Mailinglist Archive: opensuse-security (685 mails)

< Previous Next >
RE: [suse-security] Re: Emulate real ip's to access intranet hosts from outside
  • From: christian.burri@xxxxxxxxxx
  • Date: Wed, 13 Feb 2002 16:33:07 +0100
  • Message-id: <OFAEE80EED.89787EA1-ONC1256B5F.005415DA@xxxxxxxxxx>

Hi there,

I think it is not possible to do as you reqest: ---> ---> ---> --->

You could instead use port forwarding, but that
wont work for FTP afaik. For FTP you would set
up a proxy like SuSE's FTP Proxy Suite ie.

Furthermore I think its really not possible to
distinguish several servers running on one
site by DNS name. You would need more then
just one public IP for that. What you can however
distinguish without additional IPs is like, port number.

So ie it would work to have web server 1 on port 80
and webserver 2 on port 81. You could then point and to
the same IP (your public one), but then your clients
will have to supply a port number with theyr request,
ie or like,

My recommendation is:

Get yourself two public IPs.
You can then assign IP 1 to www1 and ftp1,
and assign IP 2 to www2 and ftp2.
You could for example load both public IPs
on your firewall (using IP aliases) and then
do a 1:1 NAT for each IP to the according
internal machine. So FTP would work
without a proxy and WWW would work without
a port forwarding.

Hope that helps

Chris Burri

/v\ L I N U X
// \\ >I know KungFu!!<
/( )\

Hi again!
Thanks for your quickly answers,

I think I hadn't explained enough clearly in the first mail.
The problem is the following:
I have a SINGLE public ip with an associated domain. In that host I have
a DNS server, mail server, web, etc. The important point is at the DNS.
What i'd like to do is that the firewall forward all the packets
independently of the destiny port, which can be any, to a host of the
intranet with a private ip. The rule for decide which packets go to what
host in the intranet is the name that the client refered to.
when I do a ftp to my DNS server would forward the
request to the host

I'd like to have a map like this: ---> ---> ---> --->

and so on
But Actually in the internet all that names lookup to
and of course the 192.168.x.x is never seen from the internet

I know that apache can manage vhosts and I could redirect to a intranet
host all the web traffic coming to, the same can be
done with wu-ftp or proftp where u can have multiple domains/dubdomains
and have different ftp root directorys depending on the name the client
used to contact it, and then I could set that roots pointing to nfs
mounted directories of the internal net, but what I'd like is that all
the traffic forward would depend on the name used by the client.

As I said it's not a port forwarding matter it would be a program which
could manage domain name vhosts and do some kind of bridging /
forwarding to the intranet depending on the name the client reffered.

So the idea is to emulate lots of real ips with just 1 public ip and 1
domain with all the subdomains I'd need.

Uh! I hope to have been clear enough this time, my English is not
perfect (I'm Spanish) so please let me know if u got the idea, ok?

Thanks a lot guys!

Ramon Acedo

< Previous Next >
This Thread
  • No further messages