[Firehol-support] Several dnat VNC services

Costa Tsaousis costa at tsaousis.gr
Thu Jun 14 21:33:09 CEST 2007


Richard Williams wrote:
>
> I’m trying to set up Firehol to route (dnat) external VNC services to
> different computers, depending upon the TCP ports being used.  I’ve
> done this successfully for two inputs on ports 5900 (default) and 7677
> but when I add a third on port 7674 it doesn’t get routed (it’s the
> one called vnc2 that’s to be routed to 10.0.0.4).  Unfortunately
> there’s nothing in the log to show what’s going wrong.  I know that
> the receiving computer is able to accept the VNC service on 7674 as
> there’s another gateway on the network and I can route the traffic
> through that one successfully to 10.0.0.4.  However, I’d prefer to use
> the Firehol protected gateway for operational reasons.
>
> Here’s my firehol.conf that is based on one of the examples:
>

Richard,

Since your requests are going into the LAN from your public interface
and since firehol does not log any dropped packets, I guess 10.0.0.4 is
using, as its default gateway, the other gateway you have on the LAN to
send the VNC replies back to the client, which of course are dropped
(especially if the other gateway is stateful too).

You can overcome this situation by doing an additional snat like this:

snat to 10.0.0.248 outface eth0 src not "${UNROUTABLE_IPS}" dst 10.0.0.4

This will make 10.0.0.4 believe that 10.0.0.248 is the VNC client (be
careful with the VNC server security, because you cannot match the real
source there - if you need to match the static IP of your home or other
place, change the snat/dnat statements to match only the sources you
need to allow).

Another way would be to change the default gateway on 10.0.0.4 so that
the replies will go out the same way they come in.

Costa
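The following firehol.conf is an added illustration of the setup discussed in this thread; it is not Richard's configuration (which did not survive in the archive) nor code from the FireHOL project. It assumes eth0 is the LAN side with this gateway at 10.0.0.248 (the address Costa's snat line uses), eth1 is the public side, 10.0.0.2 and 10.0.0.3 are placeholder targets for the two forwards that already worked, and vnc_clients holds constructed example source ranges. It shows the three dnat rules, the extra snat that forces replies back through this gateway, and the source restriction Costa recommends instead of matching everything that is not in UNROUTABLE_IPS.

```firehol
version 5

# Assumed layout (not taken from the thread):
#   eth0 = LAN side, this gateway is 10.0.0.248
#   eth1 = public side
# Constructed example: the only public sources allowed to reach the VNC hosts.
vnc_clients="203.0.113.10 198.51.100.0/24"

# Forward three external TCP ports to three LAN hosts. The port after the
# colon is the port on the target host; the VNC server listens on 5900 there.
# 10.0.0.2 and 10.0.0.3 are placeholders for the two forwards that already work.
dnat to 10.0.0.2:5900 inface eth1 proto tcp dport 5900 src "${vnc_clients}"
dnat to 10.0.0.3:5900 inface eth1 proto tcp dport 7677 src "${vnc_clients}"
dnat to 10.0.0.4:5900 inface eth1 proto tcp dport 7674 src "${vnc_clients}"

# 10.0.0.4 sends its replies via a different default gateway, so the return
# path is asymmetric and the stateful firewall never sees the reply. Rewriting
# the source to this gateway's LAN address makes 10.0.0.4 answer to 10.0.0.248,
# which is on the same LAN, so the reply comes back here regardless of its
# default route. Matching only "${vnc_clients}" keeps the rule narrow; the
# broader form from the thread would be:
#   snat to 10.0.0.248 outface eth0 src not "${UNROUTABLE_IPS}" dst 10.0.0.4
snat to 10.0.0.248 outface eth0 src "${vnc_clients}" dst 10.0.0.4

interface eth1 internet
	protection strong
	client all accept

interface eth0 lan
	server all accept
	client all accept

# DNAT happens before routing, so by the time the router sees the forwarded
# packet its destination port is already 5900 and the built-in vnc service
# matches it. Only the allowed client ranges are let through.
router internet2lan inface eth1 outface eth0
	server vnc accept src "${vnc_clients}"
	client all accept
```

With the snat in place, the VNC server on 10.0.0.4 logs 10.0.0.248 as the peer for every forwarded session, which is why the source restriction has to live in the dnat/snat rules on the gateway rather than in the VNC server's own access list.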