Mapping external IPs to internal ones

I have got myself a bit lost - this is what I want to do … (IPs changed to protect the innocent)

I have a box with 2 network cards
the internal interface is 1.2.3.254
the external interface is 5.6.7.8

inside there are 1000 or so private IP addresses
outside I have 3 public IP addresses

At the moment it is set up as a router with the firewall on. Internal machines can surf OK, and if I use ‘test my IP’ they all show up as 5.6.7.8, which is what I expect, and everything seems OK.

Now I want to make my LDAP server visible to another user on the Internet, so I essentially need to map 5.6.7.9 to 1.2.3.4 so the Internet company thinks they are talking to 5.6.7.9 when in actual fact they are talking to the LDAP server inside.

Idiots guide please :slight_smile:

Ta

mal

Look for documentation with “Network Address Translation” (NAT) and “Port Forwarding” for the theory.

I have no idea how you can implement this router functionality on your openSUSE system though.

Now I want to make my LDAP server visible to another user on the Internet, so I essentially need to map 5.6.7.9 to 1.2.3.4 so the Internet company thinks they are talking to 5.6.7.9 when in actual fact they are talking to the LDAP server inside.

If using an openSUSE machine as a firewall, then firewalld port forwarding for your example will look something like this…

# allow the external port; the rich rule is wrapped in single quotes so the inner double quotes reach firewalld intact, and there is no space before /32
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="5.6.7.9/32" port protocol="tcp" port="XXXX" accept'
# forward external port XXXX to port YYYY on the LDAP server
firewall-cmd --permanent --zone=public --add-forward-port=port=XXXX:proto=tcp:toport=YYYY:toaddr=1.2.3.4
firewall-cmd --reload

Pay attention to the external and internal ports as well.

This Fedora firewalld guide may be helpful too…
https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Configure_Port_Forwarding-CLI.html
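As an added example (not from the thread, and not from the firewalld or Fedora documentation), here is a small POSIX shell script that does the same mapping with a single forward-port rich rule, restricted so the DNAT only applies to packets that arrive on 5.6.7.9 (not on 5.6.7.8 as well) and only from the one remote company. The partner address 203.0.113.10 and the LDAP port 389 are assumed placeholders; the thread names neither. The script builds the rule in one function and prints the firewall-cmd calls when DRY_RUN=1, so it can be inspected without root or firewalld.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps the spare public IP 5.6.7.9 to
# the internal LDAP server 1.2.3.4 for one partner address only, instead of
# forwarding the port on every IP the firewall box holds.
# Assumed placeholders: PARTNER_IP (203.0.113.10, a documentation address) and
# LDAP_PORT (389); the thread gives neither.
PUBLIC_IP="5.6.7.9"
LDAP_HOST="1.2.3.4"
PARTNER_IP="203.0.113.10"
LDAP_PORT="389"

# The rule string firewalld expects. The inner double quotes are part of the
# rich-rule syntax, so on the command line the whole rule goes in single
# quotes (or is passed as one argument, as apply_ldap_forward does below).
ldap_forward_rule() {
    printf 'rule family="ipv4" source address="%s/32" destination address="%s/32" forward-port port="%s" protocol="tcp" to-addr="%s"\n' \
        "$PARTNER_IP" "$PUBLIC_IP" "$LDAP_PORT" "$LDAP_HOST"
}

# Run a command, or just print it when DRY_RUN=1 (no root or firewalld needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Masquerade has to be on in the zone so replies from 1.2.3.4 are translated
# back on the way out; on the box described in the thread it already is
# (internal hosts surf as 5.6.7.8), and re-adding it only prints a warning.
# The rule is then added to the permanent config and the runtime reloaded.
apply_ldap_forward() {
    run firewall-cmd --permanent --zone=public --add-masquerade
    run firewall-cmd --permanent --zone=public --add-rich-rule="$(ldap_forward_rule)"
    run firewall-cmd --reload
}

# Usage: DRY_RUN=1 sh map_ldap.sh apply   (prints the three commands)
#        sh map_ldap.sh apply             (applies them, as root, on the firewall)
case "${1:-}" in
    apply) apply_ldap_forward ;;
esac
```

Compared with a plain --add-forward-port, the destination address keeps the mapping off 5.6.7.8, and the source address means nobody but the named partner gets a DNAT to the LDAP server at all, which is the smallest exposure this approach allows; the remaining question of whether LDAP should be reachable from the Internet at all is a separate one.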

Yaa…

Other than it’s really picky and doesn’t like the space before /32 it worked a treat.

Many thanks

Mal

Yes, sorry that was a typo. Anyway, glad to have been of assistance. :slight_smile:

Ordinarily, people don’t connect only to an LDAP server; they connect to an LDAP server to obtain credentials for accessing other resources in the LAN. If that’s the case, then you should consider

  • Setting up VPN access for your Internet user. When the remote user and machine log in successfully, they’ll have immediate access to that part of your internal network. No need to set up special firewall rules like port forwarding. No need to set up your firewall to protect LDAP server access from the outside, which would be a potential catastrophe if compromised.

  • If you set up a VPN, you can make it as simple or as complex as you want, according to your knowledge of networking, the type of VPN you set up and the amount of work you put into it… You can set up special filtering for specific traffic, impose special remote authentication requirements, restrict access to only parts of your internal network by supernetting, subnetting, different zones, etc.

Exposing a critical internal network resource like an LDAP server to external access isn’t something you should do without considerable thought and some personal research.

HTH,
TSU