Hi,

I'd like to configure Shorewall to accept my incoming connection (from the Internet) on tcp port 3389, replace my source IP address with the firewall's IP (external address), then forward it to another server on port 3389. Basically, a proxy function for TCP 3389.

So, I need Shorewall to masquerade the connection, then forward the connection out the same physical interface.

Can anyone suggest a solution?

thanks!
On 5/2/07, blue caddy <nomorecaddy@yahoo.com> wrote:
> I'd like to configure Shorewall to accept my incoming connection (from the Internet) on tcp port 3389, replace my source IP address with the firewall's IP (external address), then forward it to another server on port 3389. Basically, a proxy function for TCP 3389.
>
> So, I need Shorewall to masquerade the connection, then forward the connection out the same physical interface.
>
> Can anyone suggest a solution?

This sounds like FAQ #1: http://shorewall.net/FAQ.htm#faq1
blue caddy wrote:
> I'd like to configure Shorewall to accept my incoming connection (from the Internet) on tcp port 3389, replace my source IP address with the firewall's IP (external address), then forward it to another server on port 3389. Basically, a proxy function for TCP 3389.
>
> So, I need Shorewall to masquerade the connection, then forward the connection out the same physical interface.
>
> Can anyone suggest a solution?

Sure. Use a DNAT rule and an entry in /etc/shorewall/masq. Remember though that DNAT occurs *before* SNAT; DNAT occurs when the packet is first received while SNAT occurs just before the packet is sent.

Shorewall FAQ 2 shows an example.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
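The DNAT-plus-masq arrangement Tom describes, written out as Shorewall configuration fragments. This is an added example, not text from the thread or from the Shorewall FAQ; `eth0` as the `net` interface and `203.0.113.10` as the target server are constructed placeholders, and restricting the masq entry to that one destination is the example's own choice rather than something the thread specifies.

```text
# /etc/shorewall/interfaces
# routeback is needed because the forwarded connection leaves on the
# same interface it arrived on (eth0 is an assumed interface name).
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routeback

# /etc/shorewall/rules
# DNAT is applied first, when the packet is received: the destination
# is rewritten to the target server. 203.0.113.10 is a constructed
# placeholder for the real server address.
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
DNAT    net     net:203.0.113.10    tcp     3389

# /etc/shorewall/masq
# SNAT is applied last, just before the packet is sent: the client's
# source address is replaced with eth0's address. The :203.0.113.10
# qualifier limits the masquerading to packets headed for the forwarded
# server, so other traffic leaving eth0 keeps its original source.
#INTERFACE          SOURCE      ADDRESS
eth0:203.0.113.10   0.0.0.0/0
```

After `shorewall restart`, `shorewall show nat` lists the generated DNAT and MASQUERADE entries, which is the quickest way to confirm both halves of the translation are in place and that the masquerading is scoped to the one destination.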
Thanks Tom,

I got it up and running now. Is adding the routeback option to my 'net' interface a vulnerability?

Blue

----- Original Message ----
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, May 2, 2007 8:32:48 AM
Subject: Re: [Shorewall-users] SNAT then DNAT

Sure. Use a DNAT rule and an entry in /etc/shorewall/masq. Remember though that DNAT occurs *before* SNAT; DNAT occurs when the packet is first received while SNAT occurs just before the packet is sent.

Shorewall FAQ 2 shows an example.

-Tom
blue caddy wrote:
> Thanks Tom,
>
> I got it up and running now. Is adding the routeback option to my 'net' interface a vulnerability?

No.

-Tom