[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> The application is called JNOS.  Now here is what I have in the
> simplest terms I can come up with.

Your explanation boils down to a picture like this:

    +-----+
    | ISP |
    +-----+
        |
        | ppp0 (205.1.1.20)
     +------------+           (192.168.1.2)  +--------+
     | Linux Masq |--------------------------|  JNOS  |
     +------------+ slip0 (192.168.1.1)      +--------+

I like pictures.  They describe things so succinctly.  :)

Anyway, your configuration here is no different from any other masq
setup; they just normally have an eth0 interface, in place of your slip
interface.  But the basic task of forwarding and masquerading packets is
the same.  My initial confusion stemmed from the way you seemed to be
doing something so different from what other people do; but you're not.  :)

> Now my question is...  My JNOS program contacts a computer on the
> internet (using this masquerading) and tells it to contact me at my
> currently used address (with masquerading this would look like the
> ppp0 address?).

Well, this is a good question, isn't it?  Your JNOS program doesn't know
anything about how it's being masq'd, right?  So how can it know to tell
a remote machine to use some dynamic IP address instead of its own
interface's IP address?  This is the basic problem that makes
applications so difficult when masq is involved.

> If that computer at the distant end now initiates a telnet, ping, ftp,
> intended to reach my JNOS program, how can I have my JNOS program
> receive this incoming packet?

Good question.  How can your masq box possibly know that a ping packet
that it just received was supposed to be destined for a machine behind
your masq firewall?  It might be a coincidence that the machine happened
to ping you.  Your masq box can't know that it was in response to some
other packet sent over one of the masq tunnels.

Similarly, if a remote machine initiates a telnet request, how is the
masq box to know that the machine isn't trying to reach its own telnet
port?  What information is there to tell it that the packet is really
destined for another machine?

The answer to the first question is usually that your remote machine
must only look at the IP address that it sees on the socket.  That is,
if it uses the IP address from a getpeername() system call, it will
obtain the IP address of your masq box, and there will be some hope that
it can somehow return traffic back to you by sending to that IP on a
separate connection.  However, if your application somehow encapsulates
the IP address and sends it within a packet, the masq box will not know
to alter that data in transit (without a specially-coded protocol
module) and the remote machine will receive an unrouteable address
(192.168.1.2) which it will be completely unable to send a packet to.
It seems that far too many protocols (games and such) are written this
way.  Sigh.

To answer the second question, the answer is clear:  port forwarding.
There is the old, obsolete ipautofw, and the newer, more correct
ipportfw.  You can redirect a single port, or several ports, from your
masq box, and send them to the hidden host behind the firewall.  But
this will only work desirably if you redirect a port that is not used by
the masq box for its own services (such as telnet).

For instance, you could redirect port 2323 on the masq box, to port 23
on the JNOS machine.  Then a system that opens a telnet session to port
2323 on your masq box's IP address will find itself talking to your
JNOS's telnet daemon.  You could take a similar approach with other
services that your JNOS box offers.

> Is it possible to redirect ALL packets coming in from just that one
> distant computer on ppp0 so they are always passed to my JNOS
> application?

Ipautofw could conceivably be made to do this, but it will severely
disrupt legitimate traffic to the masq box itself if you configure it
this way.  My considered opinion is that the masq system was not really
designed with this type of problem in mind.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
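As an added illustration (not part of the original thread), here is a small Python model of the masq box in the picture above: it masquerades outbound connections, applies one ipportfw-style rule (2323 on the masq box to port 23 on JNOS), and shows why an unsolicited inbound packet to port 23 stays on the masq box while a private address embedded in the payload leaks out untouched. The remote address 198.51.100.7 and the port numbers are constructed for the demo.

```python
from dataclasses import dataclass, replace

MASQ_PUBLIC = "205.1.1.20"   # ppp0 address from the diagram
JNOS = "192.168.1.2"         # hidden host on slip0
REMOTE = "198.51.100.7"      # constructed address for the distant computer

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

class MasqBox:
    """Toy model of Linux masquerading plus an ipportfw-style port forward."""
    def __init__(self):
        self.masq = {}       # masq port -> (inner ip, inner port), filled on outbound
        self.forwards = {}   # public port -> (inner ip, inner port), static rules
        self.next_port = 61000

    def add_forward(self, public_port, inner_ip, inner_port):
        self.forwards[public_port] = (inner_ip, inner_port)

    def outbound(self, pkt):
        """Rewrite only the IP/TCP header; the payload is passed through untouched."""
        for mport, inner in self.masq.items():
            if inner == (pkt.src, pkt.sport):
                break
        else:
            mport, self.next_port = self.next_port, self.next_port + 1
            self.masq[mport] = (pkt.src, pkt.sport)
        return replace(pkt, src=MASQ_PUBLIC, sport=mport)

    def inbound(self, pkt):
        """Return ("inner", pkt) if it maps to the hidden host, else ("masq", pkt)."""
        inner = self.masq.get(pkt.dport) or self.forwards.get(pkt.dport)
        if inner is None:
            return "masq", pkt   # nothing in the header says it is for JNOS
        return "inner", replace(pkt, dst=inner[0], dport=inner[1])

def demo():
    box = MasqBox()
    box.add_forward(2323, JNOS, 23)   # 2323 on the masq box -> JNOS telnet
    out = box.outbound(Packet(JNOS, 1024, REMOTE, 23, f"call me back at {JNOS}"))
    reply = box.inbound(Packet(REMOTE, 23, MASQ_PUBLIC, out.sport))
    cold_call = box.inbound(Packet(REMOTE, 40000, MASQ_PUBLIC, 23))
    forwarded = box.inbound(Packet(REMOTE, 40001, MASQ_PUBLIC, 2323))
    return out, reply, cold_call, forwarded
```

Note that `out.payload` still carries 192.168.1.2 after translation, which is exactly the unroutable address the remote end would try to connect back to.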