[TriLUG] No Good Deed Goes Unpunished

Greg Brown gwbrown1 at gmail.com
Tue Nov 15 09:29:04 EST 2005


> Let's say you want to run a web server.  Don't you have to somehow
> convince the ISP that you are THE customer who should get port 80
> requests?  Or am I missing something.
>
> --

The ISP is going to provide you with a valid, routeable IP address
that can be reached from anywhere on the Internet.  Around these parts
this is common; up North you get a 10.x.x.x address unless you go
"business class", and that is still DHCP.

Anyway, let's assume you have a valid IP address and the service
provider has provided a cable modem or DSL router for your use. 
Depending on the provider the device will be a layer 2 device that
will assign whatever is plugged into the router/modem the valid,
routeable address or the device may be a layer 3 device that will take
the address for itself and assign DHCP address, most likely on the
192.168.x.x range, for whatever is plugged into the back of the
device.  If you have a layer 3 device you will have to change the
configuration to a layer 2.  Once that is done whatever you plug into
the router/modem will receive the valid address.  (this can be taken a
step further by registering the device with dyndns, or any dynamic dns
service - this allows you to assign a name to the valid, routeable
address that will update automatically when a new DHCP address is
received from the service provider.  Very handy)

So now plug the firewall into the modem/router and it gets the valid,
routeable address.  At this point anyone on the Internet can hit the
firewall via any protocol.  In most cases the firewall will not have
any Internet facing services just to keep things safe and secure. 
From here you can start to do your inbound NAT stuff.  For my m0n0wall
I'll say the following:

Any internet traffic coming from port 8022 on the Internet I want to
pass that to 192.168.17.22 port 80 on my wired lan side.

(this happens to be an Axis 206W webcam I have running at the beach). 
So now any request to http://cphatteras.dyndns.org:8022 goes from the
Internet to my webcam on port 80 behind the firewall.  Give it a try.

Now if I put another webcam, this time an Axis 205, I can do the same thing:

Internet traffic over port 8021 I forward to 192.168.17.21 port 80
http://cphatteras.dyndns.org:8021

Does that make sense?

Greg
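The two forwards Greg describes, written out as a small inbound NAT table that can be linted before it goes on the firewall and then exercised against sample inbound packets. This is an added example, not code from the post and not m0n0wall's own configuration; the firewall's LAN address (192.168.17.1) and the routeable WAN address (203.0.113.10, an RFC 5737 documentation address) are assumed, and `check_forwards` and `translate` are hypothetical helper names. The lint encodes the point made above: only LAN hosts get exposed, never the firewall itself, and no two rules may claim the same external port.

```python
import ipaddress

# Constructed from the post: (external port, LAN host, LAN port).
# Greg's two webcams sit behind the firewall on 192.168.17.x.
FORWARDS = [
    (8022, "192.168.17.22", 80),  # Axis 206W
    (8021, "192.168.17.21", 80),  # Axis 205
]

# Assumed values, not taken from the post: the firewall's LAN side and the
# routeable WAN address the ISP hands out (RFC 5737 documentation address).
LAN_NET = ipaddress.ip_network("192.168.17.0/24")
FIREWALL_LAN = ipaddress.ip_address("192.168.17.1")
FIREWALL_WAN = ipaddress.ip_address("203.0.113.10")


def check_forwards(forwards, lan_net=LAN_NET, firewall_lan=FIREWALL_LAN):
    """Lint an inbound NAT table before loading it on the firewall.

    Returns a list of human-readable problems; an empty list means every
    rule targets a host on the LAN (never the firewall itself), every port
    is in range, and no two rules claim the same external port.
    """
    problems = []
    seen_external = set()
    for ext_port, host, int_port in forwards:
        rule = f"{ext_port} -> {host}:{int_port}"
        if not (1 <= ext_port <= 65535 and 1 <= int_port <= 65535):
            problems.append(f"{rule}: port out of range")
        if ext_port in seen_external:
            problems.append(f"{rule}: external port {ext_port} already forwarded")
        seen_external.add(ext_port)
        try:
            target = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{rule}: {host!r} is not an IP address")
            continue
        if target == firewall_lan:
            # This would publish a service running on the firewall box itself,
            # the opposite of keeping it free of Internet-facing services.
            problems.append(f"{rule}: target is the firewall's own address")
        elif target not in lan_net:
            problems.append(f"{rule}: {host} is not on the LAN {lan_net}")
    return problems


def translate(forwards, dst_ip, dst_port, firewall_wan=FIREWALL_WAN):
    """Apply the inbound NAT table to a packet arriving on the WAN side.

    Returns (lan_host, lan_port) when a forward matches, or None when the
    packet is dropped: the firewall's routeable address answers nothing
    except the explicitly forwarded ports.
    """
    if ipaddress.ip_address(dst_ip) != firewall_wan:
        return None
    for ext_port, host, int_port in forwards:
        if ext_port == dst_port:
            return (host, int_port)
    return None


if __name__ == "__main__":
    for problem in check_forwards(FORWARDS):
        print("problem:", problem)
    for port in (8022, 8021, 22):
        print(port, "->", translate(FORWARDS, "203.0.113.10", port))
```

Run it as-is and the clean table produces no problems; 8022 and 8021 translate to the two webcams on port 80 and anything else (port 22, say) is dropped. Adding a rule that points at 192.168.17.1, or that reuses 8022, is flagged before it ever reaches the firewall.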