LinuxQuestions.org
Old 09-27-2017, 06:39 PM   #1
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Rep: Reputation: Disabled
IP Aliasing; Static IP from ISP Dynamic IP for LAN


First, I am unsure if this is possible, and second, I did search to the best of my abilities so as not to repeat a “Solved” question.

I am wondering if I am able to assign a Static IP with specific outside access on specific ports and then an internal LAN IP for various applications with no outside port access.

This stems from my Samba server where I want different access from the I-Net and just Internal access via LAN.

Also, I just want to learn how to.

Any suggestions? Or would this work the exact same way as aliasing LAN IPs?
 
Old 09-27-2017, 07:47 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,877

Rep: Reputation: 3615
Depending on distro and maybe the nic card you should have a few ways to do it.

https://wiki.debian.org/NetworkConfiguration has an example.

A roundabout way that should still work, I think: https://superuser.com/questions/1754...signed-by-dhcp

Others may have ideas too.
 
Old 09-28-2017, 11:30 AM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
I'm not sure I understand your question completely.

If you are talking about, and these are only examples, changing a public IP to a Private IP, then use IPTABLES for this.

Example:

8.5.2.46 -> 10.2.3.4

Code:
iptables -t nat -A PREROUTING -i eth0 -d 8.5.2.46 -j DNAT --to-destination 10.2.3.4
 
Old 09-29-2017, 06:31 PM   #4
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lazydog
I'm not sure I understand your question completely.

If you are talking about, and these are only examples, changing a public IP to a Private IP, then use IPTABLES for this.

Example:

8.5.2.46 -> 10.2.3.4

Code:
iptables -t nat -A PREROUTING -i eth0 -d 8.5.2.46 -j DNAT --to-destination 10.2.3.4
I honestly am not even certain what I am thinking I want is a legitimate scenario.

I own 5 static IPs

1 to router / LAN for home
1 to Linux email server
1 to my web server
1 I want to go to my Samba server...

I want a static IP for external (internet) use for a certain share, but I also want a LAN share using the IP from the router's LAN (192.168.0.x) for its own share. I am assuming that by default my static IP configuration will be separate from the LAN subnet, so I was wondering: do I need to add an eth0:1 for a LAN IP so that I can allow various programs to use the different IPs?

Yah, weird question. I don't even know
 
Old 09-30-2017, 03:56 AM   #5
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Probably best if you start by describing how your LAN is set up and how you are making use of the 4 internet-routable IP addresses you already use.
 
Old 09-30-2017, 01:04 PM   #6
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Ok

X.x.x.151
X.x.x.152
X.x.x.153
X.x.x.154
X.x.x.155

.151 is my Router/Gateway address which also serves out the 192.168.0.x for my LAN (TV, Phones, XBox, MS PC)
.152 is my Functioning Slack Mail Server w/ its registered Domain
.153 is my Soon to be functioning WWW Server w/ its own Domain
.154 is the Samba Server w/ its own Domain that I have access to from the outside world (hotel, friend or just at work bored) using its own Samba Share
.155 is unused.

My question is if I can add an eth0:1 alias of, let’s say, 192.168.0.66 from my Router to allow access from my Samba Server to my LAN to have access to its own wide open share. I assume that, being that the Samba Box has a STATIC IP, it is not part of the Router's (.151) LAN Subnet?

I mean, maybe I am not thinking big enough about a Router's functionality or how Subnets work; I just assume that a static IP can’t talk to another static IP’s LAN Subnet.
 
Old 09-30-2017, 01:43 PM   #7
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,460

Rep: Reputation: 5828
Wide open share? SMB/CIFS (samba) open to the internet is considered a very bad idea and a huge security risk. I would suggest using a VPN, cloud server or ssh/sftp as some better options to share files.
 
Old 09-30-2017, 02:10 PM   #8
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk
Wide open share? SMB/CIFS (samba) open to the internet is considered a very bad idea and a huge security risk. I would suggest using a VPN, cloud server or ssh/sftp as some better options to share files.
That is what I was saying; the “Internet” access to the IP has a limited / restricted access to read / write but NO execute/delete with other “failsafes”. The “all access open” is currently set for LAN Only which is my 4 computers and TV and is restricted to ONLY access among the LAN IP’s for that open share.

Internet access has no access to that.
 
Old 09-30-2017, 03:29 PM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,460

Rep: Reputation: 5828
Do you know what protocol version your TV is using? Despite encryption, SMB signing and fail safe methods I would still be reluctant to open up SMB/CIFS ports to the internet.
 
Old 09-30-2017, 03:52 PM   #10
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk
Do you know what protocol version your TV is using? Despite encryption, SMB signing and fail safe methods I would still be reluctant to open up SMB/CIFS ports to the internet.

Even on a LAN where only 3 LAN IP’s have access? And when I say “open access” I just mean to that one directory so I can, when working in different rooms, modify existing files and make new and read... only in that LAN Share.
The Internet Samba Share is only read and write (new) but not execute or modify and that allows only 2 very small subnets that I control elsewhere.

As far as my TV, I know not specifically. Really it’s just my Nvidia Shield TV Box and an Amazon TV Box where I update Kodi etc. from my Samba Share or stream movies from my share database.
 
Old 09-30-2017, 04:46 PM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,460

Rep: Reputation: 5828
Granted we know nothing about your network configuration or your exact samba configuration etc and I might be a bit paranoid since it is basically a Microsoft product (SMB/CIFS protocol) there could be other vulnerabilities.
 
Old 09-30-2017, 04:53 PM   #12
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk
Granted we know nothing about your network configuration or your exact samba configuration etc and I might be a bit paranoid since it is basically a Microsoft product (SMB/CIFS protocol) there could be other vulnerabilities.
No I totally understand.

I have a TP-Link AD7200 with everything closed except the minimal ports I needed opened. On both Linux machines I am using AlienBob's generated rc.firewall and both are ALL-CLOSED /DROP except the specific IP’s (external and LAN).
I am also running a modified Fail2ban which has a multitude of connection attempt sequences blocked.
Aside from the fact that there are always vulnerabilities, I would like to (ignorantly?) think I have some decent safeguards up.

I mean, be it both LAN and External IPs (other than incoming email, which allows most, but my postfix is pretty solid with ban lists and attempts etc. using Fail2ban), anyone who is allowed in my boxes has to be in my firewall.

I hope that comes across as humble and genuine, I truly am receiving advice openly.
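
Added example, not part of any post in this thread: a dry-run script for the setup discussed above (a Samba host with a public static address plus an eth0:1 LAN alias), printing the alias command and iptables rules that tie each allowed source network to the one address it may reach. It assumes the host's NIC sits on the same segment as the router's LAN; the public address and remote subnets are constructed placeholders, and the chain name SMB_IN is hypothetical.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for a Samba host that has
# a public static address plus a LAN alias on the same NIC.
# Addresses are constructed placeholders, except 192.168.0.66, which is the
# alias address proposed in the thread.

PUB_IP="192.0.2.154"        # placeholder standing in for X.x.x.154
LAN_IP="192.168.0.66"       # alias address proposed in the thread
LAN_NET="192.168.0.0/24"    # router's LAN subnet
REMOTE_NETS="198.51.100.8/29 203.0.113.16/29"   # constructed allowed remote subnets
IFACE="eth0"
SMB_PORTS="139,445"         # SMB over TCP only

# Emit the command that adds the LAN alias (eth0:1) beside the static address.
alias_cmd() {
    printf 'ip addr add %s/%s dev %s label %s:1\n' \
        "$LAN_IP" "${LAN_NET#*/}" "$IFACE" "$IFACE"
}

# Emit iptables commands for a dedicated SMB chain (SMB_IN is a made-up name).
# Every ACCEPT pairs a source network with a single destination address: a LAN
# source is accepted only on the alias, a remote source only on the public
# address. Any other packet to the SMB ports is dropped.
smb_rules() {
    echo "iptables -N SMB_IN"
    echo "iptables -A SMB_IN -s $LAN_NET -d $LAN_IP -j ACCEPT"
    for net in $REMOTE_NETS; do
        echo "iptables -A SMB_IN -s $net -d $PUB_IP -j ACCEPT"
    done
    echo "iptables -A SMB_IN -j DROP"
    # Inserted at the top of INPUT so an earlier broad ACCEPT cannot bypass it.
    echo "iptables -I INPUT -i $IFACE -p tcp -m multiport --dports $SMB_PORTS -j SMB_IN"
}

# Count emitted ACCEPT rules whose destination is the given address.
accepts_for() {
    smb_rules | grep -c -- "-d $1 -j ACCEPT"
}

alias_cmd
smb_rules
```

The firewall only controls who can reach which address; which share a client may open is still decided in smb.conf, for example with a per-share `hosts allow`.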
 