Hi,

> Firstly I would like to say thank you to everyone who has had a
> hand in producing and maintaining Shorewall. I have been using it for
> 4 years and it does a great job of hiding the internals of iptables
> and therefore simplifying firewall setup for me.
>
> Now down to the nitty gritty.
>
> Basically what I want to do is forward an external connection to a VPN client.
>
> Both the firewall and VPN server are on the same machine.
>
> Naively I just tried to do a straight DNAT in /etc/shorewall/rules:-
>
> DNAT:info net vpn:10.9.0.6 tcp 5500 -
>
> Activity to this port is getting logged but isn't getting to the IP in
> question:-
>
> Sep 11 12:15:27 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=10287 DF PROTO=TCP SPT=40832 DPT=5500 WINDOW=65535 RES=0x00 SYN URGP=0
> Sep 11 12:18:02 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=15726 DF PROTO=TCP SPT=40847 DPT=5500 WINDOW=65535 RES=0x00 SYN URGP=0
>
> If I telnet to 10.9.0.6 on port 5500 from the server, i.e. internally, I
> get a response:-
>
> Trying 10.9.0.6...
> Connected to 10.9.0.6.
> Escape character is '^]'.
>
> I'm sure this setup will look a little strange but I will explain why
> I am doing things this way. In a nutshell my ISP doesn't give me an
> external address or port forwarding (HSDPA network). To get around
> that I am using a VPN to a remote site that does have a public address
> and want to be able to forward relevant traffic to my VPN client.
>
> Can anyone help?
>
> Thanks hopefully in advance.
>
> John.

Is the 10.9.0.0 network part of the local network on your VPN box? If so, then your entry would look like this:
DNAT net local:10.9.0.6 tcp 5500

This is because your VPN box makes your VPN client part of the local network. Also make sure your VPN client receives a static address. I have this same setup for a VPN client, when a VNC client connects to me while I am on the road.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
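The reply's point is that the DEST zone in a DNAT rule has to be the zone the forwarded packet will actually be attributed to, which Shorewall decides from the interface the packet leaves through, not from the name the rule author expects. A DNAT rule installs two things: the nat-table rewrite (which is what the `net_dnat` log lines show matching) and an ACCEPT in the `<src>2<dest_zone>` forwarding chain; if the address really lives in another zone, the rewrite still fires and logs, but the forwarded packet is judged by a chain that has no matching ACCEPT. The following script is an added example written for this thread, not Shorewall's own code: it models that decision with a constructed interface-to-zone table and routing table (ppp0 to the ISP, tun0 as the VPN tunnel, eth0 as the LAN, all assumed), checks a rules-file DNAT line against it, and parses the quoted log line to show which stage the hit proves. Real Shorewall also consults /etc/shorewall/hosts and nested zones, which this simplified model leaves out.

```python
"""Zone-consistency check for a Shorewall DNAT rule (added example, not
Shorewall's own code).  INTERFACES, ROUTES and LOG_SAMPLE are constructed to
model the setup described in the thread."""
import ipaddress
import re

# Constructed /etc/shorewall/interfaces view: interface -> zone (assumed layout).
INTERFACES = {"ppp0": "net", "eth0": "local", "tun0": "local"}

# Constructed kernel routing table: (destination network, outgoing interface).
ROUTES = [("192.168.1.0/24", "eth0"), ("10.9.0.0/24", "tun0"), ("0.0.0.0/0", "ppp0")]

# First five columns of a DNAT line in /etc/shorewall/rules:
#   ACTION[:loglevel] SOURCE DEST[:address] PROTO DEST-PORT ...
RULE_RE = re.compile(
    r"^DNAT(?::(?P<log>\S+))?\s+(?P<src>\S+)\s+(?P<dest>\S+)\s+(?P<proto>\S+)\s+(?P<port>\S+)"
)
# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by iptables fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)")

# Constructed copy of one of the log lines quoted in the thread.
LOG_SAMPLE = (
    "Sep 11 12:15:27 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= "
    "SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=10287 DF "
    "PROTO=TCP SPT=40832 DPT=5500 WINDOW=65535 RES=0x00 SYN URGP=0"
)


def egress_interface(address, routes=ROUTES):
    """Longest-prefix match over the routing table, as the kernel would do."""
    ip = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_iface = network, iface
    if best_iface is None:
        raise ValueError(f"no route to {address}")
    return best_iface


def zone_of(address, interfaces=INTERFACES, routes=ROUTES):
    """Zone a packet forwarded to `address` is attributed to: the zone of the
    interface it leaves through."""
    return interfaces[egress_interface(address, routes)]


def parse_dnat_rule(line):
    """Split a DNAT rules line into its source zone, destination zone/address,
    protocol, port and optional log level."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DNAT rule: {line!r}")
    zone, _, address = m.group("dest").partition(":")
    return {"src": m.group("src"), "dest_zone": zone, "dest_addr": address,
            "proto": m.group("proto"), "port": m.group("port"), "log": m.group("log")}


def check_dnat_rule(line, interfaces=INTERFACES, routes=ROUTES):
    """Compare the zone named in the rule with the zone the address really sits
    in; on a mismatch, suggest the same rule with the zone corrected."""
    rule = parse_dnat_rule(line)
    actual = zone_of(rule["dest_addr"], interfaces, routes)
    stripped = line.strip()
    if actual == rule["dest_zone"]:
        return {"ok": True, "actual_zone": actual, "suggested": stripped}
    suggested = stripped.replace(f"{rule['dest_zone']}:{rule['dest_addr']}",
                                 f"{actual}:{rule['dest_addr']}", 1)
    return {"ok": False, "actual_zone": actual, "suggested": suggested}


def parse_log_line(line):
    """Split a Shorewall kernel log line into chain, disposition and the
    key=value fields (flags such as DF and SYN carry no value and are skipped)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    entry.update(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return entry


def dnat_log_stage(entry):
    """Chains named <zone>_dnat live in the nat table: a hit there only proves
    the rewrite matched, not that the forwarded packet was accepted."""
    return "nat-rewrite" if entry["chain"].endswith("_dnat") else "filter"


if __name__ == "__main__":
    print(check_dnat_rule("DNAT:info net vpn:10.9.0.6 tcp 5500 -"))
    print(dnat_log_stage(parse_log_line(LOG_SAMPLE)))
```

Run against the rule from the original post, the check reports that 10.9.0.6 is reached via tun0 and therefore belongs to `local`, and suggests `DNAT:info net local:10.9.0.6 tcp 5500 -`; the log parser classifies the quoted `net_dnat` entries as nat-table rewrites only, which is why logging shows activity while nothing reaches the client. On a real box the equivalent confirmation is to look at which `net2*` chain the forwarded packet lands in rather than at the `_dnat` log prefix alone.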
