Ted Harding wrote:
A couple of distinct questions.
Computers on a LAN are "behind" an ADSL modem/router which faces out to the Net.
Seen from outside, this router has IP address
PPP.QQQ.RRR.SSS
From inside the LAN it can be accessed either from the above address or from an "internal" IP address
192.168.1.1
On the LAN are sundry machines with IP addresses
192.168.1.yyy
or (on a subnet)
192.168.0.zzz
Question: Is there any way by which one can address one of the "internal" machines from outside (i.e. the Net)?
Clearly, for instance,
telnet PPP.QQQ.RRR.SSS
would at best connect to the router (which does respond to telnet, by the way).
What I'm wondering is if there's anything like
telnet @PPP.QQQ.RRR.SSS!192.168.1.yyy
i.e. to "route" the telnet request for connection to the internal machine at 192.168.1.yyy through the externally visible address PPP.QQQ.RRR.SSS
What you want is "Port Forwarding". Tell your server to forward a port to an internal address. For example, if you forward port 1023 to port 23 on 192.168.1.17, then you can do "telnet PPP.QQQ.RRR.SSS 1023" and get connected to the machine at 192.168.1.17 - though I'd advise using SSH (port 22) rather than telnet.
Home routers tend to only support a limited number of forwarded ports - and they may call it something different ("servers", "gaming", and a few other names have been seen). One way round this is to port forward SSH to just one machine, then use the port tunnelling facilities of SSH - this is what I do to access stuff at home.
For example, "ssh -l <yourname> -L 10023:192.168.1.17:23 PPP.QQQ.RRR.SSS" will allow you to use "telnet localhost 10023" to connect to the second machine. I have a script with all the options for multiple port tunnels and X support to save all the typing!
This one's a real Linux question!
Suppose the internal machines, instead of having static IP addresses set up on them, get dynamic IPs handed out by the router.
Then you're screwed!
If you have one Linux box at a fixed address and port forward SSH traffic to that, then you can look at the leases and see where your machine is now and adjust the ssh options to suit. This will be hard if you let the router do the DHCP, but if you use ISC's DHCP server and turn on dynamic DNS updates to an internal zone then you just have to do a host lookup ...
% ssh -l <yourname> PPP.QQQ.RRR.SSS
Password:
simon@saffy:~> host backupserver
backupserver.<homedomain> has address 192.168.0.143
simon@saffy:~> logout
Connection to saffy.thehobsons.co.uk closed.
% ssh -l <yourname> -L 15900:192.168.0.143:5900 PPP.QQQ.RRR.SSS
Password:
simon@saffy:~>
The above shows an ssh login, a check of the address of a machine, then a reconnect with a port forwarded to allow a VNC connection.
Another advantage of this is that the other services are not exposed to the internet, so you only have the one ssh server, which, if you set it up right, should be fairly secure.
Of course, there is always the option of setting up a VPN tunnel, but that's not something I've bothered with yet.
Simon
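Below is an added example, not code from the thread or from Simon's own script, that wraps the two steps described above into one shell script: ask the gateway where an internal host is today (the "host backupserver" lookup over ssh) and then reconnect with "-L" tunnels pointed at that address (the port-forwarding and VNC tunnel examples). The gateway address PPP.QQQ.RRR.SSS is the thread's placeholder; the user name "yourname", the internal domain "home.example", the tunnel helpers and the sample host(1) output are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): resolve an internal host on the
# gateway, then open ssh -L tunnels to it. Edit the two settings below.
GATEWAY='PPP.QQQ.RRR.SSS'   # public address of the box that accepts ssh (placeholder from the thread)
GW_USER='yourname'          # assumed login name on the gateway

# Constructed sample of what "host backupserver" printed on the gateway
# (domain "home.example" is an assumption standing in for <homedomain>).
SAMPLE_HOST_OUTPUT='backupserver.home.example has address 192.168.0.143'

# Pull the first IPv4 address out of host(1) output. Prints nothing when the
# name did not resolve (host prints e.g. "Host backupserver not found: 3(NXDOMAIN)").
addr_from_host_output() {
    printf '%s\n' "$1" | sed -n 's/^.* has address \([0-9][0-9.]*\)$/\1/p' | head -n 1
}

# Validate a tunnel spec "LOCALPORT:REMOTEPORT" (e.g. 15900:5900); returns 1 if bad.
valid_spec() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    lp=${1%%:*}; rp=${1#*:}
    case "$lp" in ''|*[!0-9]*) return 1 ;; esac
    case "$rp" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lp" -ge 1 ] && [ "$lp" -le 65535 ] && [ "$rp" -ge 1 ] && [ "$rp" -le 65535 ]
}

# Build the ssh command line for an internal address and one or more tunnel specs.
# Each -L is bound to 127.0.0.1 explicitly so the tunnel end is reachable only from
# the machine running it, not from whatever network that machine sits on.
# -N opens no remote shell; ExitOnForwardFailure makes a refused forward fatal
# instead of silently leaving you with an ssh session and no tunnel.
build_ssh_cmd() {
    addr=$1; shift
    cmd="ssh -N -o ExitOnForwardFailure=yes -l $GW_USER"
    for spec in "$@"; do
        valid_spec "$spec" || { echo "bad tunnel spec: $spec" >&2; return 1; }
        cmd="$cmd -L 127.0.0.1:${spec%%:*}:$addr:${spec#*:}"
    done
    printf '%s\n' "$cmd $GATEWAY"
}

# The whole procedure. Usage: tunnel_to backupserver 15900:5900 10023:23
# then e.g. "vncviewer 127.0.0.1:15900" or "telnet 127.0.0.1 10023" in another window.
tunnel_to() {
    name=$1; shift
    out=$(ssh -l "$GW_USER" "$GATEWAY" host "$name") || return 1
    addr=$(addr_from_host_output "$out")
    [ -n "$addr" ] || { echo "$name did not resolve on $GATEWAY" >&2; return 1; }
    cmd=$(build_ssh_cmd "$addr" "$@") || return 1
    echo "running: $cmd" >&2
    $cmd   # blocks while the tunnels are up
}
```

Binding the local end to 127.0.0.1 is the default for -L anyway, but spelling it out guards against a GatewayPorts setting in ssh_config quietly exposing the forwarded port; the lookup step is what makes the dynamic-DNS approach usable, since the only address that ever has to be fixed is the gateway's.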