Brett Glass to the Rescue
 Solutions to your toughest technical problems.     http://www.brettglass.com

Hiding Machines on a LAN from the Internet 
Q:  I want to connect a LAN to the Internet through a router, but do not want most of the machines on the LAN to be visible to the outside world. I know there is a block of IP numbers that can be used on a local network connected to the Internet which will not conflict with "real" internet assigned numbers. How do I use it? 
 
Roger Leigh 
 
A:  There are several groups of IP addresses which are considered to be "reserved" and are never actually used on the Internet. They are:

10.0.0.0      to   10.255.255.255
172.16.0.0    to   172.31.255.255
192.168.0.0   to   192.168.255.255

Of these groups, the most commonly used is the first one -- the "Class A" block that's often called "Subnet 10." (The other blocks are smaller, so there's no real advantage to using them.) Under normal conditions, routers on the Internet refuse to pass packets destined for these addresses.
 
When you set up a "firewall" router (as it's commonly called), you can make sure that machines outside the firewall cannot send packets directly to machines on your LAN by assigning those LAN machines addresses in these blocks.
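Here is an added example (not part of the original column) of the border rule the last two paragraphs describe, written in Python. It classifies an address against the three reserved blocks listed above and then applies the rule a firewall router would apply to packets arriving on its OUTSIDE interface: a packet whose source or destination is a reserved address has no business coming in from the Internet, so it is dropped. The packets and the addresses 198.51.100.7 and 203.0.113.10 are constructed sample data.

```python
import ipaddress

# The three reserved ("private") blocks listed in the column, in CIDR form.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0    - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0  - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
)


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the reserved blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def filter_outside_packets(packets):
    """Border rule for the router's outside interface.

    Returns (accepted, dropped). A packet is dropped when its source or its
    destination is a reserved address: legitimate Internet traffic never
    carries those, so the packet is either a misconfiguration somewhere or
    an attempt to reach (or impersonate) a machine on the inside LAN.
    """
    accepted, dropped = [], []
    for pkt in packets:
        if is_private(pkt["src"]) or is_private(pkt["dst"]):
            dropped.append(pkt)
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed sample packets seen on the outside interface (hypothetical data).
SAMPLE = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp/80"},   # ordinary Internet traffic
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp/80"},       # reserved source from outside
    {"src": "198.51.100.7", "dst": "192.168.1.20", "proto": "tcp/80"},   # outsider addressing an inside host
    {"src": "172.31.255.1", "dst": "203.0.113.10", "proto": "icmp"},     # top of the 172.16 block: reserved
    {"src": "172.32.0.1", "dst": "203.0.113.10", "proto": "icmp"},       # just past the 172.16 block: public
]

if __name__ == "__main__":
    ok, bad = filter_outside_packets(SAMPLE)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for pkt in bad:
        print("dropped:", pkt["src"], "->", pkt["dst"])
```

Note that the 172.16 block ends at 172.31.255.255, not 172.16.255.255; checking against the /12 network, rather than comparing the first two octets, gets that boundary right.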

Network Address Translation 

One of the big advantages of using these reserved addresses on your LAN is that you can selectively grant individual machines on your LAN access to the outside world while protecting them from outside attacks. This is done via a mechanism called Network Address Translation (NAT). (You'll also hear this mechanism referred to as "IP Masquerading.") 

Here's how NAT works. When one of the machines on your internal LAN wants to communicate with one elsewhere on the Internet, it sends a packet to the router using its invalid "return address." On its way through the router, the packet is altered; its return address is replaced by a legitimate IP address belonging to the router itself. All responses to those packets therefore come back to the router. The router reverses the address swapping process and passes the reply back to the computer for which it is intended. 

Why is this useful? First, the computer "behind" the firewall doesn't have a legitimate IP address, so the router can easily screen every packet it receives and prevent unwanted data from getting through. Also, the router can let several machines on the LAN share a single legitimate IP address, so you can put thousands of machines on your LAN and let them share a much smaller number of outside addresses (which are increasingly scarce nowadays).
 
What if you do want a machine to be accessible from the outside world? The best approach is to place that machine outside the firewall router and assign it a legitimate IP address. Another option is to leave it inside the firewall, on your LAN, and configure your router to let the outside world talk to it. The advantage of this approach is that the router can protect the machine from many kinds of attacks by blocking certain protocols. (For example, if the machine is a Web server, the router can prevent other machines from sending it mail, "pinging" it, etc.) The disadvantage of putting a public server behind a firewall is that there will be one more "hop" between the machine and the outside world. Also, the extra traffic might congest your LAN.
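The following is an added example, not code from the column, that models the address-swapping described in the last few paragraphs: outbound packets from the LAN have their "return address" replaced by the router's single public address, replies are matched against the translation table and swapped back, and anything else arriving from outside is dropped unless it matches a static mapping for a server you deliberately exposed (here a Web server on port 80, with mail and "ping" to it refused). The `MasqueradingRouter` class, its port-allocation scheme and the addresses 198.51.100.1, 10.0.0.x and 203.0.113.x are all hypothetical; a real router also tracks connection state and expires idle entries.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"   # "icmp" packets carry no ports; the model uses 0


class MasqueradingRouter:
    """Simplified model of an IP-masquerading (NAT) router.

    One public address is shared by every inside host. Outbound packets get
    their source rewritten to (public_ip, fresh port); replies are matched
    against the table and rewritten back. Nothing else from outside reaches
    the LAN unless it hits a static forward for a deliberately exposed server.
    """

    def __init__(self, public_ip: str, forwards=None, forward_protos=("tcp",)):
        self.public_ip = public_ip
        self.next_port = 40000
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_table = {}
        # (public port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_table = {}
        # Static forwards for exposed servers: public port -> (inside_ip, inside_port)
        self.forwards = dict(forwards or {})
        self.forward_protos = set(forward_protos)

    def lan_to_internet(self, pkt: Packet) -> Packet:
        """Replace the inside host's (reserved) return address with the router's."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out_table[key], pkt.dst, pkt.dport, pkt.proto)

    def internet_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the inside host, or None if it is dropped."""
        if pkt.dst != self.public_ip:
            return None   # an inside address is not reachable from outside at all
        entry = self.in_table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is not None:   # reply to a connection an inside host started
            inside_ip, inside_port = entry
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)
        if pkt.proto in self.forward_protos and pkt.dport in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dport]   # exposed server
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)
        return None   # unsolicited and not forwarded: screened out


def run_demo() -> dict:
    """Walk a few constructed packets through the router and collect the outcomes."""
    router = MasqueradingRouter("198.51.100.1", forwards={80: ("10.0.0.80", 80)})
    # Two inside hosts both use local port 51000 to talk to the same outside server.
    out1 = router.lan_to_internet(Packet("10.0.0.5", 51000, "203.0.113.10", 80))
    out2 = router.lan_to_internet(Packet("10.0.0.6", 51000, "203.0.113.10", 80))
    # The server's reply comes back to the router, which swaps the address back.
    reply = router.internet_to_lan(Packet("203.0.113.10", 80, "198.51.100.1", out1.sport))
    # A different outside host aiming at the same public port is not a reply.
    stray = router.internet_to_lan(Packet("203.0.113.99", 80, "198.51.100.1", out1.sport))
    # Traffic for the exposed Web server: HTTP is forwarded, mail and ping are not.
    web = router.internet_to_lan(Packet("203.0.113.10", 40123, "198.51.100.1", 80))
    mail = router.internet_to_lan(Packet("203.0.113.10", 40124, "198.51.100.1", 25))
    ping = router.internet_to_lan(Packet("203.0.113.10", 0, "198.51.100.1", 0, "icmp"))
    # A packet addressed straight to an inside address never gets through.
    direct = router.internet_to_lan(Packet("203.0.113.10", 40125, "10.0.0.5", 51000))
    return {"out1": out1, "out2": out2, "reply": reply, "stray": stray,
            "web": web, "mail": mail, "ping": ping, "direct": direct}


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:7s}", "dropped" if pkt is None else
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({pkt.proto})")
```

The two inside hosts picked the same local port, so the router hands each its own public port; that per-connection table is what lets thousands of machines share one outside address and is also why an unsolicited inbound packet has nowhere to go.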
 

© 1998 by Brett Glass. All rights reserved.