On 26 Oct 2001, Adam Warner wrote:

> On Fri, 2001-10-26 at 03:07, George Karaolides wrote:
>
> > Now to determine some more facts about the network geometry. I assume
> > that machine R at your institution has one interface connected to the
> > Internet, with a public IP address, and one on the institution's LAN with
> > a private IP address.
>
> Just one public IP address. But after Code Red they unilaterally
> firewalled all incoming connections, even to the Dept's web servers!
> (something I had to alert people about). I'm not serving public content
> on this machine.

OK, so machine R has one public IP address, routed through your
institution's gateway/firewall.

> It's well firewalled locally (iptables). I'm pretty sure no one will be
> able to connect from anywhere else (I'm employing IP address checking,
> port blocking and of course password protection). Ping is global but
> that's because I believe people should be able to check if a machine
> connected to a public IP address is functioning.

Your security sounds OK, but do look at some kernel settings in /proc.
For example, enabling syncookies is a good idea, and disabling replies
to broadcast pings:

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

> > Also, that the services you want to access are also on the institution's
> > LAN.
>
> I think access to services is determined by network card mac address.

I think the following would work:

1. Set up an IP tunnel between machines H and R. Now I haven't done this
   before but I know it can be done. Look for "IP: tunneling"
   (CONFIG_NET_IPIP) in the kernel configuration options, under
   "Networking options". Quoting from the help on this:

   "This particular tunneling driver implements encapsulation of IP within
   IP, which sounds kind of pointless, but can be useful if you want to
   make your (or some other) machine appear on a different network than it
   physically is... check out
   http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html"

   which kind of sounds like what you need. As I said, I haven't tried
   this before, but I am virtually sure that you use this to set up a
   network interface representing the "entrance" of the tunnel.

2. Set up the routing table on machine H to route all traffic destined for
   your institution's network IP address space (get that from your
   friendly admin, if you haven't got it already) to use the tunnel
   interface.

3. On machine R, enable IP masquerading, with the tunnel interface as the
   "internal" interface and the machine's actual publicly available
   interface as the "world" interface.

This should be the basis for your solution. The routing on machine H will
make it access the machines at your institution through the tunnel and
machine R, not the Internet. Masquerading on R will make those machines
think they are being accessed by R instead of H, which is what you want.
They will reply to R, and the demasquerading will then forward everything
back to H. Linux networking magic at its best.

I am also virtually sure you can build this to work for all machines in
your private LAN at home, with machine H as gateway.

Though I have no hands-on experience of this, I will, of course, try and
help out with any questions of yours which might arise if you do try it,
to the best of my ability. Do let me know how you get on!

Best regards,

George Karaolides       8, Costakis Pantelides St.,   tel:   +35 79 68 08 86
                        Strovolos,                    email: [EMAIL PROTECTED]
                        Nicosia CY 2057,              web:   www.karaolides.com
                        Republic of Cyprus
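The three-step recipe above (ipip tunnel, route on H, masquerade on R) and the two /proc settings, written out as shell functions; this is an added example, not a script from the thread or from either poster, and every address, prefix and interface name in it is a constructed placeholder (RFC 5737 documentation ranges) that you would replace with your own. It uses iproute2 and iptables, which is what a 2.4-era Linux box would have; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: the ipip tunnel between home gateway H
# and institution host R, with routing on H and masquerading on R.
# All addresses and interface names are constructed placeholders.
# DRY_RUN=1 (default) prints the commands; unset it and run as root to apply.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kernel settings mentioned in the reply (same /proc knobs, set via sysctl).
harden_kernel() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
}

# Step 1, run on both H and R: IP-in-IP tunnel interface tun0.
#   $1 = this host's public IP, $2 = peer's public IP,
#   $3 = this end's address inside the tunnel (with prefix length)
tunnel_up() {
    run ip tunnel add tun0 mode ipip local "$1" remote "$2"
    run ip addr add "$3" dev tun0
    run ip link set tun0 up
}

# Step 2, on H: send traffic for the institution's prefix ($1) into the tunnel.
route_via_tunnel() {
    run ip route add "$1" dev tun0
}

# Step 3, on R: forward tunnel traffic and masquerade it behind R's public
# interface ($1), but only for the source prefix H uses ($2), and only let
# replies to those connections come back through the tunnel.
masquerade_tunnel() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$2" -o "$1" -j MASQUERADE
    run iptables -A FORWARD -i tun0 -o "$1" -s "$2" -j ACCEPT
    run iptables -A FORWARD -i "$1" -o tun0 -d "$2" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Example run (constructed addresses; 192.0.2.0/24 stands for the institution):
#   on H:  tunnel_up 203.0.113.10 198.51.100.5 10.9.0.2/30
#          route_via_tunnel 192.0.2.0/24
#   on R:  harden_kernel
#          tunnel_up 198.51.100.5 203.0.113.10 10.9.0.1/30
#          masquerade_tunnel eth0 10.9.0.0/30
```

Plain ipip encapsulation carries no authentication or encryption, so the tunnel endpoints should be pinned to each other's public addresses in the firewall and, where the traffic matters, wrapped in IPsec or replaced by a VPN.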