Date:      Thu, 29 Jul 2004 16:42:09 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Hakim Singhji <Hakim.Singhji@nychhc.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HOWTO Ping LAN???
Message-ID:  <20040729154209.GA80531@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040729T102705Z_C5AF00120003@nychhc.org>
References:  <20040729T102705Z_C5AF00120003@nychhc.org>



On Thu, Jul 29, 2004 at 10:27:05AM -0400, Hakim Singhji wrote:
> Hi Matt,
> 
> You say that the only way I will be able to connect to my network is by tunnelling.
> This is not what I want to do; I thought I may be able to SSH, Telnet, www, etc.
> from the outside to my default gateway and have the gateway pass SSH, Telnet,
> www., or any other request to the machine on the private network by including the
> "localhost.defaultgateway.domain.org" or something to that effect.
> 
> Does NAT Overloading only go one way???


Essentially, yes.  What you're after is called 'port forwarding'
(which is actually a class of tunnelling methods).

What you can't do in the sort of setup you describe is ssh(1) to the
gateway machine and have it connect you to some arbitrary machine on
your internal network.  The outside world doesn't "know" anything
about the arrangement of your private network: which machine should
the gateway box forward the incoming connection to?  All it sees is a
TCP SYN packet sent to port 22 on its internet interface.

Going the other way round -- where the internal machine initiates the
connection -- works because you can match up the response 'ACK' packet
to the outgoing 'SYN' packet.

In order to allow remote access to your private machines you've
somehow got to introduce a mechanism to permit the gateway machine to
know which of the internal machines you want to connect to.  You can
set up non-standard ports on the NAT gateway to forward connections to
internal machines: eg.

     Port:  Destination:
     ----------------------
     2201   192.168.0.1:22
     2202   192.168.0.2:22
     2203   192.168.0.3:22

(see natd(8)),

but a) you'd have to do that for each service on each machine you
want connectivity to, and b) it's not going to work in the specific
case of ssh(1), because ssh(1) attempts to verify the identity of the
host it connects to against the host keys presented to it during the
SSH connection.

Probably the easiest thing to do is log into your gateway machine via
ssh(1) and then take a second hop from there to your internal
machines.  telnet(1) is generally a bad idea for security
reasons.  ping(8), which operates via ICMP echo requests, is completely
out: ICMP doesn't have the concept of port numbers at all, so there's
no way to clue the NAT gateway into which machine you want to
communicate with.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

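The direction-dependence Matthew describes (an outbound connection leaves state the gateway can match the reply against; an unsolicited inbound SYN has nothing to match unless a static per-port redirect names the internal host; an ICMP echo request has no port to key on at all) as an added worked example. This is a toy Python model written for this page, not FreeBSD's natd(8) code: the gateway address 203.0.113.1, the LAN addresses 192.168.0.x, the remote host 198.51.100.7 and the dynamic port pool starting at 40000 are all assumed, and the redirect table mirrors the 2201/2202/2203 table in the mail.

```python
"""Toy model of a NAT gateway's translation tables (added example).

Two tables are modelled, matching what the mail describes:
  * a dynamic session table, filled in when an internal host sends a
    packet out, so the reply can be matched back to that host;
  * a static redirect table (natd(8) 'redirect_port' style), which is the
    only way the gateway can learn which internal host an unsolicited
    inbound connection is meant for.
All addresses and ports below are constructed for the example.
"""
from dataclasses import dataclass, replace as with_fields
from typing import Dict, Optional, Tuple

GATEWAY_IP = "203.0.113.1"      # assumed public address of the NAT box
FIRST_ALIAS_PORT = 40000        # assumed start of the dynamic port pool

Endpoint = Tuple[str, int]      # (ip, port)
Key = Tuple[str, int]           # (proto, port on the gateway's public side)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None     # None for ICMP: it has no port numbers
    dport: Optional[int] = None
    flags: str = ""                 # e.g. "SYN", "SYN,ACK" for TCP


class Nat:
    def __init__(self, redirects: Optional[Dict[Key, Endpoint]] = None) -> None:
        self.redirects: Dict[Key, Endpoint] = dict(redirects or {})
        self.sessions: Dict[Key, Endpoint] = {}
        self._next_port = FIRST_ALIAS_PORT

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source and remember the mapping."""
        if pkt.sport is None:
            # Outbound ICMP is not modelled here (real NATs key echo
            # requests on the ICMP identifier field instead of a port).
            return None
        inside: Endpoint = (pkt.src, pkt.sport)
        for key, ep in self.sessions.items():
            if key[0] == pkt.proto and ep == inside:
                alias_port = key[1]      # existing session: reuse its port
                break
        else:
            alias_port = self._next_port  # new session: allocate a port
            self._next_port += 1
            self.sessions[(pkt.proto, alias_port)] = inside
        return with_fields(pkt, src=GATEWAY_IP, sport=alias_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: find the internal host, or drop the packet.

        A reply to an outbound connection hits the session table.  A fresh
        inbound SYN only gets through if a static redirect names a target;
        a SYN to port 22 with no redirect, or an ICMP echo request (nothing
        to look up at all), is dropped.
        """
        if pkt.dst != GATEWAY_IP or pkt.dport is None:
            return None
        key: Key = (pkt.proto, pkt.dport)
        target = self.sessions.get(key) or self.redirects.get(key)
        if target is None:
            return None
        return with_fields(pkt, dst=target[0], dport=target[1])


def build_gateway() -> Nat:
    """Gateway with the per-host SSH redirects from the table in the mail."""
    return Nat(redirects={
        ("tcp", 2201): ("192.168.0.1", 22),
        ("tcp", 2202): ("192.168.0.2", 22),
        ("tcp", 2203): ("192.168.0.3", 22),
    })


if __name__ == "__main__":
    nat = build_gateway()
    out = nat.outbound(Packet("tcp", "192.168.0.5", "198.51.100.7", 51000, 80, "SYN"))
    print("outbound SYN leaves as", out)
    back = nat.inbound(Packet("tcp", "198.51.100.7", GATEWAY_IP, 80, out.sport, "SYN,ACK"))
    print("reply delivered to", back)
    print("unsolicited SYN to :22 ->",
          nat.inbound(Packet("tcp", "198.51.100.7", GATEWAY_IP, 4000, 22, "SYN")))
    print("SYN to :2201 ->",
          nat.inbound(Packet("tcp", "198.51.100.7", GATEWAY_IP, 4000, 2201, "SYN")))
    print("inbound echo request ->",
          nat.inbound(Packet("icmp", "198.51.100.7", GATEWAY_IP)))
```

The session table is keyed on the gateway-side port because that is all the reply packet carries; the redirect table is keyed the same way, which is why every internal host needs its own public port (and why the mail's table has one line per machine).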


