Version 8 (modified by ibaldin, 8 years ago)


Using Shorewall DNAT proxy with ORCA


Support for Shorewall DNAT proxy is integrated into ORCA's EC2 handler that operates on Eucalyptus/NEuca installations. All configuration parameters are located in the file. Parts of that file relevant to Shorewall proxy are shown below.


After following the INSTALL file instructions for Shorewall DNAT proxy, make sure to add the user under which ORCA runs to group 'shorewall' on the host where Shorewall and the DNAT proxy are installed. Be sure that the public SSH key of that user is in '.ssh/authorized_keys' on the Shorewall host (allowing password-less login) and put the private key under /opt/orca/config/orca-proxy-ssh-key.

To test, verify that you can SSH as the ORCA user from the host with the AM to the Shorewall host without being prompted for a password:

$ ssh -i /opt/orca/config/orca-proxy-ssh
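
A preflight check for the setup above, as an added example that is not part of the original page or of ORCA: it confirms the private key is not accessible to group or other, that key-based login works without any prompt, and that the remote user is in group 'shorewall'. PROXY_USER and PROXY_HOST are placeholder values to replace with the proxy's username and address.

```sh
#!/bin/sh
# Added example: preflight checks for the ORCA -> Shorewall proxy SSH setup.
# The key path and the 'shorewall' group come from the page; PROXY_USER and
# PROXY_HOST are placeholders (assumptions) for your own proxy settings.
KEY="${KEY:-/opt/orca/config/orca-proxy-ssh-key}"
PROXY_USER="${PROXY_USER:-orca}"                 # placeholder
PROXY_HOST="${PROXY_HOST:-proxy.example.org}"    # placeholder

# Succeeds only if $1 is a regular file with no group/other permission bits.
# OpenSSH refuses to use a private key that other users can access.
key_perms_ok() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;   # e.g. 640, 644
    esac
}

# Succeeds if group name $1 is a whole word in the space-separated list $2
# (the output format of `id -nG`).
in_group_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Full check against the proxy host. BatchMode=yes makes ssh fail instead of
# prompting, so a password fallback cannot hide a broken key setup.
preflight() {
    key_perms_ok "$KEY" ||
        { echo "FAIL: $KEY is missing or accessible to group/other" >&2; return 1; }
    remote_groups=$(ssh -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
        -o ConnectTimeout=10 "$PROXY_USER@$PROXY_HOST" id -nG) ||
        { echo "FAIL: key-based login to $PROXY_HOST did not succeed" >&2; return 1; }
    in_group_list shorewall "$remote_groups" ||
        { echo "FAIL: $PROXY_USER is not in group 'shorewall' on $PROXY_HOST" >&2; return 1; }
    echo "OK: password-less login works and $PROXY_USER is in group 'shorewall'"
}

# Contact the proxy only when asked, so the helpers can be used offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with `--run` as the user under which ORCA runs, on the host with the AM.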

ORCA Proxy configuration (Camano 3.0+)

The ORCA handler supports configuring a proxy for the created instance for situations when instances are created within a private address space separated from the public Internet. Currently SHOREWALL-DNAT proxy is supported. The following properties are used by the handler (specified in, see NEuca handler):

  • Whether proxy should be used at all (true|false)
  • The type of proxy (currently supported types: 'SHOREWALL-DNAT')
  • IP address of proxy host
  • Username on the proxy authorized to make configuration changes
  • Filename containing private SSH key of the authorized user (absolute path)
  • Path to shorewall scripts on proxy

For more details see NEuca handler and NEuca handler testing.


ORCA returns the Shorewall DNAT proxy output to the user in the unit.manage.ip and unit.manage.port properties.