Hi,
Anyone know how to put up a rule to allow ssh port forwarding from ssh
daemon on the firewall to local network?
I use VNC to attach to hosts inside the local network. The destination
port used for VNC is always 5900.
So connection would look like:-
net->fw (ssh) / loc(192.168.0.1) -- > host(192.168.0.2:5900)
I have a rule in my setup for:-
ACCEPT loc loc tcp 5900
My interfaces file has an entry for loc of:-
loc eth0 detect routestopped
But on activating the firewall, running up ssh forwarding and
connecting, the logs in /var/log show a message :-
kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1
DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55679 PROTO=TCP
SPT=1137 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
The rule above I would have thought would allow this, however I note
that the direction on the rule log only has an interface for OUT and not
one for IN. Is this my problem, as loc is allocated to eth0, and
therefore can not handle an empty interface rule?
Thanks in advance.
Joe Doran.
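
Added example, not part of the original post and not Shorewall code: netfilter logs an empty IN= for a packet generated on the firewall itself, so the connection sshd opens to 192.168.0.2:5900 is fw-to-loc traffic, which a loc-to-loc rule does not cover. The Python sketch below reads a Shorewall log line, works out the netfilter path and the zone pair, and prints a rule in the same column order as the rule quoted in the post. The zone name "fw" (taken from the post's diagram), the interface map and the function names are assumptions.

```python
import re

# The log line quoted in the post, joined back onto one line.
SAMPLE = ("kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 "
          "DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55679 PROTO=TCP "
          "SPT=1137 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0")

# Interface-to-zone map from the post's interfaces entry (loc eth0).
IFACE_ZONES = {"eth0": "loc"}
# Assumption: the firewall's own zone is called "fw", as in the post's diagram.
FW_ZONE = "fw"

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[^:\s]+):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty


def zone_for(iface):
    """An empty interface means the firewall itself is that end of the flow."""
    return FW_ZONE if iface == "" else IFACE_ZONES.get(iface, "?")


def explain(line):
    """Return chain, verdict, netfilter path, zone pair and a candidate rule."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("no Shorewall log prefix found")
    fields = dict(FIELD_RE.findall(line[m.end():]))
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    # Empty IN: locally generated (OUTPUT). Empty OUT: addressed to the
    # firewall (INPUT). Both present: routed through it (FORWARD).
    path = "OUTPUT" if not in_if else "INPUT" if not out_if else "FORWARD"
    src, dst = zone_for(in_if), zone_for(out_if)
    rule = "ACCEPT {} {} {} {}".format(
        src, dst, fields.get("PROTO", "-").lower(), fields.get("DPT", "-"))
    return {"chain": m.group("chain"), "verdict": m.group("verdict"),
            "path": path, "src_zone": src, "dst_zone": dst, "rule": rule}


if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print("{:9} {}".format(key, value))
```

A "?" in the zone pair means the interface is missing from IFACE_ZONES and needs to be added before the printed rule is meaningful.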