iptables forwarding question

Ryan Barnard

09-19-2003, 08:40 PM
Hi all,

I currently have a home network which has a Slackware server as a
firewall for my cable internet. The computers behind the firewall
have a 192.168.0.# IP.

I am trying to set the network up so somebody could go to
"computerX.mydomain.com", where computerX is a computer on the private
network. The reason being mainly so I can ssh into my home machine
from off-site and do whatever.

So, my big question is, where should I be looking to do this? I
currently have a small iptables setup going to forward all the machine
out to the internet, and I assume it is some iptables setting I need
done, but I'm not too sure.

All help is greatly appreciated.
Ryan
Jeroen Geilman

09-20-2003, 12:28 PM
Ryan Barnard wrote:

> Hi all,
>
> I currently have a home network which has a Slackware server as a
> firewall for my cable internet. The computers behind the firewall
> have a 192.168.0.# IP.
>
> I am trying to set the network up so somebody could go to
> "computerX.mydomain.com", where computerX is a computer on the private
> network. The reason being mainly so I can ssh into my home machine
> from off-site and do whatever.


Not possible, but see below...

> So, my big question is, where should I be looking to do this? I
> currently have a small iptables setup going to forward all the machine
> out to the internet, and I assume it is some iptables setting I need
> done, but I'm not too sure.


Let me see if I understand:

- You have multiple internal machines, named computer*
- You have one (1) public IP, NATted to all of these machines
- You want to be able to use regular SSH to connect to any one of these
machines.

What I said - not possible.

See, SSH uses port 22 - of which you have only one.

So how is the firewall to decide which of those machines gets the use of
port 22 at any time?

It doesn't - you have to tell it which one to forward SSH to.

A far better alternative would be to assign your internal machine a static
IP address (you do not say whether it's static or DHCP) and forward any and
all SSH traffic to that IP - this is quite simple in iptables:

- forward from * to IP on port 22 all NEW connections
- reply and forward from * to IP all ESTABLISHED connections

This is all you need to forward SSH from the outside to one machine.

If you want to be able to SSH to *any* machine, it is a far better idea to
use different port numbers for each machine, say 1022 for #1, 1122 for #2,
1222 for #3 etc.

Then map those ports to the correct internal IP's port 22 with iptables, or
alternatively just run SSH on those ports - SSH doesn't care what port you
use.

The latter makes for a simpler iptables config.

It is simply not possible to use DNS names on a single public IP to map to
different machines, since SSH doesn't use hostnames - it uses the IP
address, and you have only one public IP.

One of the few protocols that DO allow this is http 1.1; you can use it to
run multiple virtual servers off of one IP.

If you're feeling adventurous, you might investigate the DNS "srv"
functionality; I know that this allows you to map a given service on a
domain to any port on any machine, but not many DNS servers implement this
yet, and it only works for entire domains, not hosts.

(M$ DS protocols use this technique)

--
Jeroen Geilman

Gentoo 1.4 rc4
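An added example, not from the thread: a POSIX sh script that prints the iptables rules for the scheme Jeroen describes, mapping external ports 1022, 1122 and 1222 to port 22 on three internal hosts. The interface names eth0/eth1, the host addresses 192.168.0.10-12 and the default-deny FORWARD policy are assumptions; the script only prints the commands so they can be reviewed before being run as root (the same function with external port 22 gives the single-host variant).

```shell
#!/bin/sh
# Assumed layout (not from the thread): eth0 faces the cable modem,
# eth1 faces the 192.168.0.0/24 LAN. Nothing here is applied; the
# commands are printed for review and can be piped to "sh" as root.
WAN_IF=eth0
LAN_IF=eth1

# One mapping "external_port internal_ip": DNAT the arriving packet to
# the LAN host's port 22, then allow only that rewritten NEW connection
# through FORWARD (the ESTABLISHED rule below carries the rest).
forward_ssh_rules() {
    ext_port=$1
    int_ip=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$WAN_IF" "$ext_port" "$int_ip"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$int_ip"
}

# Rules shared by every mapping: default-deny on FORWARD (an assumption
# beyond the post, so unmapped ports are dropped rather than forwarded)
# and the single ESTABLISHED/RELATED rule for replies in both directions.
common_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Build the complete rule set from a list of "port ip" pairs.
ssh_forward_ruleset() {
    common_rules
    while [ $# -ge 2 ]; do
        forward_ssh_rules "$1" "$2"
        shift 2
    done
}

# Constructed sample mapping following the 1022/1122/1222 scheme from the post.
ssh_forward_ruleset 1022 192.168.0.10 1122 192.168.0.11 1222 192.168.0.12
```

The `-m state` match is the one the post's NEW/ESTABLISHED wording refers to; current iptables accepts it as an alias for `-m conntrack --ctstate`.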
wolfgang.wagner5@chello.at

09-24-2003, 09:17 PM
On Sat, 20 Sep 2003 12:28:42 +0000, Jeroen Geilman wrote:

>Ryan Barnard wrote:
>
>> Hi all,
>>
>> I currently have a home network which has a Slackware server as a
>> firewall for my cable internet. The computers behind the firewall
>> have a 192.168.0.# IP.
>>
>> I am trying to set the network up so somebody could go to
>> "computerX.mydomain.com", where computerX is a computer on the private
>> network. The reason being mainly so I can ssh into my home machine
>> from off-site and do whatever.

>
>Not possible, but see below...
>
>> So, my big question is, where should I be looking to do this? I
>> currently have a small iptables setup going to forward all the machine
>> out to the internet, and I assume it is some iptables setting I need
>> done, but I'm not too sure.

>
>Let me see if I understand:
>
>- You have multiple internal machines, named computer*
>- You have one (1) public IP, NATted to all of these machines
>- You want to be able to use regular SSH to connect to any one of these
>machines.
>
> ..... some lines cut
>
>If you want to be able to SSH to *any* machine, it is a far better idea to
>use different port numbers for each machine, say 1022 for #1, 1122 for #2,
>1222 for #3 etc.


Why not configure just SSH from outside and use SSH port forwarding
to reach the others? So you don't have to set up as many ports.

>The latter makes for a simpler iptables config.


This would be even simpler.

>It is simply not possible to use DNS names on a single public IP to map to
>different machines, since SSH doesn't use hostnames - it uses the IP
>address, and you have only one public IP.


Seen from the outside, DNS resolution is not possible. I never
checked whether the SSH server converts the name to the IP if one
uses SSH tunneling. If DNS resolution is done at the sshd side, then an
internal DNS could resolve the names.

-wolfgang-
