expose internal network to the outside world

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Sep 15 12:55:53 UTC 2005


On Wed, Sep 14, 2005 at 10:19:12PM -0400, Matt Price wrote:
> I have 2 computers on a home network, connected to Sympatico DSL through
> a modem
> and a cheap SMC router (Barricade  g = SMC2804WBRP-g).  I would like to
> be able to ssh into both of them from the outside world.  I have
> successfully set up "inadyn" to associate a stable URL (x.dyndns.org)
> with my dynamic IP, which is great.  Now the problem is to tunnel remote
> ssh requests to the two local machines.  I don't really understand this
> very well (though I tried something similar about 2 years ago -- got
> stumped then).
> 
> As I understand it, what I need to do is set up some kind of a table
> where external requests on particular ports are forwarded by the router
> on to corresponding (perhaps not identical) ports on one or the other
> local machine.  So I imagine something like this:
> 
> from work, I type:
> 
> ssh -p 2000 -l me mydomain.dyndns.org
> which gets to the router; the router sees that it's supposed to forward
> requests on port 2000 to 192.168.2.199; 192.168.2.199 picks up the
> request and an ssh tunnel is formed
 
So your router should have rules that says:
external port 2000 forward to internal ip 192.168.2.199 port 22
external port 3000 forward to internal ip 192.168.2.254 port 22

> on the other hand, if I type
> ssh -p 3000 -l metoo mydomain.dyndns.org
> the router sends the request to 192.168.2.254 instead.
> (even better would be to control destination by hostname, eg.
> 1.mydomain.dyndns.org, 2.mydomain.dyndns.org, etc -- but I think this is
> unlikely to work).

Since the name is resolved to an IP, the IP is given to the client, and
only then is a connection attempt made, it certainly won't work.  Only
protocols that pass names explicitly (like HTTP 1.1) can do multiple
"servers" on one IP, and even then they have to be handled by a single
web server (which can of course redirect to another port if you want it
to send you to another machine.)

> On my router configuration screen, there seem to be 3 places where this
> sort of thing can be done:
> 1. "DDNS" -- here I'm allowed to have 1 static local IP address
> designated as
> a "server" ; requests on ports 80,21,and 25 (http, ftp, smtp) are
> forwarded on to the "server".  I've tried this and it works fine for
> http at least (I get the standard debian default index page from my
> local machine).  But there seems to be no further flexibility.
> 2. "NAT".  This section comes with the following instructions:
> 
> *Special Applications*
> 
> Some applications require multiple connections, such as Internet gaming,
> video conferencing, Internet telephony and others. These applications
> cannot work when Network Address Translation (NAT) is enabled. If you
> need to run applications that require multiple connections, specify the
> port normally associated with an application in the "Trigger Port"
> field, select the protocol type as TCP or UDP, then enter the public
> ports associated with the trigger port to open them for inbound traffic.
> 
> Note: The range of the Trigger Ports is from 1 to 65535.
> 
> Then there's a table in which I can associate "trigger ports" with
> "public ports".  But I don't think I really understand what this is
> about, as there seems to be no way to associate a particular local
> machine with a forwarded port.

No need for any of that for a simple one port protocol like ssh.  It is
used for when an internal machine connects out on a given port and
expects other connections to come back on a different port that it wants
returned to it.  In other words, for badly designed protocols (ftp being
one such protocol that requires special handling).

> 3. DMZ.  This screen lets me associate a local IP address (192.168.2.x)
> with a public IP address.  But this isn't what I want, is it?  Because
> after all I only have one constantly-changing IP address available to
> me...

That would set up all ports (usually) to be forwarded to that IP.  Not
what you want.

> Anyway -- I feel a little bit stumped.  I wondered whether anyone else
> had ideas about what I should do, whether I'm out of luck, etc.

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
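Lennart's two forwarding rules, and his point that the router only ever
sees a destination IP and port (never the name the client resolved), as an
added example that is not part of the thread and not the SMC Barricade's
own configuration: the same table expressed for a Linux box acting as the
NAT router, rendered as iptables DNAT rules plus the matching FORWARD
accepts, with a default-deny FORWARD policy so that only the two listed
ports get through (the DMZ option would open everything).  The interface
names ppp0/eth0, the logins "me"/"metoo", the dyndns hostname and the
192.168.2.x addresses are assumptions taken from the thread; nothing here
is executed, the functions only return the commands and config to review.

```python
"""Port-forwarding table for two internal sshd hosts behind one dynamic IP.

Added example (not from the thread).  Assumptions: a Linux NAT router with
WAN interface ppp0 and LAN interface eth0; the addresses, external ports
and logins are the ones Matt and Lennart use in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    ext_port: int        # port the outside world connects to
    int_ip: str          # LAN host that receives the connection
    int_port: int = 22   # port on that host (sshd's default)
    proto: str = "tcp"   # ssh is a single TCP connection, no "trigger ports"


# The two rules Lennart gives, as a constructed table (assumed addresses).
FORWARDS = (
    Forward(2000, "192.168.2.199"),
    Forward(3000, "192.168.2.254"),
)


def check(forwards):
    """Return a list of problems with the table (empty means it is sane)."""
    problems = []
    seen = set()
    for f in forwards:
        for p in (f.ext_port, f.int_port):
            if not 1 <= p <= 65535:
                problems.append(f"port {p} out of range")
        if f.proto not in ("tcp", "udp"):
            problems.append(f"unknown protocol {f.proto!r}")
        try:
            if not ipaddress.ip_address(f.int_ip).is_private:
                problems.append(f"{f.int_ip} is not a LAN address")
        except ValueError:
            problems.append(f"{f.int_ip!r} is not an IP address")
        # Two entries for the same external port cannot both win: the
        # router dispatches on (proto, port) alone, so the key must be unique.
        key = (f.proto, f.ext_port)
        if key in seen:
            problems.append(f"external {f.proto}/{f.ext_port} forwarded twice")
        seen.add(key)
    return problems


def lookup(forwards, proto, ext_port):
    """What the router does per inbound packet: match on protocol and
    destination port only.  The hostname the client typed (1.mydomain...,
    2.mydomain...) was resolved on the client and never reaches the router."""
    for f in forwards:
        if f.proto == proto and f.ext_port == ext_port:
            return f.int_ip, f.int_port
    return None


def render_iptables(forwards, wan_if="ppp0", lan_if="eth0"):
    """iptables commands for a Linux router implementing the table."""
    problems = check(forwards)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        # Default deny for routed traffic; replies to established flows pass.
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in forwards:
        # Rewrite the destination before routing ...
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p {f.proto} "
            f"--dport {f.ext_port} -j DNAT --to-destination {f.int_ip}:{f.int_port}"
        )
        # ... and allow exactly that rewritten flow through FORWARD.
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -o {lan_if} -p {f.proto} "
            f"-d {f.int_ip} --dport {f.int_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


def render_ssh_config(forwards, hostname="mydomain.dyndns.org",
                      logins=("me", "metoo")):
    """Client side: ~/.ssh/config stanzas so that `ssh box1` does what
    `ssh -p 2000 -l me mydomain.dyndns.org` does in the thread."""
    stanzas = []
    for n, (f, login) in enumerate(zip(forwards, logins), start=1):
        stanzas.append(f"Host box{n}\n    HostName {hostname}\n"
                       f"    Port {f.ext_port}\n    User {login}")
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    print("\n".join(render_iptables(FORWARDS)))
    print()
    print(render_ssh_config(FORWARDS))
```

The NAT rule and the FORWARD rule go together: DNAT alone rewrites the
packet but, with a DROP policy, the kernel still refuses to route it, which
is the difference between "forward port 2000" and the router's DMZ option.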