Router – Port-forwarding with Authentication

authenticationport-forwardingrouter

Okay, so here's the story:

I administrate a server running a web application on my internal LAN, say foo:1234. My team uses this actively.

We have now decided to make this application accessible from outside our network – but we don't want to install it on our webserver. I have forwarded an external port (say 5678) on our (DDWRT) router to foo:1234, and this works fine.

The problem though, is that due to certain configuration issues anyone can view the page without being logged in, if they know the URL. I want to prevent that in some way.

I created a page (with login) on our web server, that redirects to router:5678 after authentication, but that's not really a solution; router:5678 is still publicly accessible.

My question: How can I set it up so that the port gets forwarded only after authentication?

Best Answer

A common way to handle this situation is to place an authenticating reverse proxy (e.g., apache) in front of the web server.

See e.g. http://thelowedown.wordpress.com/2008/10/12/reverse-proxy-with-apache/

Related Solutions

Ssl – Windows Server 2003 TCP port mapping / port forwarding

Reason you are battling to find software that does that is sort of contained in your question. You want to take socket traffic that is being generated by the Windows 2K3 ip stack, bound for port 25, somehow intercept it, and then send it outbound on the same interface with the destination port rewritted to 485 (and throw in SSL for good measure).

There just is no simple way to do that in software - unless you are a total Windows Programming Guru (or you are a personal friend of Mark Russinovitch and he owes you a favour.).

If you have a NAT capable firewall or router, just use that for translate packets from your 2K3 host to the submission port for Google Apps - and don't use SSL. The only way to use SSL would be what you have sort of done, by the sounds of it, and that is to install a local SMTP MTA, that will receive e-mail on the SMTP port, and relay it out to Google Apps on the submission port and will negotiate TLS between this MTA relay and Google Apps.

You won't really get blacklisted for this, however you may find your mail will be dropped by some MTAs because it is originating from a non-mx IP. To address this problem, add your static IP to an SPF record for your domain in your DNS. That will tell receiving MTAs that do SPF checking that this IP is indeed authorized to send mail on your behalf. Check the OpenSPF project for more information.

Ubuntu server refusing connections via port forwarding

Does restarting the ubuntu server or the verizon firewall make it start working again temporarily?

To check the status of your firewall rules, use

sudo /sbin/iptables -nvL |less

what do you see there? Save that output right after restart and then compare to when it stops working - is some other process mucking with your firewall rules (via crontab maybe)? Seems odd, but that could explain the behavior you are seeing.

Best Answer

Related Solutions

Ssl – Windows Server 2003 TCP port mapping / port forwarding

Ubuntu server refusing connections via port forwarding

Related Topic