While I didn't get this detailed, I have been able to accomplish (at least in
testing) what it was that I wanted.  The following are the additions that I
made; only the relevant parts of each definition will be listed.

network.conf
EXTERN_UDP_PORTS="0/0_1494 0/0_17"
EXTERN_TCP_PORTS="remote.ip.add.ress/32_1494"
INTERN_SERVERS="tcp_external.ip.add.ress_1494_internal.ip.add.ress_1494"
INTERN_AUTOFW0="-A -r udp 1494 1694 -h internal.ip.add.ress"

svi network reload

ipchains -I INPUT 1 -s remote.ip.add.ress/32 -d external.ip.add.ress/32 1494 \
    -p tcp -j ACCEPT
ipmasqadm portfw -a -P tcp -L remote.ip.add.ress 1494 \
    -R internal.ip.add.ress 1494


After all of the above I can get it to work.  However, there are a couple of
things that I don't like about this setup.  First is the very first
EXTERN_UDP line.  When I changed it from 0/0_1494 to specify the exact IP
address, it would no longer work.  Once I changed it back to world-open, it
would work.  This really puts my network at risk.  There are a couple of
fail-safes, I guess, using hosts.allow and hosts.deny, but it still seems a
little wrong to me.  Secondly, I can only make this available (the first
time) manually; I do not know how to add the above ipchains rules to something
more automated.  And in reference to the ipchains command, I get an error
"ipchains: No target by that name".  Although it still works, I'd like to be
able to remove the error and make it more automatic, in case of power
failure.

I'm still open to suggestions; I have an hour or two this morning before I
have to really make it available to the vendor.  Any thoughts from the list?

Joey
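The network.conf entries and the two manual commands in the message above, and Andrew's ipfilter.conf snippet further down the thread, both come down to mapping LEAF's config variables onto ipmasqadm portfw/autofw calls and an ipchains INPUT rule. The POSIX sh script below is an added example, not code from the LEAF project or from anyone on this list, that performs that mapping as a dry run: it parses an INTERN_SERVERS entry in the proto_extip_extport_intip_intport form the thread uses, passes an INTERN_AUTOFW0 string through, and prints the commands implied, once with the source restricted to the vendor's /32 and once with the 0/0 source, so the two rule sets can be compared before either is put into a boot-time script. The addresses are placeholders from documentation ranges and the function names are mine; nothing here executes ipchains or ipmasqadm.

```shell
#!/bin/sh
# Added example: not LEAF code and not from any poster on this thread.
# Prints (does not run) the ipchains/ipmasqadm commands implied by
# network.conf-style settings, so a rule set can be reviewed before it
# goes into a boot-time script.  Addresses are placeholders (RFC 5737).

REMOTE_IP="203.0.113.10"     # assumed: the vendor's source address
EXTERN_IP="198.51.100.5"     # assumed: the firewall's external address
INTERN_IP="192.168.1.202"    # the internal Citrix server named in the thread

# Same formats the thread uses in network.conf.
INTERN_SERVERS="tcp_${EXTERN_IP}_1494_${INTERN_IP}_1494"
INTERN_AUTOFW0="-A -r udp 1494 1694 -h ${INTERN_IP}"

# One INTERN_SERVERS entry (proto_extip_extport_intip_intport) becomes one
# "ipmasqadm portfw" command.  Splitting is done with IFS, no external tools.
portfw_cmd() {
    oldifs=$IFS
    IFS=_
    set -- $1
    IFS=$oldifs
    if [ $# -ne 5 ]; then
        echo "malformed INTERN_SERVERS entry: $*" >&2
        return 1
    fi
    echo "ipmasqadm portfw -a -P $1 -L $2 $3 -R $4 $5"
}

# The ipchains INPUT rule that lets traffic reach the forwarded port.
# $1 is a CIDR source: the vendor's /32 restricts it, 0/0 opens it to the world.
# $2 is the external address, $3 the port, $4 the protocol.
input_rule() {
    echo "ipchains -I INPUT 1 -s $1 -d $2/32 $3 -p $4 -j ACCEPT"
}

# An INTERN_AUTOFW0 string is handed to "ipmasqadm autofw" unchanged.
autofw_cmd() {
    echo "ipmasqadm autofw $1"
}

# Full rule set for one source: TCP and UDP INPUT rules, the static
# port forward(s), and the UDP range forward.
rules_for() {
    input_rule "$1" "$EXTERN_IP" 1494 tcp
    input_rule "$1" "$EXTERN_IP" 1494 udp
    for entry in $INTERN_SERVERS; do
        portfw_cmd "$entry" || return 1
    done
    autofw_cmd "$INTERN_AUTOFW0"
}

echo "# rules restricted to the vendor's address:"
rules_for "$REMOTE_IP/32"
echo "# rules with the world-open source the message above fell back to:"
rules_for "0/0"
```

Running it with sh prints both variants one after the other; only the source on the two ipchains lines differs between them, and that is exactly where the exposure the message complains about lives. Where a script emitting the /32 variant would be hooked into the LEAF boot sequence is not something this thread settles, so that step is left as it is.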


-----Original Message-----
From: Andrew G. Gray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 9:45 PM
To: [EMAIL PROTECTED]; guitarlynn;
[EMAIL PROTECTED]
Subject: RE: [leaf-user] allowing internal connections w/o IPSec

I have done, in the past, something like this for vnc, and I believe it should
work for you.   You may need to add extra to portforward any other companion
ports.  I had a need for several connections for different machines here.

in Network.conf in the intern servers section added

#INTERN_VNC_SERVER2=192.168.45.47       # Internal VNC server to make available
#EXTERN_VNC_PORT2=49612                 # External port to use for internal VNC access

in ipfilter.conf added the following in the same area as the other internal
server info (about 600 to 700 lines from the top)

if [ -n "$INTERN_VNC_SERVER2" ] ; then
    if [ -n "$EXTERN_VNC_PORT2" ] ; then
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_VNC_PORT2 \
            -R $INTERN_VNC_SERVER2 vnc
        $IPMASQADM portfw -a -P udp -L $EXTERN_IP $EXTERN_VNC_PORT2 \
            -R $INTERN_VNC_SERVER2 vnc
    else
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP vnc \
            -R $INTERN_VNC_SERVER2 vnc
        $IPMASQADM portfw -a -P udp -L $EXTERN_IP vnc \
            -R $INTERN_VNC_SERVER2 vnc
    fi
fi

I also defined the vnc port in the /etc/services file, but you can specify
the port number directly.   I believe this should forward the ports you
need.  Add more to whatever you decide to call it in network.conf, and lines in
ipfilter.conf for any further ports you need for Citrix; then, before saving,
you can

svi network uplifter reload

to test it.

Hope this helps
Andrew Gray

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Joey Officer
Sent: Fri, 16 Aug 2002 11:11 AM
To: guitarlynn; [EMAIL PROTECTED]
Subject: RE: [leaf-user] allowing internal connections w/o IPSec


Lynn, I read your write-up on port forwarding in the FAQ on the
leaf/sourceforge website, but I'm not 100% sure if I am truly forwarding.
Off thread (my fault), I have been able to get the following:
I can telnet to 216.201.149.162 and I get an ICA prompt

When I run the citrix client (although I just checked something, I have not
opened the UDP port) I get no response.. checking the UDP thing now...

Still no good... so this is what I have done thus far

EXTERN_TCP_PORTS="24.167.33.0/32_1494"
EXTERN_UDP_PORTS="24.167.33.0/32_1494"
EXTERN_PROTO3="17 24.167.33.0/32"      # added this most recently to allow UDP protocol open
INTERN_SERVERS="tcp_216.201.149.162_1494_192.168.1.202_1494"
                    ^^^ this is ext.ip   ^^^ this is int.ip

joey



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of guitarlynn
Sent: Thursday, August 15, 2002 7:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] allowing internal connections w/o IPSec

On Thursday 15 August 2002 18:45, Joey Officer wrote:
> Unless I didn't restart the services properly (I'll show below, this
> is what I did)
>
> EXTERN_TCP_PORTS="remote.address/32_1494"
> EXTERN_UDP_PORTS="remote.address/32_1494"
> INTERN_ICA_SERVER=192.168.1.202
>
> And then
>
> svi network reload
>
> from the remote host (we are using citrix in this scenario)
>
> citrix client is told to look at the external IP of the LRP box.
> This is where I am stuck...

joey

Have you portforwarded this port to the desired machine???
With the lines you have added, you are simply opening the
ports to the firewall.... not sending the ports to a masq'ed machine.
--

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


