Hi Dotan,

On Sun, Apr 03, 2011 at 03:25:29PM +0300, Dotan Cohen wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
>
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
>
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
>
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?

Not really. No matter what the individual does: it can only contact the router on 123.45.67.89. If the router then throws away the traffic, you're finished.
However, there are some tricks -- depending on how exactly the router is configured:

Assuming the router allows computer1 to communicate with the internet (e.g. computer1 can send data to the internet, and the router forwards the answer back to computer1), then it is possible: you have to "cheat" the router such that the router believes "computer1 wants to connect to the outsider" instead of "outsider wants to connect to computer1".

A first example of this concept are protocols like active ftp: there, the CLIENT opens a first connection (the control connection), but the SERVER opens the data connection. In order to forward active ftp via a router, the router has to listen to & understand the first connection, such that it knows to which client the data connection has to be forwarded. (e.g. the linux iptables firewall has a special module to support active ftp forwarding)

A full implementation of such "cheating" is done by Skype. In your example:

- computer1 asks an external server whether someone wants to connect to it.
- the individual informs the external server. The external server can send this information to computer1, as the connection "computer1<->external server" was opened by computer1 ==> router allows it.
- computer1 sends a packet to the individual. This packet does not contain any useful data -- but is detected by the router as "computer1 speaks with individual". In addition, the networking details of the packet (ip-address, port, ...) are sent to the external server, which forwards them to the individual.
- now, the individual can ANSWER this packet -- and from the point of view of the router this is a connection opened by computer1 (and NOT a connection opened by the individual) ==> probably allowed.

So in fact, when you do something along these lines, the router will not see "individual from outside wants to connect to computer1" -- but: "computer1 wants to connect to outside".
Of course, the remaining question is: does the router allow this connection? And you need an external server to initiate the connection: somehow, the individual has to learn the networking details of the initial packet... The "external server" could be e.g. a mail server, which computer1 regularly checks for new mails...

Axel

Archive: http://lists.debian.org/20110403124346.GA4625@axel
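An added example, not part of the thread: a toy model of the router's stateful NAT table, showing why an unsolicited packet to 123.45.67.89 is dropped while the outsider's reply is accepted once computer1 has sent a packet out. The outsider's address 98.76.54.32, the port numbers and the class/function names are assumptions.

```python
# Added example (not from the mailing-list thread): a toy model of the router's
# stateful NAT/connection table, showing why an unsolicited inbound packet is
# dropped while a reply to computer1's own packet passes. Router 123.45.67.89 and
# computer1 10.0.0.2 come from the thread; the outsider's IP and all ports are constructed.

ROUTER_PUBLIC = "123.45.67.89"

class Nat:
    """Address-restricted cone NAT: one public port per (internal ip, port);
    inbound traffic is accepted only from a host the internal side has
    already sent to through that mapping."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.mappings = {}    # (lan_ip, lan_port) -> public_port
        self.allowed = {}     # public_port -> remote ips already contacted
        self.log = []

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """computer1 sends a packet out; the router creates/refreshes state."""
        key = (lan_ip, lan_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        pub = self.mappings[key]
        self.allowed[pub].add(remote_ip)
        self.log.append(f"out {lan_ip}:{lan_port} -> {remote_ip}:{remote_port} via {ROUTER_PUBLIC}:{pub}")
        return ROUTER_PUBLIC, pub  # the "networking details" relayed via the external server

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet from the internet arrives at the router's public address."""
        if remote_ip in self.allowed.get(public_port, ()):
            lan_ip, lan_port = next(k for k, v in self.mappings.items() if v == public_port)
            self.log.append(f"in  {remote_ip}:{remote_port} -> {lan_ip}:{lan_port} (accepted)")
            return lan_ip, lan_port
        self.log.append(f"in  {remote_ip}:{remote_port} -> {ROUTER_PUBLIC}:{public_port} (dropped)")
        return None

def hole_punch_demo():
    nat = Nat()
    outsider = ("98.76.54.32", 5555)
    # 1. Unsolicited attempt to reach SSH: no state yet, so the router discards it.
    direct = nat.inbound(*outsider, 40000)
    # 2. computer1 first sends its "useless" packet toward the outsider ...
    _pub_ip, pub_port = nat.outbound("10.0.0.2", 22, *outsider)
    # 3. ... and the outsider's ANSWER to that packet now reaches computer1.
    punched = nat.inbound(*outsider, pub_port)
    return direct, punched, nat.log
```

The model is an address-restricted NAT; a router that allocates a fresh public port per destination (symmetric NAT) would give the external server a port that does not match the one used toward the outsider, which is the "does the router allow this connection?" caveat above.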