Re: iptables forwarding question

From: Jeroen Geilman (nospam_at_notadaptr.nl)
Date: 09/20/03


Date: Sat, 20 Sep 2003 12:28:42 +0000

Ryan Barnard wrote:

> Hi all,
>
> I currently have a home network which has a Slackware server as a
> firewall for my cable internet. The computers behind the firewall
> have a 192.168.0.# IP.
>
> I am trying to set the network up so somebody could go to
> "computerX.mydomain.com", where computerX is a computer on the private
> network. The reason being mainly so I can ssh into my home machine
> from off-site and do whatever.

Not possible, but see below...

> So, my big question is, where should I be looking to do this? I
> currently have a small iptables setup going to forward all the machine
> out to the internet, and I assume it is some iptables setting I need
> done, but I'm not too sure.

Let me see if I understand:

- You have multiple internal machines, named computer*
- You have one (1) public IP, NATted to all of these machines
- You want to be able to use regular SSH to connect to any one of these
machines.

What I said - not possible.

See, SSH uses port 22 - of which you have only one.

So how is the firewall to decide which of those machines gets the use of
port 22 at any time?

It doesn't - you have to tell it which one to forward SSH to.

A far better alternative would be to assign your internal machine a static
IP address (you do not say whether it's static or DHCP) and forward any and
all SSH traffic to that IP - this is quite simple in iptables:

- forward from * to IP on port 22 all NEW connections
- reply and forward from * to IP all ESTABLISHED connections

This is all you need to forward SSH from the outside to one machine.

If you want to be able to SSH to *any* machine, it is a far better idea to
use different port numbers for each machine, say 1022 for #1, 1122 for #2,
1222 for #3 etc.

Then map those ports to the correct internal IP's port 22 with iptables, or
alternatively just run SSH on those ports - SSH doesn't care what port you
use.

The latter makes for a simpler iptables config.

It is simply not possible to use DNS names on a single public IP to map to
different machines, since SSH doesn't use hostnames - it uses the IP
address, and you have only one public IP.

One of the few protocols that DO allow this is http 1.1; you can use it to
run multiple virtual servers off of one IP.

If you're feeling adventurous, you might investigate the DNS "SRV"
functionality; I know that this allows you to map a given service on a
domain to any port on any machine, but not many DNS servers implement this
yet, and it only works for entire domains, not hosts.

(M$ DS protocols use this technique)

-- 
Jeroen Geilman
Gentoo 1.4 rc4
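The two setups Jeroen describes (all inbound SSH to one internal host, or one public port per internal host, each mapped to that host's port 22), as an added example that is not part of the original thread. The interface names (eth0 facing the cable modem, eth1 facing the LAN) and the internal addresses 192.168.0.10 through .12 are assumptions, not taken from the post. The script prints the commands by default (DRY_RUN=1) so it can be read and checked safely; run it as root with DRY_RUN=0 to actually load the rules.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT inbound SSH through a
# one-public-IP iptables firewall, in the two forms Jeroen describes.
# Assumed names: WAN interface eth0, LAN interface eth1, internal hosts
# 192.168.0.10-.12 with static addresses. DRY_RUN=1 (the default) prints the
# commands; DRY_RUN=0 executes them and needs root.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DRY_RUN=${DRY_RUN:-1}

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Baseline: enable routing between the interfaces and drop forwarded traffic
# by default, so only what is explicitly DNATed below gets through.
setup_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    # Replies and related packets for every connection the firewall has
    # already accepted, in both directions. (Older kernels spell this
    # "-m state --state ESTABLISHED,RELATED".)
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Form 1: all SSH arriving on the public port 22 goes to a single internal host.
forward_ssh_single() {
    host=$1
    # Only rewrite packets that came in from the outside, so LAN traffic is
    # left alone.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j DNAT --to-destination "$host:22"
    # FORWARD sees the packet after DNAT, so match on the internal address.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$host" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Form 2: one public port per internal host, each rewritten to that host's
# port 22. Arguments are PUBLICPORT:INTERNALIP pairs, e.g. 1022:192.168.0.10.
forward_ssh_multi() {
    for pair in "$@"; do
        port=${pair%%:*}
        host=${pair#*:}
        run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$host:22"
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$host" --dport 22 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Stand-alone run: the full rule set for three internal machines
# (constructed addresses), as Jeroen's 1022/1122/1222 scheme.
setup_forwarding
forward_ssh_multi 1022:192.168.0.10 1122:192.168.0.11 1222:192.168.0.12
```

Two practical notes. If you take Jeroen's alternative of running sshd itself on the odd port (`Port 1022` in that host's sshd_config), the PREROUTING rule becomes a plain `-j DNAT --to-destination 192.168.0.10` with no port rewrite, and the FORWARD rule matches `--dport 1022` instead. And DNAT on `-i eth0` only works for connections arriving from the Internet; a machine inside the LAN that connects to the public address will not be redirected without extra hairpin (SNAT) rules, so test the forwarding from outside.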

