[Firehol-support] Several dnat VNC services
Richard Williams
richard at everything4it.co.uk
Thu Jun 14 10:34:36 BST 2007
Hi
I’m sorry if this has been raised before.
I’m trying to set up Firehol to route (dnat) external VNC services to
different computers, depending upon the TCP ports being used. I’ve done
this successfully for two inputs on ports 5900 (default) and 7677 but when I
add a third on port 7674 if doesn’t get routed (it’s the one called vnc2
that’s to be routed to 10.0.0.4). Unfortunately there’s nothing in the log
to show what’s going wrong. I know that the receiving computer is able to
accept the VNC service on 7674 as there’s another gateway on the network and
I can route the traffic through that one successfully to 10.0.0.4. However,
I’d prefer to use the Firehol protected gateway for operational reasons.
Here’s my firehol.conf that is based on one of the examples:
#
FIREHOL_LOG_LEVEL=error
# $Id: lan-gateway.conf,v 1.1 2003/10/12 13:43:42 ktsaou Exp $
#
# Configuration file for a LAN router with one ethernet interface (eth0)
# for the LAN and a PPP interface for connecting to the Internet.
#
# The LAN works with private IP addresses.
#
# This script will also setup a transparent cache for all the PCs on the
# local LAN.
#
----------------------------------------------------------------------------
# CUSTOM SERVICES
#
----------------------------------------------------------------------------
# See the section "Adding Services" in the documentation
# Example service x, listening on port TCP/z
# > server_x_ports="tcp/z"
# > client_x_ports="default"
server_vnc1_ports="tcp/7677"
client_vnc1_ports="default"
server_vnc2_ports="tcp/7674"
client_vnc2_ports="default"
#
#
----------------------------------------------------------------------------
# STOP UDP 2222 MESSAGES FLOODING SYSLOG
#
----------------------------------------------------------------------------
-
#
server_office_ports="udp/138"
client_office_ports="any"
#
----------------------------------------------------------------------------
# NETWORK DEFINITIONS - Normally, only these are to be touched by you.
#
----------------------------------------------------------------------------
# You can define anything you like, assuming you are using it later.
# --- HOME ---
# The definition of our HOME LAN.
HOME_MYIP="10.0.0.248" # The IP on our HOME LAN
HOME_MYIF="eth0" # The HOME LAN interface
HOME_BCAST="10.255.255.255" # The HOME LAN broadcast
HOME_LAN="10.0.0.0/8" # The HOME LAN
HOME_SERVICES="all"
# Do we run a DHCP server on the HOME LAN?
HOME_DHCP=1 # Set to 0 to disable
# --- PUBLIC ---
# The definition of our PUBLIC interface.
PUBLIC_MYIP="" # Leave empty for dynamic IP
PUBLIC_MYIF="ppp0" # The public interface
PUBLIC_SERVICES="http ftp mysql"
# Is the PPP interface a DIAL-ON-DEMAND?
DIAL_ON_DEMAND=0 # Set to 0 to disable
# --- TRUSTED ---
# Hosts in the internet I trust for accessing private services
# Empty these to disable.
TRUSTED_IPS=""
TRUSTED_SERVICES=""
# --- TRANSPARENT CACHE ---
# Run a transparent cache?
SQUID_PORT="800" # Leave empty to disable SQUID
SQUID_USERS="" # Users to be excluded from the cache
SQUID_EXCLUDE="" # Web Server IPs to be excluded from the
cache
# --- BLACKLIST ---
# A space-separated list of IPs to be blocked.
blacklist=""
#
----------------------------------------------------------------------------
# HELPERS
#
----------------------------------------------------------------------------
# Block all traffic from/to certain IPs
if [ ! -z "${blacklist}" ]
then
blacklist full "${blacklist}"
fi
# Setup a transparent squid, only if SQUID_PORT is set.
if [ ! -z "${SQUID_PORT}" ]
then
transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
inface "${HOME_MYIF}" src "${HOME_LAN}" \
`test ! -z "${SQUID_EXCLUDE}" && echo "dst not
'${SQUID_EXCLUDE}'"`
fi
#
----------------------------------------------------------------------------
# NETWORK ADDRESS TRANSLATION
#
----------------------------------------------------------------------------
# Change the source/destination of packets...
# Should we do SNAT or MASQUERADE?
# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
#
if [ ! -z "${PUBLIC_MYIP}" ]
then
snat to "${PUBLIC_MYIP}"
\
outface "${PUBLIC_MYIF}"
\
src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
masquerade "${PUBLIC_MYIF}"
fi
# To have some public service hit an internal machine, do this:
# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port
25)
#
# > dnat to 10.0.0.2:25
\
# > inface "${PUBLIC_MYIF}"
\
# > src not "${HOME_LAN} ${UNROUTABLE_IPS}"
\
# > proto tcp dport 26
#
# For each such statement, the router at the end has to support it.
dnat to 10.0.0.239:5900 inface ppp0 proto tcp dport 5900
dnat to 10.0.0.4:7674 inface ppp0 proto tcp dport 7674
dnat to 10.0.0.238:7677 inface ppp0 proto tcp dport 7677
#
----------------------------------------------------------------------------
# PROTECT SELF
#
----------------------------------------------------------------------------
# Protect the firewall host...
# --- HOME ---
# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP}
${HOME_BCAST}"
policy reject
server "${HOME_SERVICES}" accept
client all accept
# DHCP needs 0.0.0.0/255.255.255.255 access.
if [ ${HOME_DHCP} -eq 1 ]
then
interface "${HOME_MYIF}" dhcp
server dhcp accept
server office drop
fi
# --- PUBLIC ---
# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet
\
src not "${UNROUTABLE_IPS}"
\
`test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
protection strong
policy drop
# Are there any trusted PCs/services?
if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
then
server "${TRUSTED_SERVICES}" accept src
"${TRUSTED_PCS}"
fi
server "${PUBLIC_SERVICES}" accept
server custom rvw tcp/7676 default accept
client all accept
# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
interface "${PUBLIC_MYIF}" dialup
client all accept
fi
#
----------------------------------------------------------------------------
# PROTECT ROUTING
#
----------------------------------------------------------------------------
# Protect the LAN...
# Route traffic for the clients on the LAN
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
# route all client traffic
client all accept
server vnc accept dst 10.0.0.239
server vnc1 accept dst 10.0.0.238
server vnc2 accept dst 10.0.0.4
# For the dnat example above, this is needed:
# > server smtp accept dst 10.0.0.2
#
----------------------------------------------------------------------------
# SET LOG OPTIONS
#
----------------------------------------------------------------------------
FIREHOL_LOG_FREQUENCY="1/minute"
FIREHOL_LOG_BURST="5"
Regards
Richard Williams
****************************************************
Richard Williams
email: HYPERLINK
"mailto:richard at everything4it.co.uk"richard at everything4it.co.uk
mobile: 07981 734697
****************************************************
The contents of this email message and any attachments are confidential and
are intended solely for addressee. The information may also be legally
privileged. This transmission is sent in trust, for the sole purpose of
delivery to the intended recipient. If you have received this transmission
in error, any use, reproduction or dissemination of this transmission is
strictly prohibited. If you are not the intended recipient, please
immediately notify the sender by reply email or at +44(0)7981 734697 and
delete this message and its attachments, if any.
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Database: 269.8.15/847 - Release Date: 12/06/2007
21:42
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20070614/7c26705b/attachment-0002.html>
More information about the Firehol-support
mailing list