[nos-bbs] tun0 and more Linux routing commands
Jay Nugent
jjn at nuge.com
Mon Apr 25 14:26:41 EDT 2011
Greetings Skip (et al),
On Mon, 25 Apr 2011, George [ham] VerDuin wrote:
> How about revisiting this topic Jay?
>
>
> On 02/15/2011 11:53 AM, Jay Nugent wrote:
> > Greetings,
> >
> > Suggestion:
> > - Assign the Linux box an IP on your LAN (192.168.1.88)
> > - Assign the Linux end of the TUN interface another IP on your LAN
> > (192.168.1.44)
> >
> > On your gateway router to the Internet:
> > - Port forward SSH to the Linux address (192.168.1.88)
> > In this way you can remotely log onto your Linux machine to
> > read mail, perform maintenance, play around.
> >
> > - Assign the JNOS address (192.168.1.44) as the "DMZ Host".
> > This lets everything *other* than SSH (which has been port
> > forwarded elsewhere) to be automatically directed to the JNOS
> > application (and into its own TCP/IP stack). In this way ALL
> > protocols including "IPIP Encapsulation (Protocol-4)" to go
> > directly to JNOS.
> >
> When we apply the above design the following happens:
>
> 1. When we port forward ssh to the Linux host stack we find joy in ssh.
> 2. When we include DMZ to the jnos stack, jnos becomes happy but we
> lose ssh at the host.
>
> It appears to us that DMZ applies absolutely to all traffic and the port
> forward is lost.
That is the fault of piss-poor code in some cheap-ass off-the-shelf
router. Buy a better quality router. There is no consistent fix for a
badly designed router, sorry...
> We find no way to force the ssh port forward to be processed prior to
> the DMZ.
All "properly" designed routers will pass *ALL* TCP ports and *ALL*
protocols toward the designated "DMZ Host". And it will strip out any TCP
ports you specify and instead send them to the designated host (sending
ssh as a "port forward" to the Linux machine).
> As an alternative tactic, we don't seem to be able to selectively
> forward IPIP protocol-4 to jnos stack.
You are correct. VERY FEW cheap-ass routers even understand Protocol-4
(IPIP). So "ROUTING" (not "forwarding") that protocol toward a specific
host is oftentimes not even an available configuration option. But *most*
will understand "DMZ Host".
I wouldn't trust a $30 car on the expressway any more than I would
expect a $30 router to be capable of doing more advanced Networking. Yaz
gets what's yaz pays for...
> SO -- Is this a common issue and what alternatives permit access to both
> Linux and JNOS?
> Replacing the gateway router is not an option.
Then you are screwed.....sorry, life ain't fair...
--- Jay WB8TKL
() ascii ribbon campaign in
/\ support of plain text e-mail
Train how you will Operate, and you will Operate how you were Trained.
+------------------------------------------------------------------------+
| Jay Nugent jjn at nuge.com (734)484-5105 (734)649-0850/Cell |
| Nugent Telecommunications [www.nuge.com] |
| Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
| Web-Pegasus [www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
+------------------------------------------------------------------------+
2:01pm up 148 days, 22:09, 4 users, load average: 0.03, 0.03, 0.00
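The subject line promises Linux routing commands, so here is an added example of the host-side approach that follows from Jay's description of how a DMZ host behaves: point the router's "DMZ Host" at the Linux box's own LAN address (192.168.1.88 in the thread) so SSH still lands on the host, then let the Linux kernel steer IP protocol 4 (IPIP encapsulation) onward to the JNOS address (192.168.1.44 in the thread). This script is not from the thread or from JNOS; the interface names eth0 and tun0, a /32 route to the JNOS address over tun0, and the use of iptables are assumptions. Because a DMZ host receives every unsolicited packet the router sees, the filter policy defaults to DROP and only admits SSH to the host and IPIP to JNOS.

```shell
#!/bin/sh
# Added example, not code from the nos-bbs thread. Builds an iptables-restore
# ruleset for a Linux box that the gateway router treats as its "DMZ Host":
# SSH stays on the Linux host, IP protocol 4 (IPIP) is redirected to the JNOS
# address reached via tun0, everything else the DMZ exposes is dropped.

HOST_ADDR="192.168.1.88"   # Linux LAN address; the router's DMZ host (assumed)
JNOS_ADDR="192.168.1.44"   # JNOS address, assumed reachable via tun0
LAN_IF="eth0"              # assumed LAN interface name
TUN_IF="tun0"              # assumed JNOS tunnel interface name
SSH_PORT="22"

# Emit the complete ruleset in iptables-restore format on stdout.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# IPIP (protocol 4) arriving at the DMZ address is handed to JNOS
-A PREROUTING -i $LAN_IF -d $HOST_ADDR -p 4 -j DNAT --to-destination $JNOS_ADDR
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH remains a service of the Linux host itself
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Only the redirected IPIP traffic may cross to tun0, and its replies back;
# FORWARD sees the reply's original source, since de-NAT happens later
-A FORWARD -i $LAN_IF -o $TUN_IF -p 4 -d $JNOS_ADDR -j ACCEPT
-A FORWARD -i $TUN_IF -o $LAN_IF -p 4 -s $JNOS_ADDR -j ACCEPT
# Everything else the DMZ host receives is logged (rate-limited) and dropped
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "dmz-drop: "
COMMIT
EOF
}

# Number of rules that match protocol 4; a quick sanity check that the
# redirect and both forwarding directions are present before loading.
count_ipip_rules() {
    build_ruleset | grep -c -- '-p 4 '
}

# Enable forwarding, route the JNOS address over tun0, and load the rules.
# Needs root and iptables; only runs when the script is invoked with "apply".
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    ip route replace "$JNOS_ADDR/32" dev "$TUN_IF"
    build_ruleset | iptables-restore
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  build_ruleset ;;
esac
```

Run it without arguments to review the generated ruleset, and with `apply` (as root) to load it. The DNAT rule is keyed on the host's own LAN address, so IPIP that the router delivers to the DMZ host is the only encapsulated traffic redirected; any other LAN-facing service on the Linux box (mail, web) would need its own INPUT rule, ideally restricted to the LAN subnet.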