TCLUG Archive

RE: [TCLUG:10864] IP Masquerading

> -----Original Message-----
> From: Brian J. Ackermann [mailto:brianj@subrad.com]
>
> Quick question, just so I make sure I understand this right.
>
> If I were to set up my firewall box with masquerading, would I be able to
> connect to an 'inside' box?  I'm certain that 'inside' boxes can get 'out'
> and have info sent back to them (browsing WWW, for instance.)  But, could I
> have a machine 'inside' called 'www.bbros.com' on our masq'd subnet
> (192.168.6.144, perhaps) and then point my browser from an 'outside' host
> toward 'www' and have the masq resolve this at all?

Yes, you can do this.  One way is to set up static port forwarding in the
NAT table of your firewall for the server and service you want to provide.
A common example is an internal web server.  You'd map your web server's
internal IP and port 80 to the firewall's external IP and port 8080.  That
way someone outside your firewall can browse to www.bbros.com:8080 and
connect to your internal web server.  You can also just map port 80 to port
80, but that will prevent you from running any httpd service on the firewall
itself.

Huge disclaimers apply here.  It's opening up a pipe through your firewall,
so security is entirely dependent on your web server's security.  Also, I
haven't done this with Linux tools, and my one attempt to try it with a
Cisco 675 router failed miserably (see archive: "Beverly Hills ate my NAT
table").

--
Carl Patten
Systems Administrator
Trimodal Inc.
<definitely not speaking for the company on this one>
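The static port forwarding Carl describes, written out as an added example
with Linux iptables/netfilter.  This is not code from the original thread and
not how Carl set it up (he says he hasn't done it with Linux tools); the
addresses and interface are assumptions: the firewall's external interface is
eth0 with address 203.0.113.10, the internal web server is 192.168.6.144 on
port 80 (the subnet from the question above), and it is exposed on external
port 8080.  The FORWARD rules admit only that one port to that one host, so
the "pipe" through the firewall is no wider than the web server itself.

```shell
#!/bin/sh
# Added example (not from the original thread): static port forwarding
# (DNAT) on a Linux masquerading firewall with iptables.
# Assumed values, all hypothetical except the internal host from the question:
#   EXT_IF   firewall's outside interface
#   EXT_IP   firewall's outside address
#   INT_HOST internal web server on the masqueraded subnet
#   EXT_PORT port clients on the Internet connect to
#   INT_PORT port the web server actually listens on
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
INT_HOST="${INT_HOST:-192.168.6.144}"
EXT_PORT="${EXT_PORT:-8080}"
INT_PORT="${INT_PORT:-80}"

# Emit the rules as text so they can be reviewed (or tested) before they
# touch the live firewall.  Order matters:
#   1. forwarding must be enabled in the kernel;
#   2. PREROUTING/DNAT rewrites the destination from the firewall's outside
#      address:EXT_PORT to the web server:INT_PORT before routing, so the
#      packet is forwarded rather than delivered to the firewall's own httpd;
#   3. FORWARD admits only that host/port inbound, and only established
#      reply traffic outbound;
#   4. POSTROUTING/MASQUERADE is the ordinary masquerading of the subnet,
#      kept here so the example is complete on its own.
portfw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT
iptables -A FORWARD -i $EXT_IF -d $INT_HOST -p tcp --dport $INT_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $EXT_IF -s $INT_HOST -p tcp --sport $INT_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Apply the rules, or just print them when DRY_RUN=1.
apply_portfw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        portfw_rules
    else
        portfw_rules | while IFS= read -r rule; do
            eval "$rule"
        done
    fi
}

# Entry point: "show" prints the rules, "apply" installs them (needs root).
case "${1:-}" in
    show)  DRY_RUN=1 apply_portfw ;;
    apply) apply_portfw ;;
esac
```

Run `sh portfw.sh show` to read the rules first, then `sudo sh portfw.sh
apply` on the firewall.  To check it from the outside, fetch
http://203.0.113.10:8080/ from a host on the Internet and watch the packet
counter on the DNAT rule climb with `iptables -t nat -L PREROUTING -v -n`.
Replies work because the internal server's default gateway is the firewall,
so its answers pass back through the same connection-tracking entry and are
un-NATed on the way out.  One caveat the thread does not cover: with the
PREROUTING rule matched on the outside interface only, browsers on the inside
subnet will not reach www.bbros.com:8080 through the firewall's external
address; they should use the internal address or a split DNS entry.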