Hi, I am wondering if it is possible to do the following with Shorewall. I operate a network with some additional IPs that are SNAT'd to various server machines on my network. One of my machines is a Terminal server. I need to be able to RDP to various servers for clients that are IP locked for RDP on my PtP address, not the SNAT address of my Terminal server. Can I masquerade all outgoing RDP traffic (TCP 3389) to present as my PtP address as opposed to the SNAT address of the Terminal server that gets presented everywhere else?
On May 9, 2010, at 6:07 PM, Marcus Limosani wrote:

> Can I masquerade all outgoing RDP traffic (TCP 3389) to present as my PtP address as opposed to the SNAT address of the Terminal server that gets presented everywhere else?

Yes. man shorewall-masq and look at example 5.

-Tom
I had thought that it was possible, but I can't seem to get the syntax quite right.

    ppp0 eth1 <my PtP Address> tcp 3389
    #
    ppp0 192.168.0.0/24

I still have internet access, but the RDP is still not operating. I also get this message when I run shorewall:

    Compiling...
    WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : /etc/shorewall/masq (line 18)
    Shorewall configuration compiled to /var/lib/shorewall/.restart
    Restarting Shorewall....
    Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
    done.

I am presently running 4.4.5.4.
Figured out the warning message. Changed the eth1 to 192.168.0.0/24.
On 5/10/10 1:14 AM, Marcus Limosani wrote:

> I had thought that it was possible, but I can't seem to get the syntax quite right.
>
> ppp0 eth1 <my PtP Address> tcp 3389
> #
> ppp0 192.168.0.0/24
>
> I still have internet access, but the RDP is still not operating.

We're going to need more than "It doesn't work" to help you further. See http://www.shorewall.net/support.htm#Guidelines.

> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall....
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

I'd like to find out where that warning is coming from. Would you send me (privately) your /var/lib/shorewall/firewall file?

Thanks,
-Tom

--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
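As an added illustration (not from the thread or from the Shorewall project), a constructed /etc/shorewall/masq fragment showing why the port-specific entry has to come before the general ones: Shorewall emits the POSTROUTING rules in file order and the first match wins. The addresses, the Terminal server at 192.168.0.10 and the 4.4 column layout (INTERFACE SOURCE ADDRESS PROTO PORT(S)) are assumptions here.

```text
#INTERFACE  SOURCE            ADDRESS        PROTO  PORT(S)
#
# Constructed example. Addresses are placeholders: 192.0.2.1 stands
# for the ppp0 PtP address, 192.0.2.20 for the additional public IP
# that the Terminal server (192.168.0.10) is normally SNAT'd to.
#
# --- Ordering that does NOT work for RDP (kept as comments) ---
# The Terminal server's general SNAT entry matches every packet from
# 192.168.0.10 first, so the tcp/3389 entry below it is never reached
# and RDP still leaves as 192.0.2.20.
#ppp0       192.168.0.10      192.0.2.20
#ppp0       192.168.0.0/24    192.0.2.1      tcp    3389
#ppp0       192.168.0.0/24
#
# --- Corrected ordering ---
# Most specific entry first: outbound RDP from the whole LAN leaves as
# the PtP address, everything else from the Terminal server keeps its
# dedicated public IP, and the rest of the LAN is masqueraded
# (empty ADDRESS = MASQUERADE, i.e. ppp0's own address).
# SOURCE is a subnet rather than "eth1", so Shorewall does not need
# eth1 to be up when it compiles (the warning seen in the thread).
ppp0        192.168.0.0/24    192.0.2.1      tcp    3389
ppp0        192.168.0.10      192.0.2.20
ppp0        192.168.0.0/24
```

Run `shorewall check` before restarting, then confirm the generated order with `shorewall show nat`: the tcp/3389 SNAT rule should appear above the general entries in POSTROUTING.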