Hi,

I've 2 interfaces set up:

gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <-> LAN

I've NAT running on the router and also some routed IP address mappings to a few internal machines, e.g.:
x.y.z.236 <---> 192.168.3.236
x.y.z.237 <---> 192.168.3.237

Our client allows us to connect to his machine through the Internet via VNC, but only from our ROUTER external IP x.y.z.234.

But I want to have access from anywhere on the Internet.
So I think I need to connect with VNC to my server, which should redirect this connection to my client's machine.
But I couldn't find a hint in the Shorewall documentation :(
Can you please help me with a link, document, etc.?

Best Regards
--
---
Krzysztof Lew
noe(at)mikron.pl
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Thu, Jan 31, 2008 at 10:22:21PM +0100, Krzysztof Lew wrote:
> Hi,
>
> I've 2 interfaces set up:
>
> gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <-> LAN
>
> I've NAT running on the router and also some routed IP address mappings to a few
> internal machines, e.g.:
> x.y.z.236 <---> 192.168.3.236
> x.y.z.237 <---> 192.168.3.237
>
> Our client allows us to connect to his machine through the Internet via VNC, but
> only from our ROUTER external IP x.y.z.234.
>
> But I want to have access from anywhere on the Internet.
> So I think I need to connect with VNC to my server, which should redirect this
> connection to my client's machine.
> But I couldn't find a hint in the Shorewall documentation :(
> Can you please help me with a link, document, etc.?
>

What you want to accomplish is completely orthogonal to Shorewall. Use ssh with port forwarding, or consider using some sort of TCP proxy program. In Debian, here are some examples when searching for "tcp proxy":

6tunnel - TCP proxy for non-IPv6 applications
connect-proxy - Establish TCP connection using SOCKS4/5 and HTTP tunnel
corkscrew - tunnel TCP connections through HTTP proxies
iprelay - User-space bandwidth shaping TCP proxy daemon
ptunnel - Tunnel TCP connections over ICMP packets
redir - Redirect TCP connections
simpleproxy - Simple TCP proxy
stone - TCP/IP packet repeater in the application layer
tsocks - transparent network access through a SOCKS 4 or 5 proxy
tor - anonymizing overlay network for TCP

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> On Thu, Jan 31, 2008 at 10:22:21PM +0100, Krzysztof Lew wrote:
>> Hi,
>>
>> I've 2 interfaces set up:
>>
>> gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <-> LAN
>>
>> I've NAT running on the router and also some routed IP address mappings to a few
>> internal machines, e.g.:
>> x.y.z.236 <---> 192.168.3.236
>> x.y.z.237 <---> 192.168.3.237
>>
>> Our client allows us to connect to his machine through the Internet via VNC, but
>> only from our ROUTER external IP x.y.z.234.
>>
>> But I want to have access from anywhere on the Internet.

Krzysztof: You realize that giving yourself that access goes against the expressed wishes of your client, do you not?

>> So I think I need to connect with VNC to my server, which should redirect this
>> connection to my client's machine.
>> But I couldn't find a hint in the Shorewall documentation :(
>> Can you please help me with a link, document, etc.?
>>
> What you want to accomplish is completely orthogonal to Shorewall.

Although what Krzysztof asks _could_ be accomplished with Shorewall, the Shorewall-based solution would be open to all Internet users. So Krzysztof would be subverting his own client's security measures; that's not the way to keep happy clients.

The solution that Krzysztof implements (if he implements any at all) should require strong authentication of the VNC client user by the proxy.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Roberto C. Sánchez wrote:
>
>> On Thu, Jan 31, 2008 at 10:22:21PM +0100, Krzysztof Lew wrote:
>>
>>> Hi,
>>>
>>> I've 2 interfaces set up:
>>>
>>> gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <-> LAN
>>>
>>> I've NAT running on the router and also some routed IP address mappings to a few
>>> internal machines, e.g.:
>>> x.y.z.236 <---> 192.168.3.236
>>> x.y.z.237 <---> 192.168.3.237
>>>
>>> Our client allows us to connect to his machine through the Internet via VNC, but
>>> only from our ROUTER external IP x.y.z.234.
>>>
>>> But I want to have access from anywhere on the Internet.
>>>
>
> Krzysztof: You realize that giving yourself that access goes against the
> expressed wishes of your client, do you not?
>

This was actually quite surprising; any consultant of ours that attempted this would very quickly find themselves deep in the poo. Our legal department would be on his case within an hour of the discovery, and needless to say he would never be allowed to access our systems again.

>>> So I think I need to connect with VNC to my server, which should redirect this
>>> connection to my client's machine.
>>> But I couldn't find a hint in the Shorewall documentation :(
>>> Can you please help me with a link, document, etc.?
>>>
>>>
>> What you want to accomplish is completely orthogonal to Shorewall.
>>
>
> Although what Krzysztof asks _could_ be accomplished with Shorewall, the
> Shorewall-based solution would be open to all Internet users. So Krzysztof
> would be subverting his own client's security measures; that's not the way
> to keep happy clients.
>
> The solution that Krzysztof implements (if he implements any at all) should
> require strong authentication of the VNC client user by the proxy.
>

The only working solution that would provide what he needs, _and_ not violate his customer's requirements, would be for him to connect to a PC within his own network, and then start a new connection from there to his client's machine.

Anything else could place his client in breach of any number of compliance codes, and could compel him to get a SAS-70 audit if SOX is involved.

T
On Friday 01 February 2008 01:09:45 Tom Eastep wrote:
> Roberto C. Sánchez wrote:
> > On Thu, Jan 31, 2008 at 10:22:21PM +0100, Krzysztof Lew wrote:
> >> Hi,
> >>
> >> I've 2 interfaces set up:
> >>
> >> gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <->
> >> LAN
> >>
> >> I've NAT running on the router and also some routed IP address mappings to
> >> a few internal machines, e.g.:
> >> x.y.z.236 <---> 192.168.3.236
> >> x.y.z.237 <---> 192.168.3.237
> >>
> >> Our client allows us to connect to his machine through the Internet via
> >> VNC, but only from our ROUTER external IP x.y.z.234.
> >>
> >> But I want to have access from anywhere on the Internet.
>
> Krzysztof: You realize that giving yourself that access goes against the
> expressed wishes of your client, do you not?
>
> >> So I think I need to connect with VNC to my server, which should
> >> redirect this connection to my client's machine.
> >> But I couldn't find a hint in the Shorewall documentation :(
> >> Can you please help me with a link, document, etc.?
> >
> > What you want to accomplish is completely orthogonal to Shorewall.
>
> Although what Krzysztof asks _could_ be accomplished with Shorewall, the
> Shorewall-based solution would be open to all Internet users. So Krzysztof
> would be subverting his own client's security measures; that's not the way
> to keep happy clients.
>
> The solution that Krzysztof implements (if he implements any at all) should
> require strong authentication of the VNC client user by the proxy.
>
> -Tom

Thank you for your consideration. I'm not going to violate my client's security rules.

But now I just found the way to do this. I've OpenVPN working on my router, so for a specified road warrior I'll set it up so that all outgoing traffic is routed through my router (an OpenVPN option). That is my choice.

Meanwhile I just found another solution: connecting with ssh to the router and setting up a tunnel to it:somePort, and then this port would be redirected with one of the solutions mentioned by Roberto C. Sánchez.

Anyway, thanks for your support,
BR
--
---
Krzysztof Lew
noe(at)mikron.pl
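Pulling the thread's three suggestions together (Roberto's ssh port forwarding, Tom's requirement that the proxy strongly authenticate the VNC user, and Krzysztof's ssh tunnel to the router), here is an added example that is not code from any of the posters. It assumes a dedicated relay account `vncrelay` on the ROUTER, a client VNC host named `client-vnc.example.net`, and the `restrict`, `port-forwarding` and `permitopen` authorized_keys options of OpenSSH 7.2 or later; only x.y.z.234 comes from the thread. The point is that an `ssh -L` forward terminates on the router, so the TCP connection to the client still leaves from x.y.z.234 (the only source the client permits), the road warrior is authenticated by an ssh key rather than by being on the Internet, and `permitopen` keeps that key from reaching anything but the one VNC port. No `redir`/`simpleproxy` listener is opened on the public interface at all.

```shell
#!/bin/sh
# Added example, not from the thread. Relay VNC through the ROUTER over ssh so
# that the connection to the client still originates from x.y.z.234 and the
# road warrior must hold an ssh key. Assumed names: vncrelay (router account)
# and client-vnc.example.net (the client's VNC host); x.y.z.234 is the thread's
# router address.
ROUTER_IP="x.y.z.234"
ROUTER_USER="vncrelay"
CLIENT_VNC_HOST="client-vnc.example.net"
VNC_PORT=5900

# authorized_keys entry for the relay key on the router (OpenSSH >= 7.2 options):
# 'restrict' turns every capability off, 'port-forwarding' turns forwards back
# on, 'permitopen' pins them to the client's VNC port, and the forced command
# stops the key from ever yielding a shell if someone opens a session with it.
relay_authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s\n' \
        "$CLIENT_VNC_HOST" "$VNC_PORT" "$pubkey"
}

# The command the road warrior runs from anywhere; -N opens no session, so the
# forced command never fires and the forward stays up until ssh is killed.
# Afterwards: vncviewer localhost:<local_port>
tunnel_command() {
    local_port="${1:-$VNC_PORT}"
    printf 'ssh -N -L %s:%s:%s %s@%s\n' \
        "$local_port" "$CLIENT_VNC_HOST" "$VNC_PORT" "$ROUTER_USER" "$ROUTER_IP"
}

# Mirror of the permitopen check, to reason about what the key can reach: does a
# requested host:port forward fall within an allowed host:port spec? '*' is a
# wildcard on either side; plain host names / IPv4 only (no [v6] brackets).
forward_allowed() {
    allowed="$1"
    requested="$2"
    a_host="${allowed%:*}";   a_port="${allowed##*:}"
    r_host="${requested%:*}"; r_port="${requested##*:}"
    [ "$a_port" = "*" ] || [ "$a_port" = "$r_port" ] || return 1
    [ "$a_host" = "*" ] || [ "$a_host" = "$r_host" ] || return 1
    return 0
}

# Run directly to print both artefacts (the public key below is a constructed
# placeholder, not a real key).
relay_authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE roadwarrior"
tunnel_command 5901
```

Two checks before relying on this: confirm with the client that the connection still arrives from x.y.z.234 (if the router SNATs its own outbound traffic to another address, it will not), and remember that the router-to-client hop is the same plain VNC the client already accepts; only the road-warrior-to-router hop gains ssh's authentication and encryption.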