• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 251
  • Last Modified:

acces to a station behind firewall (linux)

Hi,

I've RedHat5.2 and 2 Nic 3com905B TX.
This computer is used as a firewall with IP Masquerading (my internal network is 192.9.200.0) and my external is 195.28.192.0)
when a computer (from inside) go to the Internet, his IP add is changed to 195.28.192.254.
(This is the IP add of the external firewall's NIC)

This works fine, but now,I have to access (from outside) to a computer located behind the firewall.

How can do that plz?
0
jacoby
Asked:
jacoby
  • 2
  • 2
1 Solution
 
bcwhiteCommented:
You cannot make a connection from the outside in.

What you can do, however, is use something like "redir" to forward a port on the firewall to a port on a machine inside the firewall.  For example, the following would allow you to telnet to "insidemachine" with the command "telnet firewall 2323"

  redir insidemachine 2323 23 &

WARNING:  This is a _HUGE_ security hole and largely defeats the purpose of having a firewall.

A better solution is to allow SSH connections to the firewall and set up limited user accounts on it.  Users can ssh from their machine to the firewall and use it to forward ports on their local machine on to the internal network using the "-L" and "-R" options of ssh (see man page for full details).

Other options would include a high-security dial-up modem, a specialized route from the internet to the internal machine (which would then need to be somewhat isolated from the internal network), or some form of virtual-private-networking (which is beyond the scope of this answer).

Be _very_ sure you understand all the security aspects involved before you try to implement this.  You're specifically asking how to put holes in a firewall, and this is generally a bad idea.

-- Brian
0
 
jacobyAuthor Commented:
The purpose is to access to a database. So i just want to be able to telnet to one station
Is it unsecure only for the station you called 'insidemachine' or for my whole 'intranet'?.

I didn't find redir command on my system.
But if it's so unsecure, i'll not use it.
Thanks,
Let me know,

Fred.
0
 
bcwhiteCommented:
Both.  It's much easier to protect a single point (the firewall) than multiple machines.  If you let outside access to a second machine, you need to monitor it as well.  Plus, should that second machine be compromised, it is likely to have better access to your internal network than the firewall would thus posing a bigger threat to the rest of your network.

It isn't "redir" that is insecure.  What's insecure is allowing a way to bypass your firewall.

-- Brian
0
 
jacobyAuthor Commented:
Thanks Brian, I'll try to find another way to do what I need.

Fred.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now