On Thu, Jul 29, 2004 at 10:27:05AM -0400, Hakim Singhji wrote:
> Hi Matt,
>
> You say that the only way I will be able to connect to my network is by tunneling.
> This is not what I want to do, I thought I may be able to SSH, Telnet, www, etc.
> from the outside to my default gateway and have the gateway pass SSH, Telnet,
> www., or any other request to the machine on the private network by including the
> "localhost.defaultgateway.domain.org" or something to that effect.
>
> Does NAT Overloading only go one way???
Essentially, yes. What you're after is called 'port forwarding' (which is actually a class of tunnelling methods). What you can't do in the sort of setup you describe is ssh(1) to the gateway machine and have it connect you to some arbitrary machine on your internal network. The outside world doesn't "know" anything about the arrangement of your private network: which machine should the gateway box forward the incoming connection to? All it sees is a TCP SYN packet sent to port 22 on its internet interface. Going the other way round -- where the internal machine initiates the connection -- works because you can match up the response 'ACK' packet to the outgoing 'SYN' packet.

In order to allow remote access to your private machines you've somehow got to introduce a mechanism to permit the gateway machine to know which of the internal machines you want to connect to. You can set up non-standard ports on the NAT gateway to forward connections to internal machines, eg.:

    Port:    Destination:
    ----------------------
    2201     192.168.0.1:22
    2202     192.168.0.2:22
    2203     192.168.0.3:22

(see natd(8)) but a) you'd have to do that for each service on each machine you want connectivity to, and b) it's not going to work in the specific case of ssh(1), because ssh(1) attempts to verify the identity of the host it connects to against the host keys presented to it during the SSH connection.

Probably the easiest thing to do is log into your gateway machine via ssh(1) and then take a second hop from there to your internal machines.

telnet(1) is generally a bad idea for security reasons.

ping(8), which operates via ICMP echo request, is completely out: ICMP doesn't have the concept of port numbers at all, so there's no way to clue the NAT gateway into which machine you want to communicate with.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
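The natd(8) configuration that realises the port table in Matthew's reply, as an added example (it is not part of the original mail). The external interface name fxp0 is a placeholder, and the three internal hosts are the ones from the table; nothing else in the private range is reachable from outside because only these explicit redirects exist.

```conf
# /etc/natd.conf -- added example, not from the original post.
# Assumes the gateway's external interface is fxp0 (placeholder) and
# the internal hosts 192.168.0.1-3 from the table in the reply.
interface fxp0
use_sockets yes
same_ports yes

# One redirect_port line per (external port, internal host:service) pair.
# Each additional service on each additional host needs its own line,
# which is point a) in the reply.
redirect_port tcp 192.168.0.1:22 2201
redirect_port tcp 192.168.0.2:22 2202
redirect_port tcp 192.168.0.3:22 2203
```

natd(8) only sees packets that ipfw(8) hands it, so the gateway also needs a divert rule such as `ipfw add divert natd ip from any to any via fxp0` (and a kernel with IPDIVERT), plus `natd_enable="YES"`, `natd_interface="fxp0"` and `natd_flags="-f /etc/natd.conf"` in /etc/rc.conf. On the host-key point b): each forwarded port presents a different server key to the client, so OpenSSH records them as separate known_hosts entries of the form `[gateway]:2201`, and a key change on any one of them will trigger the usual mismatch warning. The two-hop alternative in the reply needs no natd redirects at all: `ssh -t gateway.example.org ssh 192.168.0.1` (hostname is a placeholder), or a `ProxyJump gateway.example.org` entry for the internal hosts in ~/.ssh/config on newer OpenSSH clients, which keeps port 22 on the gateway as the only exposed service.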