iptables - how to access local server using external ip

Guest

Archived from groups: comp.security.firewalls (More info?)

We're using iptables for NAT (sharing a DSL line).

Outside machines can access our internal server using our public DSL IP
address but internal workstations cannot. The internal workstations
have to use the local LAN IP address of the server to access it.

What do we need to do in order to access our internal servers using the
public IP address from our local workstations?

None of the documents we found using Google address this issue.
 

jp


Randy Lawrence wrote:
> We're using iptables for NAT (sharing dsl line).
>
> Outside machines can access our internal server using our public dsl ip
> address but internal workstations cannot. The internal workstations
> have to use the local LAN ip address of the server to access it.
>
> What do we need to do in order to access our internal servers using the
> public ip address from our local workstations?
>
> None of the documents we found using google address this issue.

Look up forwarding and masquerading in iptables; there is loads of
stuff on Google as well.

JP
 
Guest


Randy Lawrence wrote:

>We're using iptables for NAT (sharing dsl line).
>
>Outside machines can access our internal server using our public dsl ip
>address but internal workstations cannot. The internal workstations
>have to use the local LAN ip address of the server to access it.
>
>What do we need to do in order to access our internal servers using the
>public ip address from our local workstations?
>
>None of the documents we found using google address this issue.

Because it makes no sense. What it appears you want to do (and for
some reason this is a very popular request) is route traffic out (from
your LAN) to the Internet, only to have it routed right back in on the
same interface to the same LAN (or DMZ). Save yourself some heartache
and either set up a DNS server to point the FQDN to your internal
server locally, or add the appropriate hosts file entry to each of the
computers needing to access your server.
 
Guest


JP wrote:

>Randy Lawrence wrote:
>> We're using iptables for NAT (sharing dsl line).
>>
>> Outside machines can access our internal server using our public dsl ip
>> address but internal workstations cannot. The internal workstations
>> have to use the local LAN ip address of the server to access it.
>>
>> What do we need to do in order to access our internal servers using the
>> public ip address from our local workstations?
>>
>> None of the documents we found using google address this issue.
>
>lookup forwarding and masquerading in the iptables, there is loads of
>stuff in google as well.

I'd be very interested to hear your explanation of how to make that
work with forwarding and masquerading. Maybe I could learn something.
 

ken


Hi Randy -

On Tue, 01 Jun 2004 18:01:23 GMT, Randy Lawrence <jm@zzzzzzzzzzzz.com>
wrote:

>What do we need to do in order to access our internal servers using the
>public ip address from our local workstations?

All you need to do is DNAT requests to the external IP address coming
in on the LAN interface to the internal server address. Essentially
you do the same thing on the LAN interface as you do on the WAN
interface (except on the WAN interface you may not necessarily check
the destination address, whereas on the LAN interface you do need to).

--
Ken
http://www.ke9nr.net/
 
Guest


On 1 Jun 2004 22:45:08 -0500, Micheal Robert Zium
<mrozium@XSPAMX-yahoo.com> wrote:
>
>Randy Lawrence wrote:
>
>>We're using iptables for NAT (sharing dsl line).
>>
>>Outside machines can access our internal server using our public dsl ip
>>address but internal workstations cannot. The internal workstations
>>have to use the local LAN ip address of the server to access it.
>>
>>What do we need to do in order to access our internal servers using the
>>public ip address from our local workstations?
>>
>>None of the documents we found using google address this issue.
>
>Because it makes no sense. What it appears you want to do (and for
>some reason this is a very popular request) is route traffic out (from
>your LAN) to the Internet, only to have it routed right back in on the
>same interface to the same LAN (or DMZ). Save yourself some heartache
>and either setup a DNS server to point the FQDN to your internal
>server locally, or add the appropriate hosts file entry to each of the
>computers needing to access your server.
>

This feature is usually called NAT Loopback. Don't know if iptables
supports it, though.
 
Guest


JP wrote:

>OK, so I misread the question, it had been a long day!

I know the feeling...

>> Maybe I could learn something.
>
>Maybe you could...

Always room to learn.
 

sensadrome

BUMP!

I am adding something here because this is top on Google for how to access an internal server using an external IP.

It does make sense as a request, as hacking about with DNS or hosts files can be a pain and error prone - you may also end up in the scenario where you have to maintain 2 DNS servers just for one domain (internal and external).

For other people who come to this page, here is an explanation of what is going on and how to solve it:

You set up a DNAT rule to point your external IP address (1.1.1.1) to your internal server (192.168.0.10).

When a workstation (192.168.0.51) makes a request for the server, the first packet hits your server fine. As far as the workstation is concerned it sent the request to 1.1.1.1. So far so good.

The server sees the request as coming from 192.168.0.51, which is already on its own subnet, so it sends the replies directly back to the workstation.

The problem here is that the workstation was not expecting any packets to come directly from the server so they get rejected. (Meanwhile it doesn't get a reply from the gateway so the connection eventually times out)

The answer is to make the gateway SNAT all requests from the internal LAN that are directed to the server. The SNAT address should be that of the gateway itself. (iptables will then handle the rest)

 

donaldran



How and where do you set SNAT?
 

sensadrome

Hi donaldran - yes, sorry I should have given an example:

The magic happens in the POSTROUTING chain of the nat table.

Using the examples above ->

(external ip 1.1.1.1, internal network 192.168.0.0/24, webserver 192.168.0.10, router 192.168.0.1)


#the DNAT rule would be something like:

iptables -t nat -A PREROUTING -d 1.1.1.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10

#Then the SNAT rule would be:

iptables -t nat -A POSTROUTING -d 192.168.0.10 -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.1

Note that the destination in the SNAT rule is the internal ip address of the web server and not the external - this is because the destination of the packet had already been changed by the DNAT rule...

I hope that helps...
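As an added example, not sensadrome's or Ken's own commands from this thread: a small POSIX shell function that prints the hairpin-NAT ("NAT loopback") rules both of them describe, with the SNAT narrowed by "-m conntrack --ctstate DNAT" so that only connections the DNAT rule rewrote get their source changed and direct LAN requests to 192.168.0.10 keep the real client address. The addresses and port are the thread's constructed ones; the function only prints the commands rather than running them, and the two FORWARD rules are an assumption for gateways whose FORWARD policy is DROP.

```shell
# Added example (not the thread's own commands): print the iptables rules for
# hairpin NAT as explained above. The SNAT rule is narrowed with
# "--ctstate DNAT" so only connections rewritten by the DNAT rule have their
# source changed; direct LAN requests to the server keep the client's address.
# Values passed in below are the thread's constructed addresses.
hairpin_nat_rules() {
    ext_ip="$1"; lan_net="$2"; server="$3"; gw_ip="$4"; port="$5"

    # 1. DNAT in PREROUTING: traffic for the public address goes to the
    #    internal server. No input-interface restriction, so LAN clients
    #    that connect to the public address are caught as well.
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$ext_ip" "$port" "$server"

    # 2. SNAT in POSTROUTING, only for LAN-originated connections that were
    #    DNATed in step 1. The destination is already the internal address
    #    here because PREROUTING ran first. Replies now return through the
    #    gateway, which undoes both translations before the client sees them.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$lan_net" "$server" "$port" "$gw_ip"

    # 3. FORWARD rules (assumed needed when the policy is DROP): new
    #    connections to the server's port, plus replies for tracked flows.
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$server" "$port"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Print the rule set for the thread's example network (run the output on
# the gateway as root to apply it).
hairpin_nat_rules 1.1.1.1 192.168.0.0/24 192.168.0.10 192.168.0.1 80
```

Requests that take the hairpin path still reach the server with the gateway's address as their source; that is inherent to the SNAT approach, and only direct LAN requests keep the client address.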
 

Neville Hillyer

Am I correct in thinking that this is the standard loopback provided by many home routers?

If so, my experience of loopback is that the server sees the request as coming from the router, so all LAN requests are logged with the router's IP.

I upgraded the firmware on an old Netgear DG834PN and discovered that it did not loopback. After a further upgrade to DGTeam firmware, loopback was restored. Although DGTeam firmware is fast and flexible, my version lacks any loopback control - it exists permanently.

Is there a router solution (I can add script on my DGTeam web interface) which allows servers to log LAN requests correctly? It would be simple if routers had hosts files.