst <C>
That's exactly what I had in mind and applied accordingly --- so my rule set takes
the following form:
dnat to <C>:5900 proto tcp dport 5900 log "dnat request"
snat to <B> proto tcp dport 5900 dst <C> log "snat request"
router np2p inface eth0 outface eth0
route vnc accept dst <C> log "got vnc request packs"
client all accept log "got vnc response packs"
With these settings, however, I end up with the following behaviour:
May 11 10:38:28 julia kernel: [10398322.783000] dnat request:IN=eth0 OUT= MAC=00:02:b3:97:66:fe:00:15:c7:7e:4c:00:08:00 SRC=<A> DST=<B> LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May 11 10:38:28 julia kernel: [10398322.783000] got vnc request packs:IN=eth0 OUT=eth0 SRC=<A> DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
May 11 10:38:28 julia kernel: [10398322.783000] snat request:IN= OUT=eth0 SRC=<A> DST=<C> LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1968 DF PROTO=TCP SPT=49212 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
*May 11 10:38:28 julia kernel: [10398322.783000] got vnc response packs:IN=eth0 OUT=eth0 SRC=<C> DST=<A> LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1968 DF PROTO=TCP SPT=5900 DPT=49212 WINDOW=65535 RES=0x00 ACK RST URGP=0*
So, I do actually receive a response from <C>, however the reply packets know
<C> as their source while the vnc client at <A> expects <B>. My conclusion was another
snat rule, replacing <C> for <B> in the replies.
snat to <B> proto tcp sport 5900 src <C> log "snat response"
This rule never matches, I don't get any log messages ... So that is where I am stuck.
Any ideas? Can't be that difficult ... What do I miss?
More information about the Firehol-support