[Firehol-support] Several dnat VNC services

Costa Tsaousis costa at tsaousis.gr
Thu Jun 14 20:33:09 BST 2007

Richard Williams wrote:
> I’m trying to set up Firehol to route (dnat) external VNC services to
> different computers, depending upon the TCP ports being used.  I’ve
> done this successfully for two inputs on ports 5900 (default) and 7677
> but when I add a third on port 7674 it doesn’t get routed (it’s the
> one called vnc2 that’s to be routed to  Unfortunately
> there’s nothing in the log to show what’s going wrong.  I know that
> the receiving computer is able to accept the VNC service on 7674 as
> there’s another gateway on the network and I can route the traffic
> through that one successfully to  However, I’d prefer to use
> the Firehol protected gateway for operational reasons.
> Here’s my firehol.conf that is based on one of the examples:


Since your requests are going into the LAN from your public interface
and since firehol does not log any dropped packets, I guess is
using as a default gateway the other gateway, you have on the LAN, to
send the VNC replies back to the client, which of course are dropped
(especially if the other gateway is stateful too).

You can overcome this situation by doing an additional snat like this:

snat to outface eth0 src not "${UNROUTABLE_IPS}" dst

This will make believe that is the VNC client (be
careful with the VNC server security, because you cannot match the real
source there - if you need to match the static IP of your home or other
place, change the snat/dnat statements to match only the sources you
need to allow).

Another way would be to change the default gateway on so that
the replies will go out the same way they come in.

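Putting the two suggestions together, here is what a firehol.conf for this setup could look like. This is an added illustration, not the poster's configuration or anything from the FireHOL project. All addresses, interface names and the allowed client range are assumptions (RFC 5737 documentation addresses): eth0 is the Internet side, eth1 the LAN side, 192.0.2.1 is the gateway's own LAN address, and 198.51.100.0/24 stands in for the sources you actually want to allow. The point it shows is the order of operations that makes the third port work: dnat rewrites the destination on the way in, the router then sees plain VNC (port 5900) traffic, and the extra snat rewrites the source so the VNC server's replies come back through this gateway instead of the LAN's default gateway.

```firehol
version 5

# Placeholders (assumptions for this example):
#   eth0 = public interface, eth1 = LAN interface
#   192.0.2.1           = this gateway's LAN address (snat target)
#   192.0.2.10/11/12    = the three VNC hosts, all listening on 5900
#   198.51.100.0/24     = the only client network allowed to reach VNC
VNC_CLIENTS="198.51.100.0/24"

# Inbound: map each public port to one VNC host (destination NAT).
# Restricting "src" here is the "match only the sources you need" advice,
# because the snat below hides the real client address from the VNC server.
dnat to 192.0.2.10:5900 inface eth0 proto tcp dport 5900 src "${VNC_CLIENTS}"
dnat to 192.0.2.11:5900 inface eth0 proto tcp dport 7677 src "${VNC_CLIENTS}"
dnat to 192.0.2.12:5900 inface eth0 proto tcp dport 7674 src "${VNC_CLIENTS}"

# Outbound to the LAN: make the VNC hosts see this gateway as the client,
# so their replies are routed back here and not via the other LAN gateway.
snat to 192.0.2.1 outface eth1 proto tcp dst 192.0.2.10,192.0.2.11,192.0.2.12 dport 5900

interface eth0 internet
    protection strong
    client all accept

interface eth1 lan
    policy accept

# Forwarding between the two sides. After dnat the forwarded packets are
# ordinary VNC (tcp/5900), so the built-in vnc service matches all three.
router internet2lan inface eth0 outface eth1
    server vnc accept src "${VNC_CLIENTS}"
    client all accept
```

If you drop the src restrictions, every host on the Internet that reaches one of the three ports is presented to the VNC server as 192.0.2.1, so the VNC server's own address-based access control becomes useless; keep the restriction on the dnat and router lines, or use the other fix (change the VNC hosts' default gateway) if you need the servers to see real client addresses.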