LinuxQuestions.org forum: Linux - Networking
I have a LAN connection coming in my router, which has an outside IP of (we'll use these for examples) A.A.A.A1. My router's internal IP is 192.168.0.1. I have one box connected to the router, with IP 192.168.0.100.
Now, the box can have multiple IPs assigned to that NIC.
Is there any way for me to 'route' another IP through the router, basically bypassing it entirely?
I want 1 IP that's currently assigned to the router, which puts the box in the DMZ, and another IP to basically pass straight through to the box.
Basically, box needs 2 external IPs somehow. I only have 1 LAN port to use, and the router is a requirement for other things, so I can't get rid of it.
I would guess that this is going to depend entirely on the router. Let's say, for a second, that you didn't have any hardware restrictions: multiple NICs, plus no restriction about what the router is connected to upstream. You would have a set-up that looks like this:
NIC A [NIC A WAN IP] -----------------------------.
Switch -------- WAN
NIC B [192.168.0.100] ----- [192.168.0.1] Router [router WAN IP]
The switch is a link layer device, so it's going to send packets to either the WAN port of your router, or to NIC A, based on ethernet address [AKA MAC address or HWaddress].
Your router is a Network layer device; as such, it will determine where packets are sent via IP address rather than by ethernet address.
Your question, then, is whether it's possible to emulate this setup on your router. My Linksys WRT54G has a feature called 'static routing', allowing specific routes from the router to a given LAN IP address... I think that this will do what you want it to, assuming that the router doesn't try to get too smart about what's happening at the link layer.
On my router this is available under [setup]->[advanced routing], and allows IP address, subnet mask and default gateway to be set up for up to 20 static routes.
This is one of those cases where a picture is worth a thousand words... that's why I put together the ascii art diagram of the network as I saw it.
If you can put together a sketch of how your network is set up, either as ascii art, or an attached picture (svg is a good option), that would help. Make sure that you show the IP address of each connection on both sides e.g.
You have a very interesting problem there. What you're trying to do is called SNAT (Static Network Address Translation). Unfortunately, your SOHO router almost certainly doesn't support SNAT (or multiple WAN IPs in any way). What you need to do is use a static route to get it to route packets for the public IP to your server's LAN IP. You then need to get your server to realize that those packets are for it.
The static route to set on the router is easy: network <public IP> netmask 255.255.255.255 gateway <LAN IP>. This will make it think that the LAN IP of the server is the next hop for packets destined for the public IP. In point of fact, that's exactly correct.
The second part (making the server realize that the packets addressed to the public IP are for it) is rather more complicated. I'm guessing that it'll involve creating a virtual Ethernet device. I'll fire up some VMs when I get home and play around with it.
You can subnet your network. Assign the regular IP and the virtual IP on different subnets. Then use the router to route between them.
You could also use a 10.xxx.xxx.xxx address for the virtual IP address.
However, as the router's output port is also a port, you don't have the isolation you should with one device. A computer in the DMZ should not have any interface in the LAN.
In the DMZ it is exposed to hostile traffic. If it is successfully compromised, the attacker has full access to your LAN. Even without being compromised, you are allowing internet traffic on the wire you use for the LAN, which will eat up bandwidth. If there is a DOS attack, for example, the attacker can deny LAN access as well as access to the internet.
There is a type of scanning where a 3rd device is used (such as a printer), which could reveal to an attacker that the device is actually on the LAN, making you a more attractive target.
As jschiwal says, it's rather insecure to have a publicly visible host connected to your LAN. If that host is breached, it effectively makes the rest of your LAN public too. Most computers on LANs aren't secure enough for public visibility, so that can be a Very Bad Thing. You have been warned.
As it turns out, it's simpler than I thought. All you need to do in order to get your server to listen on the public IP is register it as a virtual interface on eth0. The command to do that is below. Replace '<public IP>' with the public IP you want it to listen on. I'm not a Debian user so I have no idea how to make its init scripts set that up for you. Someone else (you?) will have to figure it out.
As I said above, you then need to configure a static route on your router so it routes packets for the public IP to the server's private IP. When the server receives packets addressed to the public IP, it'll realize that IP belongs to one of its interfaces and handle them appropriately. The parameters of the route are network=<public IP>, netmask=255.255.255.255, gateway=<private IP>.
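The two decisions the last two posts rely on (the router picking the LAN server as next hop because of the host-mask static route, and the server accepting the packet only once the public IP is configured as one of its own addresses) can be modelled in a few lines. This is an added example written for this thread, not code posted by anyone in it. It assumes constructed addresses: 203.0.113.10 (TEST-NET-3) stands in for the thread's <public IP>, 203.0.113.1 for the ISP's gateway, and 198.51.100.7 for an arbitrary internet host; the 192.168.0.x addresses are the ones the original poster gave.

```python
"""Toy longest-prefix-match forwarding model for the static-route trick.

Added example, not from the thread. It shows why a route with netmask
255.255.255.255 beats the router's default route, and why the server
also needs the public IP as a local address (the eth0 alias) before it
will deliver the packet instead of discarding it.
"""
import ipaddress

PUBLIC_IP = "203.0.113.10"      # constructed stand-in for <public IP>
ROUTER_LAN_IP = "192.168.0.1"
SERVER_LAN_IP = "192.168.0.100"
ISP_GATEWAY = "203.0.113.1"     # constructed upstream next hop
SOME_INTERNET_HOST = "198.51.100.7"  # constructed arbitrary destination


def lookup(routes, dst):
    """Longest-prefix match: return the most specific route covering dst.

    Each route is a dict with 'prefix' (CIDR string), 'via' (next-hop IP,
    or None when directly connected) and 'dev' (outgoing interface).
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r["prefix"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def router_routes(with_static_route=True):
    """The SOHO router's table, with or without the static route from the thread."""
    routes = [
        {"prefix": "192.168.0.0/24", "via": None, "dev": "lan"},   # connected LAN
        {"prefix": "0.0.0.0/0", "via": ISP_GATEWAY, "dev": "wan"},  # default route
    ]
    if with_static_route:
        # network=<public IP> netmask=255.255.255.255 gateway=<private IP>
        routes.append({"prefix": PUBLIC_IP + "/32", "via": SERVER_LAN_IP, "dev": "lan"})
    return routes


def router_next_hop(dst, with_static_route=True):
    """Return (interface, next-hop IP) the router would use for dst."""
    r = lookup(router_routes(with_static_route), dst)
    # A directly connected route means the destination itself is the next hop.
    return (r["dev"], r["via"] or dst)


def server_local_addrs(with_alias=True):
    """Addresses the server treats as its own; the eth0 alias adds the public IP."""
    addrs = {SERVER_LAN_IP}
    if with_alias:
        addrs.add(PUBLIC_IP)
    return addrs


def server_action(dst, with_alias=True):
    """'deliver' if dst is a local address; otherwise a non-forwarding host drops it."""
    return "deliver" if dst in server_local_addrs(with_alias) else "drop"


def trace(dst, with_static_route=True, with_alias=True):
    """Follow one packet: router decision, then the server's decision if it gets there."""
    dev, hop = router_next_hop(dst, with_static_route)
    if not (dev == "lan" and hop == SERVER_LAN_IP):
        return (dev, hop, None)          # never reaches the server
    return (dev, hop, server_action(dst, with_alias))


if __name__ == "__main__":
    for static, alias in ((False, False), (True, False), (True, True)):
        print(f"static route={static!s:5} alias={alias!s:5} ->",
              trace(PUBLIC_IP, static, alias))
```

Without the static route the router's only match for the public IP is the default route, so the packet is sent straight back out the WAN port; with the route but without the alias the server discards it as not-for-me. Only the combination the posts describe ends in local delivery.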
I looked up the d-link dir-628 for compatibility with OpenWRT and dd-WRT... unfortunately it runs a ubicom chip which doesn't seem to be supported by much. If you can't get the routing capabilities that you need from your router, it may be worth investing in a router which will support one of the open source firmwares. OpenWRT and dd-WRT are both Linux based, and as such will use iptables, which allow you to do pretty much any type of routing that you want. A Linksys WRT-54G (or whatever its successor is) goes for about 60 US dollars, I'm sure that you could do a lot better on Ebay.
We haven't discussed the other issue you run into: getting a second public IP address from your ISP.
Another issue that would bother me somewhat is security. As mentioned by others on this thread, having a publicly routable address in your LAN is a bad idea from a security stand-point... but even if you fix that, you still have to deal with the fact that both your virtual, publicly routable address and the other IP address running through the same jack are both on the same box. Unless you set up some sort of chroot environment or a virtual box connected to the outside world, you risk having that box get compromised, which will leave the rest of your LAN vulnerable.
Come to think of it, you can probably do this more economically by investing in a 10/100 switch and a second ethernet card for your computer. Plug the switch between your router and ISP access point (cable modem/DSL modem/fiber optic jack...), then plug a cat5 between your second ethernet card and the switch. As long as your ISP will give you a second public IP address, you're all set at that point.