|
midrange.com
On Tue, 16 Jul 2002, Vernon Hamberg wrote:
>
> Hmm, I'm getting a question---what if you want to allow access to 2
> servers, both with the same protocol(s)? If you have NAT, you don't give
> them your internal address, do you? I mean, those are often blocked out in
> the big bad Internet, I believe.
A private ("internal") address cannot be routed from the Internet. It's
not because they're "blocked out." (Not in the sense that a firewall
blocks an IP, anyway) rather they're reserved for use in private networks,
and therefore none of the routing tables on the internet backbone have
routes assigned for them.
Many companies are using those same exact internal IPs on their intranets,
so they're not unique and cannot be resolved to a single machine.
>
> And you don't have the luxury of setting up gateways (routes) based on
> destination and subnet, as we do on the 400.
>
If you can't set up routines based on destination and subnet, you're not
using TCP/IP. IP addresses, subnet masks, destinations and gateways are
the core of the protocol.
> This is similar to something I'm trying to do at work. (Yes, we have to do
> it more securely - someday!) But I have an iSeries with a public address
> (mask of 255.255.255.248 from our ISP) that is our development box. This
> subnet is connected to our intranet with a LinkSys router. All developers
> are behind the NAT function of this router. I've set up forwarding for port
> 4200 (STRCODE's default) to my PC. Will I muck things up by having
> additional entries on the same port but to different machines?
If you have a netmask of 255.255.255.248, that means that you've got
6 public IP addresses. Since one of them is probably assigned to your
router, you still have 5 public addresses that you can use.
Therefore, you can have the same port mapped to 5 different machines
without causing problems. (one for each address) Assuming, of course,
that your router supports it.
My company does exactly this. We've got 5 public addresses, and NAT is
set up to route each address to a different internal server. We can have
as many machines as we like doing outgoing connections as we like, but
we can only run the same service (server-side) on 5 different machines...
> I have a
> route on the 400 for 192.168.0.0 mask 255.255.255.0 with next hop being the
> side of the router that is on the same subnet as the 400. BTW, the default
> route for the 400 goes through the DSL modem.
Isn't 192.168.0.0 your LAN? Unless you've got that divided into multiple
subnets, you shouldn't need a route. Your local LAN will be routed
automatically, it will only forward to your router if the dest IP is not
within the netmask of your ethernet adapter.
>
> I suspect we really need a more robust, flexible firewall/proxy/NAT to
> do what we want (I show some of my ignorance there <g>).
>
Each TCP/IP packet contains a dest addr, dest port and a source addr and a
source port. You can't really control the source addr & port, since that's
the machine it's coming from, and needs to be the same in order for system
to send packets back. So, really all it has to go on is the dest
address & port. Doesn't matter how "robust" the router is, it needs to be
able to forward the packet based on that information alone.
You see what I'm saying? The destination address & port combination has
to be mapped to a single place...
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
