Hi, I'm a Shorewall user and I have the following problem:

I have one class C range of IPs and I have three zones (net, dmz, loc).

I need to create one rule to DNAT one valid IP address (but not in use on any computer) to one invalid host in my loc zone.

How do I do this? I tried this:

    DNAT net:200.200.200.200 dmz:200.193.137.38 tcp 137,138,139,445 - 200.200.200.200
    DNAT dmz:200.200.200.200 loc:192.168.0.4 tcp 137,138,139,445 - 200.200.200.200
    DNAT net:200.200.200.200 dmz:200.200.200.200 udp 137,138,139,445 - 200.200.200.200
    DNAT dmz:200.200.200.200 loc:192.168.0.4 udp 137,138,139,445 - 200.200.200.200

I need to access, from one external computer, one shared folder located on the 192.168.0.4 computer in my loc zone.

    \\200.200.200.200 ===> 192.168.0.4 (shared folder)

How do I do this?

Tks

Marcelo Leão Caffaro wrote:
> Hi, I'm a Shorewall user and I have the following problem:
>
> I have one class C range of IPs and I have three zones (net, dmz, loc).
>
> I need to create one rule to DNAT one valid IP address (but not in use
> on any computer) to one invalid host in my loc zone.
>
> How do I do this?
>

I personally would use a VPN since I would never want my share data passing unencrypted outside of my firewall. As a consequence, I have never tried what you are asking and what follows is strictly a guess.

IP1 = the IP address of the host outside your firewall that needs access to the share.
IP2 = the IP address on your firewall that you want that host to connect to.

Note that the connection MUST BE BY IP ADDRESS.

I would start with these rules:

    DNAT net:IP1 loc:192.168.0.4 udp 135,445 - IP2
    DNAT net:IP1 loc:192.168.0.4 udp 137:139 - IP2
    DNAT net:IP1 loc:192.168.0.4 tcp 135,139,445 - IP2

Also, note the instructions at the bottom of http://shorewall.net/samba.htm for enabling logging of dropped/rejected SMB traffic -- those instructions are essential when you are debugging these sorts of problems.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
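
Added example, not part of the thread and not Shorewall's own code: a small Python lint for rules-file DNAT lines that forward SMB/NetBIOS ports, following the IP1/IP2 convention in the reply above (SOURCE names the one external client, ORIGINAL DEST names the firewall address). The column order, the finding codes and the 203.0.113.10 / 198.51.100.5 stand-ins for IP1 and IP2 are assumptions; the fourth sample rule is copied from the original question.

```python
# Added example (not from the thread): lint Shorewall DNAT rules that forward SMB.
# Assumed column order: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
SMB_PORTS = {135, 137, 138, 139, 445}

def expand_ports(spec):
    """Expand '135,445' or '137:139' into a set of ints; service names are skipped."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if lo.isdigit() and (hi or lo).isdigit():
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_dnat(line):
    """Return the fields of a DNAT rule as a dict, or None for any other line."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 5 or fields[0] != "DNAT":
        return None
    fields += ["-"] * (7 - len(fields))          # omitted trailing columns
    src_zone, _, src_host = fields[1].partition(":")
    return {"src_zone": src_zone, "src_host": src_host, "dest": fields[2],
            "proto": fields[3], "ports": expand_ports(fields[4]),
            "origdest": fields[6]}

def audit(lines):
    """Return (line_number, code) findings for DNAT rules touching SMB ports."""
    findings = []
    for n, line in enumerate(lines, 1):
        rule = parse_dnat(line)
        if rule is None or not (rule["ports"] & SMB_PORTS):
            continue
        if rule["src_host"] and rule["src_host"] == rule["origdest"]:
            findings.append((n, "source-equals-origdest"))  # SOURCE is the client (IP1)
        if rule["src_zone"] == "net" and not rule["src_host"]:
            findings.append((n, "smb-open-to-whole-zone"))
        if rule["origdest"] == "-":
            findings.append((n, "origdest-not-pinned"))     # no IP2 given
    return findings

# Constructed sample: 203.0.113.10 stands in for IP1, 198.51.100.5 for IP2.
SAMPLE = """\
DNAT net:203.0.113.10 loc:192.168.0.4 udp 135,445 - 198.51.100.5
DNAT net:203.0.113.10 loc:192.168.0.4 udp 137:139 - 198.51.100.5
DNAT net:203.0.113.10 loc:192.168.0.4 tcp 135,139,445 - 198.51.100.5
DNAT net:200.200.200.200 dmz:200.200.200.200 udp 137,138,139,445 - 200.200.200.200
DNAT net loc:192.168.0.4 tcp 445
""".splitlines()

if __name__ == "__main__":
    for lineno, code in audit(SAMPLE):
        print(f"rule {lineno}: {code}")
```

The three rules in the shape suggested in the reply produce no findings; the lint only reads the rules text and does not replace the SMB logging described at http://shorewall.net/samba.htm.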