Re: [gentoo-user] mapping hostname to a non routable ip addy
On Friday 05 December 2003 10:29 pm, Nathaniel McCallum wrote:
> On Dec 5, 2003, at 11:19 PM, Jeff Smelser wrote:
>> On Friday 05 December 2003 10:15 pm, Nathaniel McCallum wrote:
>>> What about for ssh? Any way to do it for that? Or will it consider that a man in the middle attack?
>>
>> You can forward any port you want. Just a matter of a couple commands. When you get a firewall set up, let us know what you're using. Most firewalls... I use gShield, they have a config file for forwarding ports. Takes just a minute for the config change, then rerun the script.
>
> I know about port forwarding. I don't want to forward a different port. I want to redirect data based upon packet destination rather than port. I'm really just trying to get free IP addys ;).

Then I don't see how. You're going to be using internal numbers behind your firewall. And if you try to use an internet standard address, it won't be routed to you.. If I understand you correctly.

-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Friday 05 December 2003 10:15 pm, Nathaniel McCallum wrote:
> I know about port forwarding. I don't want to forward a different port. I want to redirect data based upon packet destination rather than port. I'm really just trying to get free IP addys ;).

Nathaniel, what you're wanting to do is very simple. Go to www.shorewall.net and do some research there and you will see. This is just one flavor of firewall, but one of the best I've come across, with the best support via mailing list and a great web site as well. There's really no mystery in how to achieve what you're asking to achieve.

There are two ways to do what you want to do. These are the same 2 choices that everyone else has when redirecting traffic from internet hosts to services you host on your internal LAN. But you want to do it by name instead of IP directly. (It all happens via IP, ports/sockets regardless. This is just how it works.)

First and foremost you will need to either get familiar with iptables or install a firewall like Shorewall that manipulates iptables for you to achieve what you're wanting. Without one of those you will not be able to redirect squat.

Then you said:
> I want to redirect data based upon packet destination rather than port.

My response: The two really go hand in hand. So this tells me that you might understand port forwarding but don't understand some of the other fundamentals. (If you don't understand this then you're in for some researching.) But again this is very simple if you understand the basics.

You mean via a DNS name, e.g. www.yourfoobarrednetwork.com. Let's say your public IP is 1.2.3.4 and you have registered (you will need to, to do what you're trying to do) www.yourfoobarrednetwork.com and mail.yourfoobarrednetwork.com. Both of these registered names resolve to the same public IP address in DNS: 1.2.3.4. Internally you run a web server at 192.168.1.1 and a mail server at 192.168.1.2. Let's think about this for a second.

If I open any given web browser/app and go to www.yourfoobarrednetwork.com (assuming that you've registered this DNS name or are running a hosts file that knows to resolve www.yourfoobarrednetwork.com to your public IP address), since I'm using a web browser, any browser will default to port 80/HTTP. So now my browser will transparently (to my eyes) resolve the DNS name to an IP address and go to www.yourfoobarrednetwork.com (or 1.2.3.4, transparent to me) via HTTP port 80 TCP. On your firewall you would need to have a rule that forwards requests coming to your public IP on port 80 TCP to the internal web server listening on port 80 TCP.

General redirect rule: Incoming port 80 tcp goes: 1.2.3.4 (your public ip) -> 192.168.1.1 (your internal web server)

BAM... I'm on your website now. That was easy.. :P

Ok.. to continue with my example, let's say that I want to send you e-mail. In my example you're running an email server on 192.168.1.2 and have registered a public DNS MX record for mail.yourfoobarrednetwork.com that resolves to your public IP of 1.2.3.4. I open up my SMTP email client/app (Kmail) and type in:

TO: [EMAIL PROTECTED]
SUBJECT: TEST

and click on send. Since my SMTP email client/app defaults to using port 25 TCP, my email server will (transparently to me) look up and resolve your mail domain to the public IP address that you have registered, 1.2.3.4. On your firewall you would need to have a rule that forwards requests coming to your public IP on port 25 TCP to the internal mail server listening on port 25 TCP.

General redirect rule: Incoming port 25 tcp goes: 1.2.3.4 (your public ip) -> 192.168.1.2 (your internal mail server)

BAM... You Have Mail. That was easy.. :P

For SSH you would simply need to go to www.yourfoobarrednetwork.com on port 22 TCP. You can either do this from the command line or a GUI ssh client/app. And you can do this by IP or by your registered domain name.

General redirect rule: Incoming port 22 tcp goes: 1.2.3.4 (your public ip) -> 192.168.1.3 (internal machine listening on port 22 tcp)

The important thing to remember is that when redirecting any type of packet it will have an IP address/port-socket mapping. Those two are inseparable for the most part.

HTH,
JBanks
RE: [gentoo-user] mapping hostname to a non routable ip addy
> -Original Message-
> From: Jeff Smelser [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 06, 2003 8:45 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] mapping hostname to a non routable ip addy
>
> On Friday 05 December 2003 10:29 pm, Nathaniel McCallum wrote:
>> On Dec 5, 2003, at 11:19 PM, Jeff Smelser wrote:
>>> On Friday 05 December 2003 10:15 pm, Nathaniel McCallum wrote:
>>>> What about for ssh? Any way to do it for that? Or will it consider that a man in the middle attack?
>>>
>>> You can forward any port you want. Just a matter of a couple commands. When you get a firewall set up, let us know what you're using. Most firewalls... I use gShield, they have a config file for forwarding ports. Takes just a minute for the config change, then rerun the script.
>>
>> I know about port forwarding. I don't want to forward a different port. I want to redirect data based upon packet destination rather than port. I'm really just trying to get free IP addys ;).
>
> Then I don't see how. You're going to be using internal numbers behind your firewall. And if you try to use an internet standard address, it won't be routed to you.. If I understand you correctly.

my input:

After Joshua Banks' reply, I think I understand what he's wanting. My guess is that after thinking about virtual servers with apache and the like, why not do that in a more general way? Well, bad news, all DNS names resolve to the one IP address. The way virtual servers work is that the pre-resolved DNS name is transferred in the HTTP query. Thus if you want several web servers on an internal network behind the one external IP address you could do it. Actually, you could probably use the same notion for SMTP if you have really well-behaved clients and didn't mind doing a bit (lot?) of hacking. Really, it's all more trouble than it's worth though. Unless you don't value your time, that is...

Jason
Re: [gentoo-user] mapping hostname to a non routable ip addy
> [...] Internally you run a web server at 192.168.1.1 and a mail server at 192.168.1.2.

I guess you're missing the point there. I think he wants 'ssh box1.foobar.com' routed to box1 and 'ssh box2.foobar.com' routed to box2. And without port redirecting tricks like 'ssh box1.foobar.com -p 8022', 'ssh box2.foobar.com -p 7022'. This would involve routing based not on IP or port, but on hostname, which is encapsulated on higher protocol levels (e.g. http, ftp). And this surely can't be achieved with iptables, shorewall or any low level based internet filter.

-- 
mathieu
Re: [gentoo-user] mapping hostname to a non routable ip addy
--- mathieu perrenoud [EMAIL PROTECTED] wrote:
>> [...] Internally you run a web server at 192.168.1.1 and a mail server at 192.168.1.2.
>
> I guess you're missing the point there.

I guess you could be correct, because I was simply making a guess based on the info that he previously posted. I certainly didn't come to the conclusion that you did. Wouldn't be the first time and certainly won't be the last. Thanks for the correction.

> I think he wants 'ssh box1.foobar.com' routed to box1 and 'ssh box2.foobar.com' routed to box2. And without port redirecting tricks like 'ssh box1.foobar.com -p 8022', 'ssh box2.foobar.com -p 7022'. This would involve routing based not on IP or port, but on hostname, which is encapsulated on higher protocol levels (e.g. http, ftp). And this surely can't be achieved with iptables, shorewall or any low level based internet filter.

If he is in fact trying to ssh to more than one PC with only one public IP address, his choices are limited to what has already been explained by previous responses. He could always tunnel VNC through ssh to one central box internally and then ssh from there to any machine he wants. Port redirection is a cake walk. And seems to be his only alternative given his limited resources. Namely (one public IP address). There's still choices that are workable to achieve his goal. Shorewall can redirect ports via one text line per host. That would take less than one minute for 5-10 hosts. Seems trivial to me if this is too much work.

JBanks
[gentoo-user] mapping hostname to a non routable ip addy
OK, here is the scenario. Gentoo router has one routable IP and the internal network is NAT'ed. The routable IP has a domain that resolves to it, let's call it foobar.com. Internally (non-routable IPs), there are hosts (FQDN=host1.foobar.com, host2.foobar.com). Is there any way (perhaps iptables, but probably some other software) to automatically forward all traffic to the appropriate host from the outside? I know this has to be done at the packet level, but there are some hardware solutions for this, so I thought there might be something else out there...

Nathaniel
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Dec 5, 2003, at 5:39 PM, Marius Mauch wrote:
> On 12/05/03 Nathaniel McCallum wrote:
>> OK, here is the scenario. Gentoo router has one routable IP and the internal network is NAT'ed. The routable IP has a domain that resolves to it, let's call it foobar.com. Internally (non-routable IPs), there are hosts (FQDN=host1.foobar.com, host2.foobar.com). Is there any way (perhaps iptables, but probably some other software) to automatically forward all traffic to the appropriate host from the outside? I know this has to be done at the packet level, but there are some hardware solutions for this, so I thought there might be something else out there...
>
> You can redirect traffic based on ports or IPs, but not on hostnames, as that information is not contained in the IP header, only in some higher level protocols like HTTP.

Yes, I'm aware of this. That is what I am wondering, if there is any program that actually checks the packets and forwards appropriate traffic...

Nathaniel
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Friday 05 December 2003 23:46, Nathaniel McCallum wrote:
> On Dec 5, 2003, at 5:39 PM, Marius Mauch wrote:
>> On 12/05/03 Nathaniel McCallum wrote:
>>> OK, here is the scenario. Gentoo router has one routable IP and the internal network is NAT'ed. The routable IP has a domain that resolves to it, let's call it foobar.com. Internally (non-routable IPs), there are hosts (FQDN=host1.foobar.com, host2.foobar.com). Is there any way (perhaps iptables, but probably some other software) to automatically forward all traffic to the appropriate host from the outside? I know this has to be done at the packet level, but there are some hardware solutions for this, so I thought there might be something else out there...
>>
>> You can redirect traffic based on ports or IPs, but not on hostnames, as that information is not contained in the IP header, only in some higher level protocols like HTTP.
>
> Yes, I'm aware of this. That is what I am wondering, if there is any program that actually checks the packets and forwards appropriate traffic...

I think it has to be done on a per-protocol basis. For HTTP I would go for apache on the router and check the proxy and reverse_proxy directives. I don't think it's possible to do this at a more general level. And it's only possible to do this for protocols which encapsulate hostnames, like http or ftp. You'll never be able to have your router forward `nc spam.foo.bar 1234` to port 1234 of box spam.foo.bar.

-- 
mathieu
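The per-protocol point above, as an added illustration (not code from anyone in the thread): a packet filter keys only on destination IP and port, so the thread's port-forwarding table works at that layer, while dispatching by name needs the application data, which an HTTP request carries in its Host header and an SSH version banner does not. The 1.2.3.4 and 192.168.1.x addresses are the thread's examples; the host1/host2 backends, the sample request bytes and the SSH banner are constructed.

```python
import re
from typing import Optional, Tuple

Backend = Tuple[str, int]
PUBLIC_IP = "1.2.3.4"  # the thread's example public address

# Layer-4 forwarding, in the spirit of the thread's "general redirect rule":
# (proto, public port) -> internal host. This is all a DNAT rule can key on.
L4_FORWARDS = {
    ("tcp", 80): ("192.168.1.1", 80),   # web server
    ("tcp", 25): ("192.168.1.2", 25),   # mail server
    ("tcp", 22): ("192.168.1.3", 22),   # only one ssh box per public port
}

# Application-layer dispatch table (constructed backend addresses).
HOST_BACKENDS = {
    "www.yourfoobarrednetwork.com": ("192.168.1.1", 80),
    "host1.foobar.com": ("192.168.1.10", 80),
    "host2.foobar.com": ("192.168.1.11", 80),
}

def forward_l4(proto: str, dst_ip: str, dst_port: int) -> Optional[Backend]:
    """What a packet filter sees: only the IP and TCP headers."""
    if dst_ip != PUBLIC_IP:
        return None
    return L4_FORWARDS.get((proto, dst_port))

def http_host(first_bytes: bytes) -> Optional[str]:
    """Pull the Host header out of the start of an HTTP/1.x request."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    m = re.search(rb"(?im)^host:[ \t]*([^\r\n]+)", head)
    if not m:
        return None
    # Drop an optional :port, normalise case, accept only plain DNS labels.
    host = m.group(1).decode("ascii", "replace").strip().split(":")[0].lower()
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else None

def forward_by_name(first_bytes: bytes) -> Optional[Backend]:
    """Dispatch on a name carried in the application data, if there is one.
    Unknown names get None (the connection is dropped), not a default backend."""
    if first_bytes.startswith(b"SSH-"):
        return None  # the SSH version banner names no server
    host = http_host(first_bytes)
    return HOST_BACKENDS.get(host) if host else None

# Constructed first bytes of two connections arriving on 1.2.3.4.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: host2.foobar.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_3.7\r\n"

if __name__ == "__main__":
    print(forward_l4("tcp", PUBLIC_IP, 22))   # ('192.168.1.3', 22)
    print(forward_by_name(HTTP_REQ))           # ('192.168.1.11', 80)
    print(forward_by_name(SSH_BANNER))         # None
```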
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Dec 5, 2003, at 6:12 PM, mathieu perrenoud wrote:
> On Friday 05 December 2003 23:46, Nathaniel McCallum wrote:
>> On Dec 5, 2003, at 5:39 PM, Marius Mauch wrote:
>>> On 12/05/03 Nathaniel McCallum wrote:
>>>> OK, here is the scenario. Gentoo router has one routable IP and the internal network is NAT'ed. The routable IP has a domain that resolves to it, let's call it foobar.com. Internally (non-routable IPs), there are hosts (FQDN=host1.foobar.com, host2.foobar.com). Is there any way (perhaps iptables, but probably some other software) to automatically forward all traffic to the appropriate host from the outside? I know this has to be done at the packet level, but there are some hardware solutions for this, so I thought there might be something else out there...
>>>
>>> You can redirect traffic based on ports or IPs, but not on hostnames, as that information is not contained in the IP header, only in some higher level protocols like HTTP.
>>
>> Yes, I'm aware of this. That is what I am wondering, if there is any program that actually checks the packets and forwards appropriate traffic...
>
> I think it has to be done on a per-protocol basis. For HTTP I would go for apache on the router and check the proxy and reverse_proxy directives. I don't think it's possible to do this at a more general level. And it's only possible to do this for protocols which encapsulate hostnames, like http or ftp. You'll never be able to have your router forward `nc spam.foo.bar 1234` to port 1234 of box spam.foo.bar.

What about for ssh? Any way to do it for that? Or will it consider that a man in the middle attack?

Nathaniel
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Friday 05 December 2003 10:15 pm, Nathaniel McCallum wrote:
> What about for ssh? Any way to do it for that? Or will it consider that a man in the middle attack?

You can forward any port you want. Just a matter of a couple commands. When you get a firewall set up, let us know what you're using. Most firewalls... I use gShield, they have a config file for forwarding ports. Takes just a minute for the config change, then rerun the script.
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Dec 5, 2003, at 11:19 PM, Jeff Smelser wrote:
> On Friday 05 December 2003 10:15 pm, Nathaniel McCallum wrote:
>> What about for ssh? Any way to do it for that? Or will it consider that a man in the middle attack?
>
> You can forward any port you want. Just a matter of a couple commands. When you get a firewall set up, let us know what you're using. Most firewalls... I use gShield, they have a config file for forwarding ports. Takes just a minute for the config change, then rerun the script.

I know about port forwarding. I don't want to forward a different port. I want to redirect data based upon packet destination rather than port. I'm really just trying to get free IP addys ;).

Nathaniel
Re: [gentoo-user] mapping hostname to a non routable ip addy
On Sat, 6 Dec 2003 00:12:44 +0100 mathieu perrenoud [EMAIL PROTECTED] wrote:
> On Friday 05 December 2003 23:46, Nathaniel McCallum wrote:
>> On Dec 5, 2003, at 5:39 PM, Marius Mauch wrote:
>>> On 12/05/03 Nathaniel McCallum wrote:
>>>> OK, here is the scenario. Gentoo router has one routable IP and the internal network is NAT'ed. The routable IP has a domain that resolves to it, let's call it foobar.com. Internally (non-routable IPs), there are hosts (FQDN=host1.foobar.com, host2.foobar.com). Is there any way (perhaps iptables, but probably some other software) to automatically forward all traffic to the appropriate host from the outside? I know this has to be done at the packet level, but there are some hardware solutions for this, so I thought there might be something else out there...
>>>
>>> You can redirect traffic based on ports or IPs, but not on hostnames, as that information is not contained in the IP header, only in some higher level protocols like HTTP.
>>
>> Yes, I'm aware of this. That is what I am wondering, if there is any program that actually checks the packets and forwards appropriate traffic...
>
> I think it has to be done on a per-protocol basis. For HTTP I would go for apache on the router and check the proxy and reverse_proxy directives. I don't think it's possible to do this at a more general level. And it's only possible to do this for protocols which encapsulate hostnames, like http or ftp. You'll never be able to have your router forward `nc spam.foo.bar 1234` to port 1234 of box spam.foo.bar.
>
> -- 
> mathieu

Hi,

I suggest looking in www.shorewall.net for the PROXY-ARP feature. Maybe that could help.

Bye.
Rumen.