Simple clear advice in plain English

Hands on: Getting to grips with Network Address Translation

Improve security and avoid the pitfalls of running multiple machines using one IP address

Dedicated firewalls often have DMZ ports for this purpose, with the added benefit, in most implementations, of firewall protection even for systems in the DMZ.

But this kind of hardware solution can be expensive and you’re unlikely to find many low-cost broadband routers with such hardwired DMZ ports. Plus, with most broadband services, you only get one public IP address, in which case a different solution is required, implemented in the router/gateway software.

The software approach

There are no standards, so what you need varies depending on the make and model of your router, gateway or firewall. In general, look for software DMZ, address forwarding or port forwarding options.

These options can usually be set up and managed via the router’s user interface and will be grouped by themselves or listed under the Nat settings. However they’re organised, they will be implementations of the same approach: the logical mapping of public IP addresses and ports to ‘hidden’ local equivalents on the protected Lan.

With a software DMZ (sometimes known as host forwarding), for example, you can direct all unsolicited inbound traffic received on the public IP address to a single local server.

We used a Linksys WAG54GX2 wireless ADSL router, with all inbound traffic directed to the address 192.168.1.99; this is useful if you have just one server hosting your email, FTP, web and any other public-facing servers.

However, it doesn’t discriminate about what gets forwarded, so it effectively opens the target server to all and sundry, which could be a security issue. Firewall and content filtering rules will still be applied but, on a low-cost router, these measures are unlikely to be foolproof.

So you may want to be more selective about how traffic is forwarded.

We used a Linksys router which has been configured to inspect and pass traffic selectively according to the port involved. SMTP (port 25) and Pop3 (port 110) email traffic, for example, is being forwarded to an email server on 192.168.1.99, and general HTTP (port 80) traffic to a web server on 192.168.1.101.

The built-in firewall still applies in each case, and no other inbound traffic is allowed through except in response to requests made by a local user.

Other makes of router can usually be similarly configured, but you’ll have to check the documentation for details.

On some routers you can forward port ranges rather than specifying each port involved. On consumer-oriented routers, you’ll often find port-triggering options.

These allow the public IP address/port combinations to be mapped to specific internal addresses, but only for traffic streams solicited by users on the protected Lan.
