Sebastian Strand
2003-Aug-18 03:21 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
Hi,

I'm having a problem with adding a rule for forwarding connections on the firewall itself (coming through an ssh tunnel really) to a machine on the internal network. This is the rule I want:

DNAT $FW loc:192.168.0.10 tcp 5900:5909

... but iptables reports an invalid argument.

DNAT net loc:192.168.0.10 tcp 5900:5909

...works fine, but is not what I need.

The final part of the debug output looks like this:

+ run_iptables2 -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT --to-destination 192.168.0.10
+ '[' 'x-t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT --to-destination 192.168.0.10' = 'x-t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT --to-destination 192.168.0.10' ']'
+ run_iptables -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT --to-destination 192.168.0.10
+ iptables -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT --to-destination 192.168.0.10
iptables: Invalid argument

I did some searching, but can't find any info on how to solve this problem. In my kernel config I have enabled "Nat of local connections", which I assume relates to this.

--
Grateful for any help,
Sebastian Strand
Patrick Benson
2003-Aug-18 04:17 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
Sebastian Strand wrote:
>
> Hi,
>
> I'm having a problem with adding a rule for forwarding connections on the
> firewall itself (coming through an ssh tunnel really) to a machine on the
> internal network. This is the rule I want:
>
> DNAT $FW loc:192.168.0.10 tcp 5900:5909
>
> ... but iptables reports an invalid argument.
>
> DNAT net loc:192.168.0.10 tcp 5900:5909
>
> ...works fine, but is not what I need.

Hi Sebastian,

Are you, by any chance, trying to use VNC through an ssh tunnel? It would be easier to state what you are actually trying to do, otherwise the help which you are requesting will be just guess work on the list members' side. One of these being, from which source, type of machine will be initiating the connection, Windows or Linux, and so forth, to your internal machine.

*If* you're trying to use VNC through ssh you would just need:

DNAT net:<your net ip> loc:192.168.0.10 tcp 22

which establishes the tunnel to your internal server. Then you could start the ssh connection with (just an example):

ssh -L 5902:localhost:5901 <internal server's net ip>

if your vncserver is listening on port 5901, that is, which will bring you directly to the internal server itself, without any intermediary machines in-between. This is useful if you're only going to use VNC on that particular machine, ip address. Then "vncviewer localhost:1" should do it.

That's only guess work, since the 590x port range is usually reserved for VNC connections. :)

Regards,
--
Patrick Benson
Stockholm, Sweden
Patrick Benson
2003-Aug-18 04:38 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
Patrick Benson wrote:
> that particular machine, ip address. Then "vncviewer localhost:1"

That should be "vncviewer localhost:2" - Sorry for the confusion!

--
Patrick Benson
Stockholm, Sweden
Tom Eastep
2003-Aug-18 07:11 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
On Mon, 2003-08-18 at 03:21, Sebastian Strand wrote:
>
> The final part of the debug output looks like this:
> + run_iptables2 -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT
> --to-destination 192.168.0.10
> + '[' 'x-t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT
> --to-destination 192.168.0.10' = 'x-t nat -A OUTPUT -p tcp -d 0.0.0.0/0
> --dport 5900:5909 -j DNAT --to-destination 192.168.0.10' ']'
> + run_iptables -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT
> --to-destination 192.168.0.10
> + iptables -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT
> --to-destination 192.168.0.10
> iptables: Invalid argument
>

The above command is valid and if you have "Nat of local connections" enabled it should work. I've tried it on both RedHat's 2.4.20-19.9 kernel and on a 2.4.21 kernel that I built locally.

What kernel version and iptables version are you running?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
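The distinction Tom's reply turns on, as an added example that is not code from this thread or from Shorewall itself: a DNAT rule whose SOURCE is `net` is applied to packets arriving from outside, which pass the nat table's PREROUTING hook, while a rule whose SOURCE is `$FW` is applied to connections the firewall itself originates, which never see PREROUTING and can only be rewritten in the nat OUTPUT hook, exactly the `-t nat -A OUTPUT` command in Sebastian's debug output. On 2.4 kernels that hook exists only when "Nat of local connections" (CONFIG_IP_NF_NAT_LOCAL) is compiled in, so a missing option shows up as the `iptables: Invalid argument` seen here. The script below prints the rule each form maps to (it runs nothing against the live firewall) and checks a plain-text kernel config file for the option. The external interface name `eth0`, the config path `/boot/config-$(uname -r)` and the generic PREROUTING form for the `net` case (Shorewall's real generated chains are more elaborate) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Prints (never executes) the nat-table rule a Shorewall 1.4 DNAT line maps
# to, and checks a 2.4 kernel config file for "Nat of local connections".

NET_IF=${NET_IF:-eth0}   # assumed name of the external interface (placeholder)

# dnat_commands SOURCE DEST PROTO PORTS
# SOURCE is "net" (packets arriving from outside) or '$FW' (connections the
# firewall itself originates). Echoes the iptables command; runs nothing.
dnat_commands() {
    dn_src=$1; dn_dest=$2; dn_proto=$3; dn_ports=$4
    dn_target=${dn_dest#loc:}   # strip the zone prefix: loc:192.168.0.10 -> 192.168.0.10
    case $dn_src in
        '$FW')
            # Locally originated packets never pass PREROUTING; the only nat hook
            # before routing is OUTPUT, which on 2.4 kernels needs
            # CONFIG_IP_NF_NAT_LOCAL. This is the command in Sebastian's debug
            # output. Note -d 0.0.0.0/0: every TCP connection the firewall makes
            # to 5900-5909, whatever the destination host, is redirected.
            echo "iptables -t nat -A OUTPUT -p $dn_proto -d 0.0.0.0/0 --dport $dn_ports -j DNAT --to-destination $dn_target"
            ;;
        net)
            # Generic PREROUTING form for traffic entering on the external
            # interface (assumed); Shorewall's own generated chains differ in detail.
            echo "iptables -t nat -A PREROUTING -i $NET_IF -p $dn_proto --dport $dn_ports -j DNAT --to-destination $dn_target"
            ;;
        *)
            echo "dnat_commands: unsupported source zone '$dn_src'" >&2
            return 1
            ;;
    esac
}

# nat_local_enabled CONFIGFILE
# Succeeds when a plain-text kernel .config (e.g. /boot/config-`uname -r`,
# an assumed location) has NAT of local connections compiled in.
nat_local_enabled() {
    grep -q '^CONFIG_IP_NF_NAT_LOCAL=y$' "$1" 2>/dev/null
}

# Demo: the two rules from the thread, plus the kernel check on this host.
dnat_commands '$FW' loc:192.168.0.10 tcp 5900:5909
dnat_commands net   loc:192.168.0.10 tcp 5900:5909
if nat_local_enabled "/boot/config-$(uname -r)"; then
    echo "kernel config: CONFIG_IP_NF_NAT_LOCAL=y, a nat OUTPUT DNAT rule should load"
else
    echo "kernel config: CONFIG_IP_NF_NAT_LOCAL not found (file missing or option off)"
fi
```

Running it on the firewall host with the real config file present is the quickest way to settle the question Tom asks: if the option is off, rebuilding the kernel is the fix, not the Shorewall rule. The `-d 0.0.0.0/0` in the `$FW` form is also worth noticing from a least-privilege standpoint, since it redirects all of the firewall's own outbound connections to those ports, not only the ssh-tunnelled ones.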
Sebastian Strand
2003-Aug-18 09:33 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
Tom Eastep wrote:
>
> > > + iptables -t nat -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 5900:5909 -j DNAT
> > --to-destination 192.168.0.10
> > iptables: Invalid argument
>
> The above command is valid and if you have "Nat of local connections"
> enabled it should work. I've tried it on both RedHat's 2.4.20-19.9
> kernel and on a 2.4.21 kernel that I built locally.

Kernel 2.4.21, iptables 1.2.8 and Shorewall 1.4.6b.

I'm beginning to suspect I messed up when building the kernel - I had to redo it a couple of times to get everything in, maybe I checked that option after the last rebuild... I'll try building it one more time.

--
Sebastian Strand
Sebastian Strand
2003-Aug-18 09:40 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
On Monday 18 August 2003 14:18, Patrick Benson wrote:
> *If* you're trying to use VNC through ssh you would just need:
>
> DNAT net:<your net ip> loc:192.168.0.10 tcp 22
>
> which establishes the tunnel to your internal server. Then you could
> start the ssh connection with (just an example):
>
> ssh -L 5902:localhost:5901 <internal server's net ip>
>
> if your vncserver is listening on port 5901, that is, which will bring
> you directly to the internal server itself, without any intermediary
> machines in-between. This is useful if you're only going to use VNC on
> that particular machine, ip address. Then "vncviewer localhost:1" should
> do it.
>
> That's only guess work, since the 590x port range is usually reserved
> for VNC connections. :)

Not a bad guess at all, since that is what I'm trying to do. I want to access my KDE desktop remotely from various Windows or Linux machines at the university. However, your solution prevents me from directly accessing the firewall machine through ssh, which I need to do. Besides, the fact that my rule doesn't work even though it should annoys me :)

--
Sebastian Strand
Patrick Benson
2003-Aug-18 13:38 UTC
[Shorewall-users] Problem with DNAT for locally originating connections
Sebastian Strand wrote:
> Not a bad guess at all, since that is what I'm trying to do. I want to access
> my KDE desktop remotely from various Windows or Linux machines at the
> university. However, your solution prevents me from directly accessing the
> firewall machine through ssh, which I need to do. Besides, the fact that my
> rule doesn't work even though it should annoys me :)

Which sounds quite frustrating, sorry to say. ;-)

Any special reason why you need ssh access to the firewall directly from the net? Why not try and portforward to the internal machine you're trying to set up with VNC and ssh to the firewall from there?

--
Patrick Benson
Stockholm, Sweden