Re: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Ramon Acedo

Hi again!
Thanks for your quick answers,

I think I hadn't explained clearly enough in the first mail.
The problem is the following:
I have a SINGLE public ip with an associated domain. On that host I have
a DNS server, mail server, web, etc. The important point is at the DNS.
What I'd like to do is that the firewall forwards all the packets,
independently of the destination port, which can be any, to a host of the
intranet with a private ip. The rule for deciding which packets go to which
host in the intranet is the name that the client referred to.
Example:
  when I do an ftp to ftp.mydomain.net my DNS server would forward the
request to the host 192.168.1.10.

I'd like to have a map like this:

ftp1.mydomain.net --- 192.168.1.10
ftp2.mydomain.net --- 192.168.1.50
www1.mydomain.net --- 192.168.1.12
www2.mydomain.net --- 192.168.1.33

and so on.
But actually on the internet all those names resolve to 213.1.2.3,
and of course the 192.168.x.x is never seen from the internet.

I know that apache can manage vhosts and I could redirect to an intranet
host all the web traffic coming to www2.mydomain.org; the same can be
done with wu-ftp or proftp, where you can have multiple domains/subdomains
and have different ftp root directories depending on the name the client
used to contact it, and then I could set those roots pointing to nfs
mounted directories of the internal net, but what I'd like is that all
the traffic forwarding would depend on the name used by the client.

As I said, it's not a port forwarding matter; it would be a program which
could manage domain name vhosts and do some kind of bridging /
forwarding to the intranet depending on the name the client referred to.

So the idea is to emulate lots of real ips with just 1 public ip and 1
domain with all the subdomains I'd need.

Uh! I hope to have been clear enough this time; my English is not
perfect (I'm Spanish) so please let me know if you got the idea, ok?

Thanks a lot guys!

Ramon Acedo





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Phillip Hofmeister

I think it is worth pointing out that port-forwarding has security implications.  If 
one of your services is compromised (even if it is not running as root) the attacker 
now has a good amount of access to your local/internal network.  I would only forward 
ports when absolutely needed and only to a service that I absolutely trusted.

Phil

-Original Message-
From: Ramon Acedo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 13 Feb 2002 15:33:01 +0100
Subject: Re: Emulate real ip's to access intranet hosts from outside



Re: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Ralf Dreibrodt

Hi,

Ramon Acedo wrote:
 
 I'd like to have a map like this:
 
 ftp1.mydomain.net --- 192.168.1.10
 ftp2.mydomain.net --- 192.168.1.50
 www1.mydomain.net --- 192.168.1.12
 www2.mydomain.net --- 192.168.1.33

that's hard, tricky and not always possible.

most protocols (e.g. ftp, telnet, http without host-header) don't
transmit the fqdn.
they use only the ip.

so you have to have a look at the dns-server.
someone is asking for the ip of ftp2.mydomain.net and immediately after
that, someone is connecting via ftp to your server.
then you can assume that he connected to ftp2.mydomain.net.

with protocols that transmit the fqdn (e.g. http with host-header) this
is no problem.
they send a request, in the request you can see the virtual host and
you can forward the request to a certain server in the intranet.

there are some other tricks, but the easiest way is to order more ips ;)
if you get just one from your provider, then you often (at least in
Germany) are not allowed to connect more than one client, often you are
even not allowed to connect a server.

bye
Ralf
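An added example, not from the thread, of the name-based forwarding Ralf describes for protocols that carry the fqdn: a small Python proxy that reads the HTTP Host header and hands the connection to the intranet host from Ramon's map. The www entries and private addresses come from Ramon's mail; the listen port, backend port 80 and the rejection of unknown or missing names are assumptions.

```python
import socket
import threading
from typing import Optional, Tuple

# Name -> intranet backend, using the www entries from Ramon's map. The FTP
# entries are deliberately absent: an FTP client never sends the name it
# used, so there is nothing to route on (Ralf's point).
VHOST_MAP = {
    "www1.mydomain.net": ("192.168.1.12", 80),
    "www2.mydomain.net": ("192.168.1.33", 80),
}
MAX_HEAD = 8192  # never buffer an unbounded request head
REJECT = (b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n"
          b"Content-Length: 0\r\n\r\n")


def parse_host(head: bytes) -> Optional[str]:
    """Return the Host header (lower-cased, :port stripped) or None.

    None covers HTTP/1.0 requests without Host and heads that carry the
    header twice: in both cases there is no single trustworthy name.
    """
    header_lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    hosts = [l.split(b":", 1)[1].strip() for l in header_lines
             if l[:5].lower() == b"host:"]
    if len(hosts) != 1 or not hosts[0]:
        return None
    host = hosts[0].decode("ascii", "replace").lower()
    if host.count(":") == 1:  # "www1.mydomain.net:80"; IPv6 literals untouched
        host = host.split(":", 1)[0]
    return host


def pick_backend(head: bytes) -> Optional[Tuple[str, int]]:
    """Choose the intranet target for a request head, or None to refuse.

    Only names in VHOST_MAP are forwarded, so a client cannot reach an
    arbitrary intranet address just by supplying a Host header of its choice.
    """
    host = parse_host(head)
    return VHOST_MAP.get(host) if host else None


def read_head(conn: socket.socket) -> bytes:
    """Read until the blank line ending the request head, or MAX_HEAD bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    """Route one accepted connection to its backend, or reject it."""
    with client:
        head = read_head(client)
        target = pick_backend(head)
        if target is None:
            client.sendall(REJECT)
            return
        with socket.create_connection(target, timeout=10) as backend:
            backend.sendall(head)  # replay the bytes already consumed
            t = threading.Thread(target=pump, args=(backend, client))
            t.start()
            pump(client, backend)
            t.join()


def serve(listen: Tuple[str, int] = ("0.0.0.0", 8080)) -> None:
    """Accept loop; on the real firewall, bind to the public address."""
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The same split-by-name trick cannot be applied to the ftp entries in the map, which is why only www hosts are listed.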






Re: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Rishi L Khan

It seems that to accomplish the example you posed, you need 2 external IPs.
Say they were 1.1.1.1 and 1.1.1.2 for example. Then in DNS you could do:

ftp1 -> 1.1.1.1
ftp2 -> 1.1.1.2
www1 -> 1.1.1.1
www2 -> 1.1.1.2

And on your firewall do:
1.1.1.1 port 21 -> 192.168.0.10
1.1.1.2 port 21 -> 192.168.0.50
1.1.1.1 port 80 -> 192.168.0.12
1.1.1.2 port 80 -> 192.168.0.33

Or, alternatively, you can virtual host the 2 www ports. But the ftps, if
you want them both to be on port 21, need to have two separate IPs. The way
I do it at work is to use port 21 for anon ftp and another port for
registered users' ftp. That way the rules look like:

1.1.1.1 port 21   -> machine 1 port 21
1.1.1.1 port 2121 -> machine 2 port 21

Hope this helps.

-rishi
On 13 Feb 2002, Ramon Acedo wrote:





RE: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Steven

IMHO, putting a box on the interweb has security implications. But
port-forwarding in itself isn't exactly a security problem. I use port
forwarding to forward packets to a dmz, so on the off-chance that I am
r00t'd, all they have access to is the dmz. They still would have to be
real sneaky to get into my internal network, unless they can exploit the
firewall, which isn't running any services.

From my understanding, using port forwarding into a dmz is a very good
idea. Running services on your firewall is a much greater risk than port
forwarding, since if the firewall is r00t'd, then they control the
access point to the interweb and can sniff user/pass at will, and do
whatever else they feel inclined to do. 

Not trying to start a huge thread or a flame, but pointing out that
port-forwarding in itself doesn't have any security implications, it's
the implementation of port-forwarding that can have security
implications.


My .03, adjusted for inflation



Steven 

exitus acta probat
fide, sed cui vide



-Original Message-
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 13, 2002 6:42 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Emulate real ip's to access intranet hosts from outside







Re: Emulate real ip's to access intranet hosts from outside

2002-02-11 Thread vdongen

-Original Message-
From: Ramon Acedo [EMAIL PROTECTED]
Date: Sun, 10 Feb 2002 23:39:20 +0100
Subject: Emulate real ip's to access intranet hosts from outside
---snip-
 I just want that when someone try to access to host1.mydomain.net
 from the internet my firewall (and dns server)
 forward the request to host1.local which has the private ip
 192.168.1.20.
With what service? ssh? or webservice? or what?
 
 I've looking for that in the DNS Howto's but haven't found a
 solution. I've been thinking of a mix between
 nat iptables and special dns resolving, may be with 2 name server's
 one for the intranet and the other one for the internet.
you could easily make a hostname that will resolve to 192.168.1.20, for
instance, but that is not routable on the internet.

We need more info for us to help you with your problem.

Greetz,

Ivo







Re: [suse-security] Emulate real ip's to access intranet hosts from outside

2002-02-11 Thread Michael Appeldorn
 I'd like to access to the hosts of my intranet with private ip's from the
 outside.
 I have the following net:

One or a few weeks ago the same question was up and the list
concluded the discussion with the result that the best way seems to
be ssh port forwarding - that means you'll use putty or such a tool
to connect to your firebox, and the ssh parameters will
make the sshd forward all your packets with the private ip of your firebox.

And the best is - all is encrypted. IMPORTANT - there are some exploits
for known vulnerabilities of older ssh versions; use the current one and ensure
you force sshd to use protocol 2 (/etc/.ssh/sshd_config). And check your
iptables filter for allowed incoming/outgoing ssh packets (port 22/tcp).

Just see the archives of this list and watch for the VNC discussion a few
weeks ago to learn more.

Your Michael





Emulate real ip's to access intranet hosts from outside

2002-02-10 Thread Ramon Acedo
Hi!

I'd like to access the hosts of my intranet with private ip's from the
outside.
I have the following net:

A real domain name server managed by the computer which has the real ip, so
I can set all the names and subdomains that I need.
A firewall which is the same host as the dns server I mentioned before; I've
got iptables on that host and it masquerades my intranet, so the other hosts
with private ip's use it as default gateway.

I just want that when someone tries to access host1.mydomain.net from the
internet my firewall (and dns server) forwards the request to host1.local,
which has the private ip 192.168.1.20.

I've been looking for that in the DNS Howtos but haven't found a solution.
I've been thinking of a mix between nat iptables and special dns resolving,
maybe with 2 name servers, one for the intranet and the other one for the
internet.

But before starting I'd like to know if there is a sensible solution out
there unknown to me.

Thanks!

Ramon Acedo



Re: Emulate real ip's to access intranet hosts from outside

2002-02-10 Thread Vineet Kumar
* Ramon Acedo ([EMAIL PROTECTED]) [020210 14:43]:
 I just want that when someone try to access to host1.mydomain.net from the
 internet my firewall (and dns server)
 forward the request to host1.local which has the private ip 192.168.1.20.

I've thought about this problem, but I don't think there's a clean
solution for it in the general case. You may be able to get this working
for specific services (like www, for instance) by using virtual hosting
and proxying. The reason I don't think it will work in the general case
is really caching. To make that clearer, let me explain how I thought
the solution would have to be set up:

All of the names would have to resolve to the external address. The
nameserver would have to pay attention to who looked up what names and
make sure that the kernel could recognize incoming connections from
those folks as RELATED and DNAT them to the internal hosts.

The reasons I don't think it will work: generally, a client will ask a
nearby nameserver to resolve a name instead of doing it itself. This
means that the initial request to your nameserver will come from the
client's nameserver, not the client itself. Furthermore, this result
could get cached so that other clients would never be seen by your
nameserver. Also, you probably (hopefully) have secondary nameservers,
so they'd have to somehow forward the information to your primary host.
I think you'll see once you start to think about it some more that this
way just really will not work. (Or maybe I've entirely misunderstood
your question ;)

Let me know if you come up with anything useful.

If you decide to scope it down and want help with just an apache setup,
I'm sure you can get help on the list.

good times,
Vineet

-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
-- 
Satan laughs when we kill each other. Peace is the only way.

