Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The example above nats all the requests arriving at the external interface of the Linux router to an internal webserver at port 8080.
If you need something more specific I am glad to help you out just state more info, and in case you might wonder where to get excellent information examples and tutorials about IPTABLES, check out this tutorial it is the one tutorial I recommend most and it is the one tutorial that catapulted me into the world of iptables.
Apart from the example rule ALInux have mentioned, you got enable (echo 1 >> /proc/sys/net/ipv4/ip_forward) packet forwarding at your kernel & you got to make sure that local ip address to whom you are forwarding these packets should have your linux router's LAN IP as its gateway.
If you incase opt for using 3 different public ips at your LAN boxes (with bridging being done at your router/modem) then you do not need any port forwarding in this case. The basic usage of port forwarding or packet forwarding or tunelling or ip forwarding comes when you have a limitation of nos of public ips. In this case every single port of this real public ip serve us as another public ip(logically). For example; suppose i only have 1 real ip & i want to host webserver, ftp server, terminal server(services) & i have all of these 3 services running at physically different boxes, so with port forwarding i would map port 80 of my real ip to LAN-hosted webserver & for ftp server i would map 21 port of my real-ip to the other different LAN-hosted ftp server further as i got to make my internet users do remote logon with terminal services; i'll map 3389 port of my real ip to terminal server hosted inside my LAN.
In the other case; if i would have had 3 public ip's then i would make them physically available at those LAN hosted boxes by adding another ethernet interface & hence no PORT FORWARDING.
But only one Public ip is physically present in the lan card
May be other two Public ips are virtual
Until & unless either you confirm you have got these other two real ips as virtual or you create them & see packets coming to them; you cant expect iptables to do any static NATing for you for these 2 other real ips.
Like the way you have mapped(bridging) one of your real ip to your LAN card, you got to map other also or if you do not want to perform these steps(as you have stated in your last post); you got to do NATing at your DSL router/modem. You got to tell your a/dsl modem/router to forward all the packets recieved at your other two real ips to forward to some LAN box or this box.
You are describing a situation where you have a WAN zone, and LAN network and a DMZ zone with a public web server and an ftp server. I would recommend using three interfaces, one for each zone, or configure those servers as bastion hosts in the Internet zone and place the FC firewall between the internet zone and the LAN. The two servers each having the IP address assigned to them that the ISP provided. The third IP address could then be NAT'ed like you would for network sharing. In other words, don't have a LAN-hosted webserver unless it is only used inside the LAN.
Besides security concerns, you also want to keep heavy traffic out of the LAN.
I think that this would be a much safer configuration.
Code:
LAN ZONE DMZ ZONE EXTERNAL ZONE
Lanhost-1--------| WebServer-----|----------- Firewall ----- Internet
Lanhost-2--------|---- Nat Router --| FTP Server----| |
Lanhost-3--------| | |
Lanhost-4--------| ----------------------------------|
Instead of a Telnet server, using different ports for ssh to differentiate between local hosts would be a better Idea. Never use telnet, unless you are just using the client program and you are connecting to the device directly through a dedicated terminal port, such as on a Cisco router for example. If you want to use TightVNC Remote desktops, you can also configure each host to use a different port. This is often done when you instead have several thin clients connecting to a central application server for example. If you want to use ftp on a host on LAN, consider using sftp instead. You have the ssh ports open anyway.
Use one public IP address for the Web Server. If FTP is on another server, use the second IP address for that and NAT the third for the LAN hosts. This could be done in the Firewall, but having a second NAT router or firewall would be safer.
Otherwise mistake in the Firewall could leave your LAN naked to attack. The Web Server and the FTP server could also have their own internal firewalls. The more onion like layers of security the better.
firewall set up so that only the the port they serve is open.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
