On Sun, 13 Oct 2002 16:07:22 +0200 (CEST), Jean Francois Ortolo wrote:

> I understand well now, the path between eth0 and eth1 is being made
> by the forwarding instruction in my script.

No, the path is created when the "default route" is created by pppd. eth0 (your DSL NIC) is only used internally by pppd. The path is from your router via ppp0 to the remote access server at your provider's.

> Otherwise, pppd knows only about eth0, which is the interface connected
> to the ADSL modem. pppd knows nothing about eth1, so pppd is unable to
> make eth0 and eth1 communicate between each other.

pppd doesn't need to. It creates a default route to ppp0 when the DSL/PPPoE connection has been established.

> I've badly expressed myself. I meant 'connection request from the
> Internet to port 113 through my router'. This kind of authentication
> is required by some protocols/services, so the person inside my LAN
> who invokes this protocol/service could authenticate himself.
>
> This authentication would be requested after the protocol has been
> initiated by a request for connection coming from an internal LAN
> computer to the Internet.
>
> The problem is: the request from the Internet to port 113 through my
> router will be addressed to the external IP of my router, so there are
> two alternatives:
>
> 1) This new request for authentication towards port 113 is part of
> the initial protocol connection. This way, the masquerading translates
> the destination IP of the incoming packet (external IP of my router)
> to the proper internal IP of the internal computer which initiated
> the connection; then this computer duly receives this request for
> authentication and is able to respond to it.
>
> 2) This new request for authentication towards port 113 is part of an
> entirely new connection request, so what makes the packet be
> redirected to the proper IP of the internal computer which initiated
> the connection?
>
> In my case, the service/protocol, after having been requested from an
> internal computer in the LAN to the Internet via my router, would
> involve an incoming request for authentication, which should be
> directed to the internal computer, the problem being to precisely
> know whether or not this incoming request for authentication is part
> of an entirely new connection, or is part of the actual connection.

Forget about it when you have a LAN with private IP addresses and a router with IP Masquerading. You could only redirect port 113 to a single host in your LAN. I doubt you really need auth/113 and identd for the outside. It is common to reject external incoming connections to that port with -j REJECT --reject-with tcp-reset (that avoids time-outs upon connecting to mail servers).
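The ruleset the reply recommends, written out as an added example (not code from this thread). It assumes ppp0 is the PPPoE link that pppd brings up with the default route, eth1 is the LAN side, and the LAN uses the constructed private prefix 192.168.1.0/24; the rules are printed for review and applied only when piped through sh as root.

```shell
#!/bin/sh
# Added example for a masquerading DSL router (assumed interface names and
# LAN prefix; adjust to your setup).
EXT_IF=ppp0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# Emit the rules rather than executing them, so the policy can be reviewed
# and tested without root. Apply with: sh this_script.sh | sh
emit_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# LAN hosts go out via ppp0; their replies come back through conntrack.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -j DROP
# Traffic to the router itself: replies to its own connections are fine.
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# An ident/113 lookup from outside is a NEW connection to the router's own
# address, not part of the LAN host's session, so NAT cannot map it back.
# Answer with a TCP reset: a remote mail server doing an ident lookup gets
# an immediate refusal instead of waiting out a connect timeout.
iptables -A INPUT -i $EXT_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Everything else unsolicited from the Internet is dropped.
iptables -A INPUT -i $EXT_IF -j DROP
EOF
}

# Check helper: number of rules that reject ident with a TCP reset.
ident_reset_rules() {
    emit_rules | grep -c -- '--dport 113 -j REJECT --reject-with tcp-reset'
}

emit_rules
```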