Making webpy framework accessible from outside the local network


 
# 8  
Old 12-15-2013
This is what I expected:

Quote:
Originally Posted by frad
eth0 Link encap:Ethernet HWaddr dc:0e:a1:ba:82:1c
inet addr:192.168.178.** Bcast:192.168.178.*** Mask:255.255.255.0
You see, 192.168.178.x is exactly what I have written about above: you can't make that accessible from the internet (directly), because you absolutely need NAT in between this server and the internet. Usually you request and receive the right to use a certain IP-range (from the biggest networks down to single addresses) from some authority administrating the superset of this network/address. Ultimately this ends up at IANA (Internet Assigned Numbers Authority), which is responsible for the whole TCP/IP-Address range.

"Private Address Space" means that everybody is entitled to use these addresses without asking anybody, but in return is not guaranteed to have a unique address. Unique addresses are the basis for the internet, though, and all network hardware (routers, routing switches, ...) is required to be able to filter these addresses. Actually exactly this is done at every internet provider's network entrance. Even if you manage to get such a packet out of your local network it would be dropped silently at the first router it encounters.

What your router/modem now does is called NAT (Network Address Translation): when it connects to your provider it is given a single official IP-address for its "outside"-interface. The "inside"-interface gets some local (private) address. When one of your systems tries to connect to somewhere outside, the router intercepts these packets, rewrites them using its official "outside"-IP and connects to the requested server itself. As an answer comes back it rewrites the package again using its "inside" address and then transmits it into the local network. This way the local addresses are never seen outside the local network.

This means you have to configure your router accordingly to allow for requests from outside to be directed to your webserver inside and the requests and answers be rewritten properly.

Further it means that you need to register your router at some dynamic DNS service (Dyn-DNS or something equivalent) because the IP address your router gets is perhaps not always the same. In this case your service should at least be reachable via a constant name (say "your.service.com") even if this name resolves to some dynamic IP address.

Before I forget: some Internet providers explicitly forbid in their contracts to advertise a service (=operate a server) from a standard connection (this makes technically no sense, but so it is), so make sure your attempts do not constitute a breach of contract. You might lose your internet connection.

I hope this helps.

bakunin
# 9  
Old 12-15-2013
Quote:
What your router/modem now does is called NAT (Network Address Translation): when it connects to your provider it is given a single official IP-address for its "outside"-interface. The "inside"-interface gets some local (private) address. When one of your systems tries to connect to somewhere outside, the router intercepts these packets, rewrites them using its official "outside"-IP and connects to the requested server itself. As an answer comes back it rewrites the package again using its "inside" address and then transmits it into the local network. This way the local addresses are never seen outside the local network.

This means you have to configure your router accordingly to allow for requests from outside to be directed to your webserver inside and the requests and answers be rewritten properly.
Could you please guide me how to set up the forwarding just to see it working (I see that the IPs should be updated manually)?

I make a guess, I should use a command like this:

Code:
iptables -t nat -A PREROUTING -j DNAT -d IP1 -p tcp --dport PORT_X --to IP2

Please replace IP1 or IP2 with the IP assigned from my ISP, which I find via the "whatismyip" webpage, and the IP that I see with the ifconfig command (eth0 or wlan)

---------- Post updated at 11:06 AM ---------- Previous update was at 11:03 AM ----------

Do I guess correctly that the forwarding needs to be:

From local IP (eth0, wlan) to the ISP IP? and then the rest is done automatically?
# 10  
Old 12-15-2013
Quote:
Originally Posted by frad
Code:
iptables -t nat -A PREROUTING -j DNAT -d IP1 -p tcp --dport PORT_X --to IP2

Please replace IP1 or IP2 with the IP assigned from my ISP, which I find via the "whatismyip" webpage, and the IP that I see with the ifconfig command (eth0 or wlan)
Well, iptables is not my strong side, as in AIX there is a different packet filtering software. At first glance this seems right, but maybe someone else with more experience than me can fill out the gaps here?


Quote:
Originally Posted by frad
Do I guess correctly that the forwarding needs to be:

From local IP (eth0, wlan) to the ISP IP? and then the rest is done automatically?
Quite correct. The IP you see when you query your own IP over the internet is the "outside" interface of your router/modem (sometimes these are two different boxes, sometimes this is bound into one). It is this address by which your web server will be known outside. Notice, though, that the IP address will likely change with every dial-up you do. Therefore, if you configure an IP address into these rules you will have to change that whenever the connection is (re-)established. You should prepare a script for that therefore, maybe you can trigger its execution even, making the thing as "automatic" as it can get.

By the way, before you try to operate your framework: have you even tried to contact the "naked" web server from outside? Has it worked? If not, what was the error code?

I hope this helps.

bakunin
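
The forwarding discussed in this post, written out as an added example (not code from the thread or its posters): it checks that IP1 is the public "outside" address and IP2 the private "inside" one, then prints a DNAT rule plus a FORWARD rule limited to the single forwarded port. It assumes a Linux machine acting as the NAT router; the function names are hypothetical, the sample addresses are constructed, and port 8081 is the one mentioned in the thread.

```shell
#!/bin/sh
# Added example: prints, but does not apply, forwarding rules for a Linux NAT router.

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds if $1 lies in the private address space (10/8, 172.16/12, 192.168/16).
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) second=${1#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# build_forward_rules IP1 IP2 PORT
#   IP1 = public address on the router's outside interface
#   IP2 = private address of the web server inside the LAN
build_forward_rules() {
    public_ip=$1; private_ip=$2; port=$3
    is_ipv4 "$public_ip" && ! is_private "$public_ip" ||
        { echo "IP1 must be a public IPv4 address" >&2; return 1; }
    is_ipv4 "$private_ip" && is_private "$private_ip" ||
        { echo "IP2 must be a private IPv4 address" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    # Rewrite the destination of packets addressed to the public IP and port.
    echo "iptables -t nat -A PREROUTING -d $public_ip -p tcp --dport $port -j DNAT --to-destination $private_ip:$port"
    # Let only that one forwarded port through to the inside host.
    echo "iptables -A FORWARD -d $private_ip -p tcp --dport $port -j ACCEPT"
}

# Constructed sample values: 203.0.113.7 is a documentation address, .20 is made up.
build_forward_rules 203.0.113.7 192.168.178.20 8081
```

Swapping the two addresses makes the function refuse to print anything, which catches the IP1/IP2 mix-up before a rule is loaded.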
# 11  
Old 12-15-2013
Quote:
Quite correct. The IP you see when you query your own IP over the internet is the "outside" interface of your router/modem (sometimes these are two different boxes, sometimes this is bound into one). It is this address by which your web server will be known outside. Notice, though, that the IP address will likely change with every dial-up you do. Therefore, if you configure an IP address into these rules you will have to change that whenever the connection is (re-)established. You should prepare a script for that therefore, maybe you can trigger its execution even, making the thing as "automatic" as it can get.

By the way, before you try to operate your framework: have you even tried to contact the "naked" web server from outside? Has it worked? If not, what was the error code?
It is getting more clear but let's make sure that we are not getting confused with the nicknames of the IPs.

IP1= the result we get from the "whatsmyip" website (the IP assigned to the connection by the ISP)
IP2a= eth0 result -changes- and IP2b wlan result from "ifconfig"

Without configuring the ip tables, just by opening the port of choice (8081) trying to connect to the framework from outside results in connection time out. The same when IP1 is forwarded to IP2a (if the command I am using is correct)

When IP2a is forwarded to IP1 the framework is only available on the computer that launched it, not even on the other computers on the network. The error message is "page inaccessible" when attempting to connect from other computers on the local network and "connection time out" when attempting to connect from outside.

Please clarify "naked webserver"
 