I have Shorewall 1.3.6 installed as a firewall behind a DSL router
with five static IP addresses available. I need to (temporarily)
allow a remote user to access remote administration on a WindowsXP
machine in the local network at IP address 10.1.1.7 to do some
software maintenance.

I was told that they needed port 3389 access to the inside machine for
this purpose.

The default eth0 (internet) IP address on the firewall is
67.40.110.33.

In an attempt to enable the needed access, I added 67.40.110.34 as a
second IP address on eth0 and added the rule

DNAT net:67.40.110.34 loc:10.1.1.7 tcp 3389

to my rules file.

IPtraf shows that the connection is still being blocked.

Any help on what I need to do to make the needed access available will
be greatly appreciated.

--Richard

--
Richard B. Pyne
Software Engineer
ShopSite, Inc.
On Friday 04 October 2002 11:39 am, Richard Pyne wrote:
> In an attempt to enable the needed access, I added 67.40.110.34 as a
> second IP address on eth0 and added the rule
> DNAT net:67.40.110.34 loc:10.1.1.7 tcp 3389
> to my rules file.

The line should read:

DNAT net loc:10.1.1.7 tcp 3389 - 67.40.110.34
Richard Pyne wrote:
> I have Shorewall 1.3.6 installed as a firewall behind a DSL router
> with five static IP addresses available. I need to (temporarily)
> allow a remote user to access remote administration on a WindowsXP
> machine in the local network at IP address 10.1.1.7 to do some
> software maintenance.
>
> I was told that they needed port 3389 access to the inside machine for
> this purpose.
>
> The default eth0 (internet) IP address on the firewall is
> 67.40.110.33.
>
> In an attempt to enable the needed access, I added 67.40.110.34 as a
> second IP address on eth0 and added the rule
> DNAT net:67.40.110.34 loc:10.1.1.7 tcp 3389
> to my rules file.
>

Your rule only allows connections _from_ 67.40.110.34 (which is
difficult since that IP address is in the $FW zone, not the net zone).
If you want to restrict the rule so that only the single remote user
can connect, replace that address with his/hers. Otherwise, simply use:

DNAT net loc:10.1.1.7 tcp 3389

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Scott Merrill wrote:
> On Friday 04 October 2002 11:39 am, Richard Pyne wrote:
>
>> In an attempt to enable the needed access, I added 67.40.110.34 as a
>> second IP address on eth0 and added the rule
>> DNAT net:67.40.110.34 loc:10.1.1.7 tcp 3389
>> to my rules file.
>
>
> The line should read:
> DNAT net loc:10.1.1.7 tcp 3389 - 67.40.110.34

Scott is correct -- I didn't read Richard's original post carefully
enough. My other suggestion still stands though, that you could:

DNAT net:<other persons ip> loc:10.1.1.7 tcp 3389 - 67.40.110.34

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
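The whole thread turns on which column of the Shorewall rules file an address lands in: in Richard's line the public address sits in SOURCE (column 2), so it restricts who may connect, while Scott's and Tom's corrected lines put it in ORIGINAL DEST (column 7), so it selects which firewall address is being forwarded. The following is an added example, not code from the thread or from Shorewall itself: a small parser for the seven-column rules format used by Shorewall 1.3 (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST), an explain() that spells out what a parsed DNAT rule matches, and a check_dnat() that flags exactly the mistake Tom describes, a firewall-owned address placed in SOURCE. The set of firewall addresses and the remote address 203.0.113.5 standing in for Tom's <other persons ip> are constructed for the example.

```python
"""Parse Shorewall 1.3-style rules lines and explain what a DNAT rule matches.

Added example for this thread, not Shorewall's own code.  The column layout is
the seven-column one of Shorewall 1.3; the sample rule lines are the ones
quoted in the thread, the firewall address set is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Column order of /etc/shorewall/rules in Shorewall 1.3.
COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DEST PORT(S)",
           "SOURCE PORT(S)", "ORIGINAL DEST")

# Constructed for this example: the addresses the firewall itself holds on eth0
# (the two named in the thread).
FIREWALL_ADDRS = {"67.40.110.33", "67.40.110.34"}


@dataclass
class Rule:
    action: str
    source_zone: str
    source_hosts: Optional[str]      # host/subnet after "zone:" in SOURCE
    dest_zone: str
    dest_hosts: Optional[str]        # server address after "zone:" in DEST
    dest_server_port: Optional[str]  # optional ":port" after the server address
    proto: Optional[str]
    dest_port: Optional[str]
    source_port: Optional[str]
    original_dest: Optional[str]


def _opt(value: str) -> Optional[str]:
    """An empty column or '-' means 'unspecified'."""
    return None if value in ("", "-") else value


def _split_zone(field: str):
    """'loc:10.1.1.7:3389' -> ('loc', '10.1.1.7', '3389'); 'net' -> ('net', None, None)."""
    parts = field.split(":", 2)
    zone = parts[0]
    hosts = parts[1] if len(parts) > 1 else None
    port = parts[2] if len(parts) > 2 else None
    return zone, hosts, port


def parse_rule(line: str) -> Rule:
    """Parse one whitespace-separated rules line into its seven columns."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("a rules line needs at least ACTION, SOURCE and DEST")
    if len(fields) > len(COLUMNS):
        raise ValueError("more than %d columns: %r" % (len(COLUMNS), line))
    fields += [""] * (len(COLUMNS) - len(fields))  # trailing columns left out
    action, source, dest, proto, dport, sport, odest = fields
    src_zone, src_hosts, _ = _split_zone(source)
    dst_zone, dst_hosts, dst_port = _split_zone(dest)
    return Rule(action, src_zone, src_hosts, dst_zone, dst_hosts, dst_port,
                _opt(proto), _opt(dport), _opt(sport), _opt(odest))


def explain(rule: Rule) -> str:
    """One-sentence description of what the rule matches."""
    if rule.source_hosts is None:
        src = "any host in zone '%s'" % rule.source_zone
    else:
        src = "only %s in zone '%s'" % (rule.source_hosts, rule.source_zone)
    svc = "%s/%s" % (rule.proto or "any", rule.dest_port or "any")
    if rule.original_dest is None:
        to = "any firewall address"
    else:
        to = "firewall address %s" % rule.original_dest
    target = rule.dest_hosts or ("zone '%s'" % rule.dest_zone)
    if rule.dest_server_port:
        target += ":" + rule.dest_server_port
    return "%s: %s from %s to %s, redirected to %s" % (rule.action, svc, src, to, target)


def check_dnat(rule: Rule, firewall_addrs: Set[str]) -> List[str]:
    """Flag the mistake from the thread: a firewall-owned address written in the
    SOURCE column, where it restricts the client, instead of ORIGINAL DEST."""
    warnings = []
    if rule.action == "DNAT" and rule.source_hosts in firewall_addrs:
        warnings.append("SOURCE host %s is an address of the firewall itself; it belongs "
                        "in ORIGINAL DEST (column 7), not SOURCE (column 2)"
                        % rule.source_hosts)
    return warnings


if __name__ == "__main__":
    samples = [
        "DNAT net:67.40.110.34 loc:10.1.1.7 tcp 3389",                 # Richard's rule
        "DNAT net loc:10.1.1.7 tcp 3389 - 67.40.110.34",               # Scott's correction
        "DNAT net:203.0.113.5 loc:10.1.1.7 tcp 3389 - 67.40.110.34",   # Tom's restricted form
    ]
    for line in samples:
        rule = parse_rule(line)
        print(line)
        print("   " + explain(rule))
        for w in check_dnat(rule, FIREWALL_ADDRS):
            print("   WARNING: " + w)
```

Running the block prints the three rule lines from the thread with their readings: the first is flagged because 67.40.110.34 appears as a SOURCE host, the second forwards tcp/3389 arriving at 67.40.110.34 from any net host, and the third does the same but only for the one remote address given in SOURCE.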