[Shorewall-users] Access to internal host from Internet (net) and Local Net (lan) via public firewall IP
Dario Lesca
2017-05-22 14:17:05 UTC
My Shorewall firewall has 2 interfaces, net=1.1.1.1 and loc=192.168.1.254

I use a public external DNS host name called host.dom.org ("A" record
to 1.1.1.1) to connect to a specific internal LAN host.

I do not have and cannot set up an internal DNS to fake host.dom.org to
the internal host IP 192.168.1.1.

I have this NAT rule in the rules file for external connections:

DNAT net loc:192.168.1.1:22   tcp 22443 - 1.1.1.1

This works for all external "ssh -p22443 host.dom.org" (1.1.1.1)
connections.

But if I try to run the same command from an internal host (192.168.1.2) I
get a "connection refused".

Then I have tried adding this rule:

DNAT loc loc:192.168.1.1:22   tcp 22443 - 1.1.1.1

In this way, when I run ssh from a host on the internal LAN (192.168.1.2)
to the public name host.dom.org, I reach 1.1.1.1 via 22443, then the rule
redirects me to 192.168.1.1:22, but 192.168.1.1 sees me coming from
192.168.1.2 and tries to contact me directly via the LAN (tested with tcpdump
on 1.2).

Is it possible to configure Shorewall to allow access to the public name
host.dom.org (IP 1.1.1.1) from net and lan alike, without configuring an
internal DNS to redirect the public name "host.dom.org" to the local IP
192.168.1.1?

Many thanks for any reply
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
Tom Eastep
2017-05-22 14:35:09 UTC
Post by Dario Lesca
Is it possible to configure Shorewall to allow access to the public name
host.dom.org (IP 1.1.1.1) from net and lan alike, without configuring an
internal DNS to redirect the public name "host.dom.org" to the local IP
192.168.1.1?
This is Shorewall FAQ 2 - http://www.shorewall.net/FAQ.htm#faq2

-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
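Added example, not taken from this thread or from the Shorewall project's own files: the FAQ 2 approach written out as Shorewall 5 configuration fragments for the addresses used above. The interface names (eth0 for net, eth1 for loc) and the column layout of the rules and snat files are assumptions; on a Shorewall 4 box the snat entry would instead go in /etc/shorewall/masq. The DNAT rules alone only rewrite the destination; the snat entry is the missing piece, because without it 192.168.1.1 answers 192.168.1.2 directly on the LAN, the client sees a reply from the wrong address/port pair, and the connection is reset.

```text
# /etc/shorewall/rules   (assumed: net = eth0, loc = eth1)
#ACTION   SOURCE   DEST                  PROTO   DPORT   SPORT   ORIGDEST
# Internet clients connecting to the public address (the rule already in the thread)
DNAT      net      loc:192.168.1.1:22    tcp     22443   -       1.1.1.1
# LAN clients connecting to the same public address (hairpin / loopback NAT)
DNAT      loc      loc:192.168.1.1:22    tcp     22443   -       1.1.1.1

# /etc/shorewall/snat   (Shorewall 5; pre-5.0 equivalent lives in /etc/shorewall/masq)
#ACTION                SOURCE           DEST                PROTO   PORT
# Rewrite the source of hairpinned LAN connections to the firewall's LAN address,
# so the server's replies return through the firewall instead of going straight
# back to 192.168.1.2. Restricted to the server and port so that direct
# LAN -> 192.168.1.1:22 traffic keeps its real client source address.
SNAT(192.168.1.254)    192.168.1.0/24   eth1:192.168.1.1    tcp     22
```

Run `shorewall check` before `shorewall restart` to catch column mistakes. One side effect worth knowing as the administrator of 192.168.1.1: hairpinned logins will appear in its sshd logs as coming from 192.168.1.254, not from the real LAN client, which is the price of not running split DNS; the narrow snat entry keeps that loss of source information confined to connections made via the public name.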
Dario Lesca
2017-05-24 11:12:56 UTC
Post by Tom Eastep
This is Shorewall FAQ 2 - http://www.shorewall.net/FAQ.htm#faq2
Works!

Thanks!
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)