Hi All!

I have a happy Shorewall user who needs something that should be quite simple, but for the life of me I just cannot figure it out! Well, other than a SNAT rule!

Two users on the internal network need to make RDP connections to the parent company's Terminal Server on a non-standard port. Needless to say, the two external IP addresses they will be allocated are available, and they will both connect to the same remote IP address!

Two internal users are 192.168.1.101 and 192.168.1.193 and need to SNAT out on IPs 206.205.204.203 and 206.205.204.204 respectively, and be limited to accessing port 3399 on remote IP 223.224.225.226.

The customer is out in the boon-docks and only has a 1M internet connection, and with over 200 users bandwidth is tight. Normal masq is limited to a few users. I have two simple nat rules that allow two servers unrestricted access. The rest of the users are controlled through squid.

All ideas of how to achieve the above would be welcomed!

Ang
--
Angela Williams angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Yeshua Loves You!

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
On 11/29/2013 5:14 AM, Angela Williams wrote:
> Hi All!
>
> I have a happy Shorewall user who needs something that should be quite
> simple, but for the life of me I just cannot figure it out! Well, other
> than a SNAT rule!
>
> Two users on the internal network need to make RDP connections to the
> parent company's Terminal Server on a non-standard port. Needless to say,
> the two external IP addresses they will be allocated are available, and
> they will both connect to the same remote IP address!
>
> Two internal users are 192.168.1.101 and 192.168.1.193 and need to SNAT
> out on IPs 206.205.204.203 and 206.205.204.204 respectively, and be
> limited to accessing port 3399 on remote IP 223.224.225.226.
>
> The customer is out in the boon-docks and only has a 1M internet
> connection, and with over 200 users bandwidth is tight. Normal masq is
> limited to a few users. I have two simple nat rules that allow two
> servers unrestricted access. The rest of the users are controlled through
> squid.
>
> All ideas of how to achieve the above would be welcomed!

/etc/shorewall/rules:

ACCEPT loc:192.168.1.101,192.168.1.193 net:<RDP ip> tcp 3399

/etc/shorewall/masq

<external if>:<RDP ip> 192.168.1.101 206.205.204.203
<external if>:<RDP ip> 192.168.1.193 206.205.204.204

Where:

<external if> is the firewall's external interface
<RDP ip> is the IP address of the RDP server

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
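As an added illustration (my own code, not Shorewall's and not part of the thread): a small Python model of the two entries in Tom's reply, with eth0 standing in for <external if> and 223.224.225.226 for <RDP ip>, that shows which flows the ACCEPT rule admits and which public address each of the two users leaves with. It also shows the edge cases a practitioner would want to confirm: the wrong port or a third internal host is not accepted, and traffic from those users to any other destination is not mapped to the dedicated addresses, so it falls through to the normal masq entries.

```python
# Added example: toy model of the masq/rules lines from Tom's reply.
# Assumes eth0 is <external if>; all addresses come from the thread.
# Real Shorewall semantics (zones, policies, ranges) are richer than this.
import ipaddress

MASQ = """\
#INTERFACE:DEST         SOURCE          ADDRESS
eth0:223.224.225.226    192.168.1.101   206.205.204.203
eth0:223.224.225.226    192.168.1.193   206.205.204.204
"""

RULES = """\
#ACTION SOURCE                          DEST                PROTO DPORT
ACCEPT  loc:192.168.1.101,192.168.1.193 net:223.224.225.226 tcp   3399
"""


def _entries(text):
    """Columns of each non-comment, non-blank config line."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _in(addr, spec):
    """True if addr is in a comma-separated list of hosts/networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in spec.split(","))


def accepted(src, dst, proto, dport):
    """Does a loc->net ACCEPT rule admit this flow? No match => not accepted."""
    for action, source, dest, prot, port in _entries(RULES):
        src_spec = source.split(":", 1)[1]   # strip the "loc:" zone prefix
        dst_spec = dest.split(":", 1)[1]     # strip the "net:" zone prefix
        if (action == "ACCEPT" and proto == prot and str(dport) == port
                and _in(src, src_spec) and _in(dst, dst_spec)):
            return True
    return False


def snat_for(src, dst, out_iface):
    """Public address a masq entry maps the flow to, or None if no
    dedicated entry matches (the generic masq entries then decide)."""
    for iface_dest, source, address in _entries(MASQ):
        iface, _, dest = iface_dest.partition(":")   # "eth0:1.2.3.4"
        if iface == out_iface and (not dest or _in(dst, dest)) and _in(src, source):
            return address
    return None


def evaluate(src, dst, proto, dport, out_iface="eth0"):
    """(accepted, public source address) for a flow leaving on out_iface."""
    if not accepted(src, dst, proto, dport):
        return (False, None)
    return (True, snat_for(src, dst, out_iface))
```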
Hi All AND Tom!

On 30/11/2013 19:46, Tom Eastep wrote:
> On 11/29/2013 5:14 AM, Angela Williams wrote:
>> Hi All!
>>
>> I have a happy Shorewall user who needs something that should be quite
>> simple, but for the life of me I just cannot figure it out! Well, other
>> than a SNAT rule!
>>
>> Two users on the internal network need to make RDP connections to the
>> parent company's Terminal Server on a non-standard port. Needless to say,
>> the two external IP addresses they will be allocated are available, and
>> they will both connect to the same remote IP address!
>>
>> Two internal users are 192.168.1.101 and 192.168.1.193 and need to SNAT
>> out on IPs 206.205.204.203 and 206.205.204.204 respectively, and be
>> limited to accessing port 3399 on remote IP 223.224.225.226.
>>
>> The customer is out in the boon-docks and only has a 1M internet
>> connection, and with over 200 users bandwidth is tight. Normal masq is
>> limited to a few users. I have two simple nat rules that allow two
>> servers unrestricted access. The rest of the users are controlled through
>> squid.
>>
>> All ideas of how to achieve the above would be welcomed!
>
> /etc/shorewall/rules:
>
> ACCEPT loc:192.168.1.101,192.168.1.193 net:<RDP ip> tcp 3399
>
> /etc/shorewall/masq
>
> <external if>:<RDP ip> 192.168.1.101 206.205.204.203
> <external if>:<RDP ip> 192.168.1.193 206.205.204.204
>
> Where:
>
> <external if> is the firewall's external interface
> <RDP ip> is the IP address of the RDP server

Wow, the solution that just works! We have a happy user!

It's only in retrospect that it all makes sense! I just kept trying to figure out a solution with SNAT in the masq file!

Thanks a mil, Tom!

Ang
--
Angela Williams angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Yeshua Loves You!