I am not sure how to accomplish the following example:

Local 10.1.10.0/24 <port 14143> to a specific server on the Internet <port 24243>

I have seen this called a tcp proxy bridge? I have it running on an NT-based proxy but wish to move away from NT.

I am running a two-interface firewall with a squid manual proxy for http. All works well except for this requirement.

Setup is as follows.
Mandrake 9.2
Shorewall 2.0.14
Loc eth0
Net eth1
1 public ip address.

Any help would be appreciated.

Thanks
Bob
Robert Berquist wrote:
> I am not sure how to accomplish the following example:
> Local 10.1.10.0/24 <port 14143> to a specific server on the Internet <port 24243>
> I have seen this called a tcp proxy bridge? I have it running on a NT based proxy but wish to move away from NT.

I'm afraid that I'm lost as to what problem you are trying to solve.

Does anyone else on the list recognize what Robert is asking? A search on my XP system for "tcp proxy bridge" came up empty.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Robert Berquist wrote:
>
>> I am not sure how to accomplish the following example:
>> Local 10.1.10.0/24 <port 14143> to a specific server on the Internet <port 24243>
>> I have seen this called a tcp proxy bridge? I have it running on a NT based proxy but wish to move away from NT.
>
> I'm afraid that I'm lost as to what problem you are trying to solve.
>
> Does anyone else on the list recognize what Robert is asking? A search on my XP system for "tcp proxy bridge" came up empty.
>

I've read Robert's question several more times and I'll offer a wild-assed guess:

Systems in the 'loc' zone attempt a TCP connection to *some ip address*:14143 -- these connections are redirected by the firewall to <server ip>:24243 where <server ip> is the IP address of a system somewhere in the 'net' zone.

If that is what you want to do, then in /etc/shorewall/rules:

DNAT loc net:<server ip>:24243 tcp 14143 - <*some ip address*>

You'll have to fill in the appropriate *some ip address*.

-Tom

If you have an ACCEPT loc->net policy then you can use DNAT- rather than DNAT.

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hopefully I can clear things up a little.

I have a vendor-provided application that is firewall aware. It needs to connect to the vendor server via the net on port 24243. I have set the package to point to the local firewall interface on port 14143. I need to proxy this out to the vendor server on port 24243 via the firewall net interface.

On NT I was using an Avirt proxy/Firewall that allowed this to be set up using point and click but hid the actual rules.

This would be similar to having pcAnywhere on my local network initiating contact to a server on the Internet through the firewall.

I hope this helps explain the problem.

Bob
Thanks Tom... Problem solved. A modification of your suggestion did the job.

DNAT loc net:<server ip>:24243 tcp 14143

I was making it much too complicated.

Bob
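The two rule variants in this thread differ only in the ORIGINAL DEST column: Tom's version matches connections aimed at one specific address, Bob's final version (no column) rewrites every loc-side connection to tcp/14143 whatever address it was aimed at. The script below is an added example, not code from the thread or from Shorewall: it renders both /etc/shorewall/rules lines, the flattened netfilter commands each amounts to, and a small matcher that shows which client connections each variant redirects. The values it uses are constructed: eth0/eth1 come from Bob's setup, 10.1.10.1 is an assumed loc address for the firewall (what the application was pointed at), and 192.0.2.10 stands in for the vendor's <server ip>.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Compares the DNAT
# rule with and without an ORIGINAL DEST match and shows what each redirects.
#
# Constructed values: loc interface eth0 and net interface eth1 (from Bob's
# setup), an assumed firewall loc address 10.1.10.1, and 192.0.2.10
# (TEST-NET-1, not a real host) as a placeholder for the vendor's <server ip>.
LOC_IF=eth0
NET_IF=eth1
FW_LOC_IP=10.1.10.1
SERVER_IP=192.0.2.10
LOCAL_PORT=14143
REMOTE_PORT=24243

# One /etc/shorewall/rules line. Shorewall 2.0 columns:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
# $1 is the ORIGINAL DEST column; "-" means any address, as in Bob's final rule.
shorewall_rule() {
    printf 'DNAT\tloc\tnet:%s:%s\ttcp\t%s\t-\t%s\n' \
        "$SERVER_IP" "$REMOTE_PORT" "$LOCAL_PORT" "$1"
}

# The nat-table rule that entry boils down to (Shorewall really puts it in its
# own per-zone chains; this is the flattened form). With "-" there is no -d
# match, so every loc -> anywhere:14143 connection is rewritten, not only the
# ones the application sends to the firewall's own address.
nat_equivalent() {
    if [ "$1" = "-" ]; then
        dmatch=""
    else
        dmatch=" -d $1"
    fi
    printf 'iptables -t nat -A PREROUTING -i %s%s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LOC_IF" "$dmatch" "$LOCAL_PORT" "$SERVER_IP" "$REMOTE_PORT"
}

# Plain DNAT also opens the post-rewrite forward path in the filter table.
# With an ACCEPT loc->net policy that part is already covered, which is why
# Tom mentions DNAT- (nat entry only) as the alternative.
filter_equivalent() {
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$LOC_IF" "$NET_IF" "$SERVER_IP" "$REMOTE_PORT"
}

# Would a loc client's connection to $1:$2 be redirected under ORIGINAL DEST $3?
# Prints "redirect" or "pass" (pass = untouched, handled by the ordinary policy).
dnat_applies() {
    dst_ip=$1; dst_port=$2; orig_dest=$3
    if [ "$dst_port" = "$LOCAL_PORT" ] && { [ "$orig_dest" = "-" ] || [ "$orig_dest" = "$dst_ip" ]; }; then
        echo redirect
    else
        echo pass
    fi
}

# Stand-alone run: print both variants and try two sample connections against each.
for od in "-" "$FW_LOC_IP"; do
    echo "== ORIGINAL DEST = $od =="
    shorewall_rule "$od"
    nat_equivalent "$od"
    filter_equivalent
    echo "client -> $FW_LOC_IP:$LOCAL_PORT  : $(dnat_applies "$FW_LOC_IP" "$LOCAL_PORT" "$od")"
    echo "client -> 203.0.113.5:$LOCAL_PORT : $(dnat_applies 203.0.113.5 "$LOCAL_PORT" "$od")"
done
```

Run it as `sh dnat_compare.sh`. The second sample connection (to 203.0.113.5, a constructed address) is the one worth noticing: under Bob's column-less rule it is silently rewritten to the vendor server too, so if some other host on 10.1.10.0/24 ever talks to tcp/14143 elsewhere, it will end up at the vendor instead. Filling in ORIGINAL DEST with the firewall's loc address, as in Tom's original suggestion, keeps the redirect limited to the connections the application actually makes.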
> Hopefully I can clear things up a little.
> I have a vendor provided application that is firewall aware. It needs to
> connect to the vendor server via the net on port 24243.
> I have set the package to point to the local firewall interface on port
> 14143. I need to proxy this out to the vendor server on port 24243 via the
> firewall net interface.
>
> On NT I was using an Avirt proxy/Firewall that allowed this to be set up
> using point and click but hid the actual rules.
> This would be similar to having pc anywhere on my local network imitating
> contact to a server on the Internet thru the firewall.

If you want to do it in a similar way, you can do it with balance
http://www.inlab.de/balance.html

I'm using it in different places with success. I have also created my own rpms, available here
http://www.invoca.ch/pub/packages/balance/

What you want can most likely be done in several different ways, a tcp proxy is just one way.

Simon

>
> I hope this helps explain the problem.
>
> Bob
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
>