[Shorewall-users] DNAT PPTP questions

Tom Eastep teastep at shorewall.net
Thu Apr 1 06:26:27 PST 2004


tkrishna at iyka.com wrote:
>>Tom Eastep wrote:
>>
>>
>>>tkrishna at iyka.com wrote:
>>>
>>>
>>>
>>>>I tried the option DETECT_DNAT_IP=Yes; it did not help either.
>>>>
>>>>Any ideas?
>>>
>>>
>>>So exactly what criteria is the firewall to apply to decide which
>>>server to connect to?
>>
>>If my answer sounds flippant, you need to go back and read your post
>>from the point of view of those of us who know nothing about your
>>configuration other than what you have shown us.
>>
>>a) Your "rules" are using obviously fake IP addresses (WHY??? IP
>>addresses are not state secrets).
>>
> 
> 
> IP addresses are not state secrets, but that does not mean that I have to
> disclose IP addresses.  Again, I did not put in the actual public IP addresses,
> but the truth is the IP addresses are real, routable, valid IP addresses.
> 
> 
>>b) We therefore don't know if these addresses are RFC 1918 addresses or
>>not.
>>
> 
> The IP addresses are valid, so RFC 1918 does not apply here.  It's a
> 207.24.x.x address, so it's an actual address.
> 
> 
>>c) You are showing us DNAT rules which implies rewriting the destination
>> IP address.
>>
> 
> I need to be able to access two different PPTP servers.  That is the only
> requirement.  One of the servers is in the 207.24.x.x network and the other
> is in the 207.24.y.y network.  Other than DNAT, I am not sure if there is a way
> to route the call to the PPTP server.  The PPTP server uses two ports,
> 1723 and 47.  Shorewall looks at the rules file and applies the very
> first entry to all PPTP connections.
> 
> What I am saying is that if I have rules such as
> 
> DNAT net loc:207.24.x.1 tcp 1723
> DNAT net loc:207.24.x.1 47
> 
> and other rules below them stating
> 
> DNAT net loc:207.24.y.2 tcp 1723
> DNAT net loc:207.24.y.2 47
> 
> When a user requests a PPTP connection to 207.24.y.2, the request should be
> sent to 207.24.y.2, not to 207.24.x.1.
> 
> Is that clear?  How can I go about doing this?  If DNAT is not an option,
> maybe there is something else.  Any ideas?
> 

You still haven't read FAQ #30 -- you want ACCEPT rules rather than 
DNAT rules.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
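
The rules file fragment below is an added example, not part of the thread or of the Shorewall distribution. It shows the ACCEPT form Tom points to, using the poster's placeholder addresses 207.24.x.1 and 207.24.y.2 and the poster's `net` and `loc` zones, and assumes the Shorewall 2.x column layout of /etc/shorewall/rules. Both PPTP servers hold their own routable public addresses behind the firewall, so the firewall only has to route and permit the traffic; no destination address is rewritten, and each ACCEPT rule is keyed on the server the client actually asked for. The posted DNAT rules are kept, commented out, for contrast: with the ORIGINAL DEST column empty, a DNAT rule is not keyed on the packet's destination address, so the first DNAT rule for TCP 1723 (and the first for protocol 47) catches every PPTP connection arriving from `net`, which is the symptom the poster describes.

```text
#
# /etc/shorewall/rules -- added example (Shorewall 2.x column layout), not from the thread.
# 207.24.x.1 and 207.24.y.2 are the poster's placeholders for two PPTP servers
# that hold their own public addresses behind the firewall.
#
#ACTION   SOURCE   DEST              PROTO   DEST    SOURCE    ORIGINAL
#                                            PORT    PORT(S)   DEST
#
# PPTP control channel (TCP 1723) and GRE (IP protocol 47) to the first server.
ACCEPT    net      loc:207.24.x.1    tcp     1723
ACCEPT    net      loc:207.24.x.1    47
#
# Same two rules for the second server; the DEST column selects the server,
# so both pairs can coexist and ordinary routing delivers each request.
ACCEPT    net      loc:207.24.y.2    tcp     1723
ACCEPT    net      loc:207.24.y.2    47
#
# The DNAT form from the thread, disabled. With ORIGINAL DEST left empty,
# the first DNAT rule for 1723 (and for 47) matches every PPTP connection
# from net, regardless of which server address the client used, so the
# second pair of DNAT rules is never reached.
#DNAT     net      loc:207.24.x.1    tcp     1723
#DNAT     net      loc:207.24.x.1    47
#DNAT     net      loc:207.24.y.2    tcp     1723
#DNAT     net      loc:207.24.y.2    47
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Check the result with `shorewall check` before restarting, and confirm that the firewall actually has routes to both servers through the `loc` interface: with ACCEPT rules the firewall decides where a packet goes by routing on its unchanged destination address, so a server that is not reachable via `loc` will not be helped by these rules.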