Re: Addressing a machine behind the router without port forwarding or DMZ
Hi Dotan,
On Sun, Apr 03, 2011 at 03:25:29PM +0300, Dotan Cohen wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
>
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
>
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
>
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
Not really. No matter what the individual does: he can only contact the
router on 123.45.67.89. If the router then throws away the traffic,
you're finished.
However, there are some tricks -- depending on exactly how the router is
configured: Assuming the router allows computer1 to communicate
with the internet (e.g.: computer1 can send data to the internet, and the
router forwards the answer back to computer1), then it is possible: You
have to "cheat" the router such that the router believes "computer1
wants to connect to the outsider" instead of "outsider wants to connect
to computer1".
A first example of this concept is protocols like active ftp: There,
the CLIENT opens a first connection (the control connection), but the
SERVER opens the data connection: In order to forward active ftp via a
router, the router has to listen to & understand the first connection, such
that it knows to which client the data connection has to be forwarded.
(e.g. the linux iptables firewall has a special module to support active
ftp forwarding)
A full implementation of such "cheating" is done by Skype. In your
example:
- computer1 asks an external server, whether someone wants to connect
to it.
- the individual informs the external server. the external server can
send this information to computer1, as the connection
"computer1<->external server" was opened by computer1 ==> router
allows it.
- computer1 sends a packet to the individual. This packet does not
contain any useful data -- but is detected by the router as "computer1
speaks with individual". In addition, the networking details of the
packet (ip-address, port, ...) are sent to the external server, which
forwards them to the individual.
- now, the individual can ANSWER to this packet -- and from the point
of view of the router this is a connection opened by computer1 (and
NOT a connection opened by the individual) ==> probably allowed.
So in fact, when you do something along these lines, the router will not see
"individual from outside wants to connect to computer1" -- but:
"computer1 wants to connect to outside". Of course, the remaining
question is: does the router allow this connection?
And you need an external server to initiate the connection: somehow, the
individual has to learn the networking details of the initial packet...
The "external server" could be e.g. a mail server, which computer1
regularly checks for new mails...
Axel
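To make Axel's point concrete (why the direct attempt is dropped, why the answer to computer1's own packet passes, and why "does the router allow it" depends on the router's filtering policy), here is an added toy model of a stateful NAT router's decision logic. It is not code from the thread; the outsider address 198.51.100.7, the ports and the "restricted" policy flag are constructed for illustration.

```python
# Added example: a minimal model of a stateful NAT/firewall. Outbound packets
# create state; inbound packets are only forwarded if they match that state.
from dataclasses import dataclass, field

ROUTER_WAN = "123.45.67.89"   # router's outside address from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulNAT:
    # restricted=True: only the remote peer computer1 spoke to may answer
    # (address/port-restricted). False: anyone who knows the hole may use it.
    restricted: bool = True
    mappings: dict = field(default_factory=dict)  # (lan_ip, port) -> (wan_port, peer)
    next_port: int = 40000

    def outbound(self, pkt):
        """Translate a LAN packet to the WAN side and remember the flow."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mappings:
            self.mappings[key] = (self.next_port, (pkt.dst_ip, pkt.dst_port))
            self.next_port += 1
        wan_port, _ = self.mappings[key]
        return Packet(ROUTER_WAN, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet, or None when the router throws it away."""
        for (lan_ip, lan_port), (wan_port, peer) in self.mappings.items():
            if pkt.dst_ip != ROUTER_WAN or wan_port != pkt.dst_port:
                continue
            if self.restricted and peer != (pkt.src_ip, pkt.src_port):
                return None      # hole exists, but this sender did not "open" it
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None              # no state at all: dropped, exactly as Axel says


def run_scenario(restricted=True):
    nat = StatefulNAT(restricted=restricted)
    outsider = ("198.51.100.7", 5000)                     # constructed address
    direct = nat.inbound(Packet(*outsider, ROUTER_WAN, 22))   # step 0: no state
    hole = nat.outbound(Packet("10.0.0.2", 4444, *outsider))  # step 3: content-free packet
    answer = nat.inbound(Packet(*outsider, ROUTER_WAN, hole.src_port))  # step 4
    other = nat.inbound(Packet("203.0.113.9", 5000, ROUTER_WAN, hole.src_port))
    return {"direct": direct, "answer": answer, "other": other}
```

The `other` entry shows the open question at the end of the mail: a restricted router forwards only the peer computer1 addressed, while an unrestricted one would forward anybody who learned the hole, which is the behaviour a defender checks for in the router's configuration.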