IPCop Linux Firewall

Port Forwarding and Dynamic DNS

A NAT-based router such as IPCop rejects all requests for data that originate from the Internet. While this keeps LAN computers safe from being directly accessed by unknown entities, it presents a problem when you want to allow such requests for, say, a web or FTP server. So, like commercial NAT-based routers, IPCop can forward requests for specific Internet services to certain machines on your LAN. This is done via a feature called Port Forwarding.

An example of adding a Port Forwarding rule for a webserver is shown in Figure 27. This rule consists of our client's IP address, 192.168.0.168, as the destination IP, as well as the HTTP source port 80 (on the Internet side) and the destination port (on our local client at 192.168.0.168). The Remark field can be used to add a short note about the rule. In our case, this is simply "Webserver".

Figure 27: Adding a Port Forwarding rule

After clicking Add, the rule is added to the list in the lower part of the window, and instantly becomes active.

If you want to access clients on your home network remotely, then you're often faced with another problem. Most ISPs assign IP addresses dynamically upon connection, which means that your router (and the services running on any Port-Forwarded servers behind it) will have a different IP address as often as every time the router connects. Fortunately, dynamic DNS services provide a way around this problem.

Dynamic DNS service providers offer subdomain names that are kept pointed at the changing IP address of your router. Normally, this requires running a client somewhere on your LAN that detects when your WAN IP address has changed and tells the Dynamic DNS service's servers to grab the new IP address. However, IPCop comes with a built-in client that removes the need to run one on a LAN machine.

Figure 28: Setting up the Dynamic DNS client

Setup involves first creating an account with one of the Dynamic DNS services if you don't already have one. Some Dynamic DNS services, such as www.dyndns.org, are offered free of charge. The service then provides the account information, which is entered into IPCop's interface (Figure 28). IPCop's client can handle operating through an HTTP proxy (the Behind a Proxy checkbox), as some ISPs require, and the Enable Wildcards checkbox handles subdomains.

Finally, IPCop needs to know how to determine its IP address. In most cases, the correct setting is to take the address from the "red" interface, as shown in Figure 29. The second option only applies if there is a second router between IPCop and the Internet.

Figure 29: Dynamic DNS IP address determination method
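The change detection a Dynamic DNS client performs, and the choice between the two address determination methods, can be sketched as follows. This is an added example, not IPCop's own code: `external_lookup` and `send_update` are hypothetical callables standing in for an outside address check and the provider's update request, and the addresses are constructed samples from documentation ranges.

```python
import ipaddress

# Address ranges that are never the Internet-facing address. If the red
# interface holds one of these, another router is doing NAT in front of it.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
)]

def behind_second_router(red_ip):
    """True when the red interface address cannot be the public address."""
    addr = ipaddress.ip_address(red_ip)
    return any(addr in net for net in NON_PUBLIC)

def pick_wan_ip(red_ip, external_lookup):
    """Use the red interface address when it is public (first option);
    otherwise ask an outside source what address it sees (second option)."""
    ip = external_lookup() if behind_second_router(red_ip) else red_ip
    if behind_second_router(ip):
        # Never publish an unroutable address in a DNS record.
        raise ValueError("no public address found: %s" % ip)
    return ip

class DynDnsClient:
    """Sends an update only when the public address actually changed."""

    def __init__(self, send_update, last_ip=None):
        self.send_update = send_update  # hypothetical callable(ip)
        self.last_ip = last_ip          # last address sent to the provider

    def poll(self, red_ip, external_lookup):
        ip = pick_wan_ip(red_ip, external_lookup)
        if ip == self.last_ip:
            return False                # unchanged: no request is sent
        self.send_update(ip)
        self.last_ip = ip
        return True

if __name__ == "__main__":
    sent = []
    client = DynDnsClient(sent.append)
    lookup = lambda: "198.51.100.9"     # constructed outside view of the address
    print(client.poll("203.0.113.7", lookup))  # red is public: update sent
    print(client.poll("203.0.113.7", lookup))  # same address: nothing sent
    print(client.poll("192.168.1.2", lookup))  # red is private: lookup used
    print(sent)
```
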