Providing a Public Service from a Private Network
From Zanecorpwiki
The scenario: you have a host attached to your private network, as is common behind a NAT-ing firewall. You want that host to provide some service to the outside world like HTTP(S) (maybe for SVN?) or FTP, whatever. Assuming that your firewall has or gets traffic directed at a public IP and that it uses iptables, you do:

# open the port in the firewall for incoming packets
iptables -I INPUT -d <public ip> -p tcp --dport <incoming port> -j ACCEPT
# set up destination NAT between the public and the private address
iptables -t nat -A PREROUTING -d <public ip> -p tcp --dport <port> -j DNAT --to <private ip>:<port>
# allow the translated packets to be forwarded on to the private host
iptables -I FORWARD -d <private ip> -p tcp --dport <port> -j ACCEPT
Variations and notes:
- the 'public IP' is actually just the outside facing IP, it may of course be a private IP, as would be the case in certain DSL configurations wherein the modem is reflecting a public IP to a private IP
- to translate all packets, effectively putting the internal host on a public IP, leave out the port specs. I.e., leave off '--dport' and the port after the ':' in the '--to' parameter
- the incoming port (--dport) and the outgoing port (after ':' in '--to') need not be the same port
- if the IPs match, you can re-route on the same machine; this is useful for shifting ports which allows one to run services under non-root accounts (binding them to high ports), but still provide the service on the default (low) port
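The same three rules wrapped in a small POSIX shell script, added here as an example and not taken from the wiki page: by default it only prints the rules for review, it handles the leave-out-the-ports variation from the notes above, and it warns if IP forwarding is off on the firewall (a prerequisite the page does not mention). The 203.0.113.10 / 192.168.1.20 addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the wiki page: generate (and optionally apply)
# the three iptables rules described above for a given public IP, private IP
# and port pair. Default mode only prints the rules; APPLY=1 executes them
# (requires root and iptables). All addresses used are placeholders.

# dnat_rules PUBLIC_IP PRIVATE_IP [INCOMING_PORT [TARGET_PORT]]
#   Prints one shell command per line. TARGET_PORT defaults to INCOMING_PORT
#   (the two need not match). With no ports at all, the whole address is
#   translated, i.e. the "put the internal host on a public IP" variation.
dnat_rules() {
    pub=$1; priv=$2; inport=$3; toport=${4:-$3}
    if [ -n "$inport" ]; then
        match="-p tcp --dport $inport"     # match on the public side
        fwd="-p tcp --dport $toport"       # match after DNAT rewrote the port
        target="$priv:$toport"
    else
        match=""; fwd=""; target="$priv"   # no --dport, no :port
    fi
    # 1. open the port in the firewall for incoming packets
    echo "iptables -I INPUT -d $pub${match:+ $match} -j ACCEPT"
    # 2. rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -d $pub${match:+ $match} -j DNAT --to $target"
    # 3. allow the rewritten packets to be forwarded to the private host
    echo "iptables -I FORWARD -d $priv${fwd:+ $fwd} -j ACCEPT"
}

# apply_rules: same arguments as dnat_rules; executes each generated rule.
# Forwarding between interfaces also needs net.ipv4.ip_forward=1, which the
# page does not mention, so warn when it is off.
apply_rules() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "warning: net.ipv4.ip_forward is not 1; DNAT'd packets will not be forwarded" >&2
    fi
    dnat_rules "$@" | while IFS= read -r rule; do
        echo "+ $rule" >&2
        eval "$rule"
    done
}

# Usage:          sh forward.sh <public ip> <private ip> [incoming port] [target port]
# e.g. (dry run): sh forward.sh 203.0.113.10 192.168.1.20 80 8080
# e.g. (apply):   APPLY=1 sh forward.sh 203.0.113.10 192.168.1.20 80 8080
if [ $# -ge 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_rules "$@"; else dnat_rules "$@"; fi
fi
```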


