On 5/22/2017 7:17 AM, Dario Lesca wrote:
> My shorewall firewall has 2 interfaces, net=1.1.1.1 and loc=192.168.1.254
> 
> I use a public external DNS host name called host.dom.org ("A" record
> to 1.1.1.1) to connect to a specific internal LAN host
> 
> I do not have and cannot set up an internal DNS to fake host.dom.org to
> the internal host IP 192.168.1.1
> 
> I have this NAT rule in the rules file for external connections:
> 
>     DNAT net loc:192.168.1.1:22   tcp 22443 - 1.1.1.1
> 
> This works for all external "ssh -p22443 host.dom.org" (1.1.1.1)
> connections
> 
> But if I try to run the same command from an internal host (192.168.1.2) I
> get a "connection refused"
> 
> Then I tried adding this rule:
> 
>     DNAT loc loc:192.168.1.1:22   tcp 22443 - 1.1.1.1
> 
> In this way, when I run ssh from a host in the internal LAN (192.168.1.2)
> to the public name host.dom.org I jump to 1.1.1.1 via 22443, then the rule
> redirects me to 192.168.1.1:22, but 192.168.1.1 sees me coming from
> 192.168.1.2 and tries to contact me directly via the LAN (tested with tcpdump
> on 1.2)
> 
> Is it possible to configure shorewall to allow access to the public name
> host.dom.org (IP 1.1.1.1) from net and lan alike, without configuring an
> internal DNS to redirect the public name "host.dom.org" to the local IP
> 192.168.1.1?
> 
> Many thanks for your reply
> 

This is Shorewall FAQ 2 - http://www.shorewall.net/FAQ.htm#faq2

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
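As an added illustration (not part of the thread, and not Shorewall's or netfilter's code), a small Python model of the loc-to-loc case Dario describes: the DNAT rule rewrites the destination, but because the server still sees 192.168.1.2 as the source it answers over the LAN from 192.168.1.1:22, which does not match the 1.1.1.1:22443 connection the client opened. The same model with the loc-to-loc DNAT traffic additionally source-NATed to the firewall's LAN address (192.168.1.254 here; an assumption of this example, not a line from the thread) shows the reply returning through the firewall and being un-NATed.

```python
# Constructed model of the loc -> loc (hairpin) DNAT case from the thread.
# Addresses come from the question; the NAT bookkeeping is a simplified
# stand-in for conntrack, not Shorewall's or netfilter's code.
from dataclasses import dataclass

FW_NET = "1.1.1.1"        # firewall's public (net) address
FW_LOC = "192.168.1.254"  # firewall's LAN (loc) address
SERVER = "192.168.1.1"    # internal SSH host behind the DNAT rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        self.conntrack = {}  # reply tuple -> original client packet

    def forward(self, pkt: Packet) -> Packet:
        # DNAT tcp 22443 on 1.1.1.1 to 192.168.1.1:22, as in the rules file.
        if (pkt.dst, pkt.dport) != (FW_NET, 22443):
            return pkt
        src = FW_LOC if self.snat_hairpin else pkt.src  # optional SNAT
        out = Packet(src, pkt.sport, SERVER, 22)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, pkt: Packet) -> Packet:
        # Un-NAT a reply the firewall actually sees, back to 1.1.1.1:22443.
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt if orig is None else Packet(orig.dst, orig.dport, orig.src, orig.sport)


def hairpin_ssh(snat_hairpin: bool) -> bool:
    # True if the LAN client's reply matches its connection to 1.1.1.1:22443;
    # False reproduces the "connection refused" from the question.
    fw = Firewall(snat_hairpin)
    client = Packet("192.168.1.2", 40000, FW_NET, 22443)
    to_server = fw.forward(client)
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    # A reply to a LAN host other than the firewall goes straight over the LAN
    # (what tcpdump on 192.168.1.2 showed) and never reaches the firewall.
    delivered = fw.reverse(reply) if reply.dst == FW_LOC else reply
    return (delivered.src, delivered.sport) == (client.dst, client.dport)
```

Calling hairpin_ssh(False) reproduces the failure from the question and hairpin_ssh(True) the working hairpin; the trade-off of the SNAT approach is that the internal server then logs every LAN client as 192.168.1.254.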