acces to a station behind firewall (linux)


I've RedHat5.2 and 2 Nic 3com905B TX.
This computer is used as a firewall with IP Masquerading (my internal network is and my external is
when a computer (from inside) go to the Internet, his IP add is changed to
(This is the IP add of the external firewall's NIC)

This works fine, but now,I have to access (from outside) to a computer located behind the firewall.

How can do that plz?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You cannot make a connection from the outside in.

What you can do, however, is use something like "redir" to forward a port on the firewall to a port on a machine inside the firewall.  For example, the following would allow you to telnet to "insidemachine" with the command "telnet firewall 2323"

  redir insidemachine 2323 23 &

WARNING:  This is a _HUGE_ security hole and largely defeats the purpose of having a firewall.

A better solution is to allow SSH connections to the firewall and set up limited user accounts on it.  Users can ssh from their machine to the firewall and use it to forward ports on their local machine on to the internal network using the "-L" and "-R" options of ssh (see man page for full details).

Other options would include a high-security dial-up modem, a specialized route from the internet to the internal machine (which would then need to be somewhat isolated from the internal network), or some form of virtual-private-networking (which is beyond the scope of this answer).

Be _very_ sure you understand all the security aspects involved before you try to implement this.  You're specifically asking how to put holes in a firewall, and this is generally a bad idea.

-- Brian

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jacobyAuthor Commented:
The purpose is to access to a database. So i just want to be able to telnet to one station
Is it unsecure only for the station you called 'insidemachine' or for my whole 'intranet'?.

I didn't find redir command on my system.
But if it's so unsecure, i'll not use it.
Let me know,

Both.  It's much easier to protect a single point (the firewall) than multiple machines.  If you let outside access to a second machine, you need to monitor it as well.  Plus, should that second machine be compromised, it is likely to have better access to your internal network than the firewall would thus posing a bigger threat to the rest of your network.

It isn't "redir" that is insecure.  What's insecure is allowing a way to bypass your firewall.

-- Brian
jacobyAuthor Commented:
Thanks Brian, I'll try to find another way to do what I need.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.