04-03-2011, 12:43 PM
Axel Freyn
Addressing a machine behind the router without port forwarding or DMZ

Hi Dotan,
On Sun, Apr 03, 2011 at 03:25:29PM +0300, Dotan Cohen wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
> Assuming a LAN with a router and three machines:
> Router
> Computer1
> Computer2
> Computer3
> The router sits on an outside IP address of There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
Not really. No matter what the individual does: it can only contact the
router on If the router then throws away the traffic,
you're finished.

However, there are some tricks -- depending on how exactly the router
is configured: Assuming the router allows computer1 to communicate
with the internet (e.g.: computer1 can send data to the internet, and the
router forwards the answer back to computer1), then it is possible: You
have to "cheat" the router such that the router believes "computer1
wants to connect to the outsider" instead of "outsider wants to connect
to computer1".

A first example for this concept are protocols like active ftp: There,
the CLIENT opens a first connection (the control connection), but the
SERVER opens the data-connection: In order to forward active ftp via a
router, the router has to listen to & understand the first connection, such
that it knows to which client the data-connection has to be forwarded.
(e.g. the linux iptables-firewall has a special module to support active

A full implementation of such a "cheating" is done by Skype. in your
- computer1 asks an external server, whether someone wants to connect
to it.
- the individual informs the external server. the external server can
send this information to computer1, as the connection
"computer1<->external server" was opened by computer1 ==> router
allows it.
- computer1 sends a packet to the individual. This packet does not
contain any useful data -- but is detected by the router as "computer1
speaks with individual". In addition, the networking details of the
packet (IP address, port,...) are sent to the external server, which
forwards them to the individual.
- now, the individual can ANSWER to this packet -- and from the point
of view of the router this is a connection opened by computer1 (and
NOT a connection opened by the individual) ==> probably allowed.

So in fact, when you do something along these lines, the router will not see
"individual from outside wants to connect to computer1" -- but:
"computer1 wants to connect to outside". Of course, the remaining
question is: does the router allow this connection?
And you need an external server to initiate the connection: somehow, the
individual has to learn the networking details of the initial packet...
The "external server" could be e.g. a mail server, which computer1
regularly checks for new mails...


Archive: http://lists.debian.org/20110403124346.GA4625@axel
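
Added example, not part of the original post: a toy model of the router's connection-state table, showing why the outsider's packet is dropped when unsolicited, accepted once computer1 has sent a packet first, and dropped again if the router filters outbound traffic. The class and function names, all addresses and ports, and the per-destination mapping behaviour are assumptions; real routers differ in how they map and filter.

```python
from dataclasses import dataclass, field

ROUTER_WAN = "203.0.113.1"  # constructed address (documentation range)

@dataclass
class NatRouter:
    allow_egress: bool = True   # may LAN hosts open outbound flows at all?
    next_port: int = 40000
    # state table: (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan, remote):
        """LAN host sends a packet; return the WAN endpoint seen outside."""
        if not self.allow_egress:
            return None                       # filtered: no state created
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(wan_port, *remote)] = lan
        return (ROUTER_WAN, wan_port)

    def inbound(self, remote, wan_port):
        """Packet hits the WAN side; return LAN target or None (dropped)."""
        return self.table.get((wan_port, *remote))

def walk_through(router):
    c1 = ("192.168.1.10", 5000)          # computer1 (constructed)
    server = ("198.51.100.5", 3478)      # external server (constructed)
    outsider = ("198.51.100.77", 6000)   # the individual (constructed)
    seen = {}
    # Outsider contacts the router with no prior state: thrown away.
    seen["unsolicited"] = router.inbound(outsider, 40000)
    # computer1 polls the external server (opened from inside).
    router.outbound(c1, server)
    # computer1 sends an empty packet to the outsider; the resulting
    # mapping is assumed to reach the outsider via the external server.
    mapping = router.outbound(c1, outsider)
    if mapping is None:
        seen["reply"] = seen["third_party"] = None
        return seen
    # The outsider "answers": matches state created by computer1.
    seen["reply"] = router.inbound(outsider, mapping[1])
    # Any other remote endpoint using the same port has no state.
    seen["third_party"] = router.inbound(("198.51.100.99", 6000), mapping[1])
    return seen

if __name__ == "__main__":
    print("default router:  ", walk_through(NatRouter()))
    print("egress filtered: ", walk_through(NatRouter(allow_egress=False)))
```

The second run corresponds to the "does the router allow this connection?" question in the post: with outbound traffic from computer1 blocked, no state is ever created and the reply is dropped like any other unsolicited packet.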
