-   Linux - Networking (
-   -   public IP on internal network (

minty33 12-03-2012 05:32 PM

public IP on internal network
This is probably a silly question but I never used a public IP before except forwarding the one my ISP gave me. The question is I am going to run another Linux distro as a router inside a DMZ. What needs to be configured? Does the gateway routes just know its a public address and update its routing table when I attach the Linux router to it? Little background on what I'm doing. First I can't port forward on the gateway even knowing it would be easier. I am hosting several xen guests on one server and am using NAT to reach the internet from them. I need to reach these guests via ssh though remotely. Since I have only one public IP other than my ISP's router and for unmentioned reasons i can't do it on that device I Decided to make another guest act as a router to the other guests and do the port forwarding for me. I read that the Dom0 in xen should get a private IP and the virtual router should get the public IP for security reasons. This way remotely I can:
Ssh user@publicipforvrouter:uniqueport where the unique port is forwarded to the guest vm configured to use that port for ssh. My question is how do I use a public IP on an internal network this way? Does anything on the gateway need to know this internal router is a public address or is that dynamic. I'll simplify say the gateway is public IP and internal vrouter is public IP how does this work? Even setting up Linux as a router when I assigns it a static IP do I just use the public IP or do I need to tell it its public. I hope I make sense.

vorbote 12-03-2012 09:40 PM

By definition, the host(s) that is(are) run in the DMZ have public address(es). I'd suggest you reformulate.

But... If I guess correctly, what you want to do is something like this:

1.) Expose the ssh server of a low security host, that, say, only has the ssh server and nothing more. 2.) From there you do proxied connections to other internal hosts. For this you need to: a.) Make sure there is an entry in the routing tables of your router and hosts to bridge the disparate network segments. b.) Do a proxied connection with something like netcat. As in this ssh_config snippet:

Host xenhost
StrictHostKeyChecking no
Port 22
User root # You will be logged in with your personal credentials, this gives you the privilege for the next line
ProxyCommand ssh externalhost nc %h %p

minty33 12-03-2012 10:04 PM

It's a work study project. I need to give next years Unix students all their own virtual machines they can perform admin tasks on. So they can do work from home they need to access their personal image from home via ssh. The IT dept is separate from work study so I can't ask them to do anything on the gateway. They are providing me with one server and one public address for it and that box goes in their DMZ. So I need to access these 15 guest images through ssh on this server which will be running xen. I figured I need to also make an image to do the routing between itself and the other guest OS's. I know what your saying a machine in the DMZ has a public IP. In a way it will in my schemes just it will be a guest working as a router not the physical machine. I read that the xen Dom0 shouldn't get a public IP for security reasons. Yet I know xen hypervisors are in DMZ's all the time without the hyperviser Dom0 getting a public IP and the guests having public IP's. Maybe I'm not understanding your answer. What exactly is the proxied connection between my virtual router with the public IP and my other private IP guests. I also notice you call it xenhost and direct it to port 22 on the guest. If I have many guests I can't use port 22 on more than one right. How will it know which private IP machine I'm trying to reach. The only way I know is to forward ssh requests using unique ports for each private IP machine via my virtual router with the public address. By public address I mean an inside global address one i can remote to directly so the IT dept's gateway needs no configuring/forwarding to reach it if that clears it up.

vorbote 12-04-2012 07:27 AM

[I apologize for being so picky but, could you stop the stream-of-thought style? You are no Cormac McCarthy).

Randomly answering some of your questions:

1. When a machine is in the DMZ, it has a LAN address that is mapped to an external IP through a point-to-point circuit (See for all the dirty details). Your realhost (I call realhost, the OS running on top of the naked hardware) where the Dom0 resides doesn't need to use that IP.

2. Thus you can assign the DMZ address to the virtual machine that works as router for the other VMs in the realhost.

3. Each virtual machine is a host in its own right with its own IP address. So, I ask: Why do you believe you can only use port 22 to a single host? See the next answer.

4. Was that ssh_config snippet unclear? It uses netcat and some OpenSSH internal variable substitution to redirect the connection to a given host. Whatever port you use depend on how you configure each OpenSSH server.

5. To give secured access you can ask each person for a copy of the public part of an ssh keypair and install in the authorized_keys file in the account you are giving access. You have to place the key in the proxy host and in the target virtual machines. Now, you can create an account for each person or have them share a login account; I'm not so trusting myself. You have to disable password logins in the server, of course.

But this doesn't scale. The alternatives would be to use either Kerberos and OTP passwords (ugly complicated stuff, works great after you set it up, don't do it if you are pressed with time), or use x509 certificates with a central PKI. I have no experience with the latter and it is not too well documented, but I'd go with this solution nonetheless.

6. Read the OpenSSH documentation. The manual pages are very comprehensive!

vorbote 12-04-2012 07:34 AM

BTW, have you read this document on Xen networking yet?

minty33 12-04-2012 08:18 AM

Thanks for the detailed answers. I really appreciate it. I don't know a lot of this I'm a first semester student. I don't even get a networking class till the spring. As far as your point 3. I am under that impression probably because I don't fully understand your proxy set up. Not because your nuclear but because I'm probably not there yet. I have only port forwarded ssh on my linksys router before. If I forward a port 22 request from my public IP then that request is only directed to one box. If I have a second box how would I forward to 22 on said box if I only have one public IP that's routable? It's the same situation at school all my guests except the virtual router have private IP's so I assume since the request for ssh is made remotely then I need to use the public IP with ssh so if I use the 22 port only how will the router know what internal machine I want for each particular ssh request since the private IP isn't in the packet anywhere I'm aware of. Is it clear to you why I think that. Maybe that's why you propose the netcat proxy solution but as I said I don't fully understand it.
Oh yea I did read the xen networking doc on not the citric site. That one reinforced the fact my guests with private IP's are unreachable from internet without forwarding on the gateway. The one you sent looks more detailed so I'll give it a read. Thanx again.

vorbote 12-06-2012 08:02 AM

In the setup I proposed you, you let the inner gateway and router, a VM itself, to do all the routing and user access control to the other VMs in the system. As such, you can either redirect port 22 to the gateway or, better yet, give it the public address and have the host running the virtualization stack acquire a private address in the LAN space with DHCP or a static address if the netadmin considers it convenient.

Netcat is a a very powerful tool; the ssh proxying command deflects a connection done to a hostname that the gateway gives as its own in the DNS to a VM in the inner pool by IP address. And on the matter of authentication, you could explore using LDAP to hold passwords and use password authentication in the inner hosts (A starting point is IBM Redbooks: Understanding LDAP - Design and Implementation, and here is a short conceptual intro).

minty33 12-06-2012 10:11 AM

Thanks alot. That is a lot more clear to me, especially netcat. Thanks for the links to.

minty33 12-08-2012 10:46 AM

Amitesh I would start a separate thread but actually i see that question allot already. I'm pretty sure the answer is that it is normal and for security reasons. Here is a response from one such thread.

"All good firewalls/routers (such as Cisco) will reject external traffic that states it's coming from a non-routable (private) IP address as it looks as if someones attempting to spoof the source of the request...

If you have a dedicated internal DNS server (such as in an AD domain) you can create a new forward lookup zone in DNS (or if you're using your internet FQDN, just create a host record) and create a 'WWW' host record to point to the LAN IP address of your web server.

If this is not possible, simply map the domain name to LAN IP address in your 'hosts' file."

jschiwal 12-09-2012 01:48 AM

Deleted the amitesh post for spam. There was enough context in minty33's post for the reply to still make sense so I didn't delete it as well.

All times are GMT -5. The time now is 12:00 PM.