Adm.Wiggin (n00b)
Joined: 04 Mar 2009, Posts: 5
Posted: Wed Mar 04, 2009 9:27 pm    Post subject: iptables internal port forwarding
I have followed the Gentoo "Home Router Guide" (http://www.gentoo.org/doc/en/home-router-howto.xml) and have a working NAT router box.
I started adding Port Forwarding, as per the instructions at the bottom, and have run into some issues that I cannot seem to solve after hours of reading and trying different things. Here's the situation.
For reference, here's the port forwarding code from the HOWTO (for http, as our example):
Code: iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to ${INTERNAL_WEBSERVER_IP}
When setting up port forwarding exactly as described, it works, but only from (arbitrary external machine) -> (my external ip). Any request like (internal ip) -> (external ip) doesn't get forwarded to the proper location.
I changed the code to the following, to see if it would change anything, and external forwarding still works, but internal forwarding still doesn't, so I've gained nothing:
Code: iptables -t nat -A PREROUTING -p tcp --dport 80 -d ${EXTERNAL_IP} -j DNAT --to ${INTERNAL_WEBSERVER_IP}
I tried something else: I grabbed a valid IP address for "google.com" and put that in, in place of my internal webserver ip, creating the following:
Code: iptables -t nat -A PREROUTING -p tcp --dport 80 -d ${EXTERNAL_IP} -j DNAT --to ${GOOGLE_IP}
I connect, and google.com shows up, leading me to believe that it reroutes the packet to the proper ip, but doesn't reroute it to the appropriate interface (${LAN} instead of ${WAN}).
My question, then, is how to successfully forward all port 80 packets destined for our ${EXTERNAL_IP}, internal or external, to the internal webserver?
DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Thu Mar 05, 2009 12:09 pm    Post subject:
do you want completely unfiltered web-access for all internal hosts or do you only want http (port 80) access (for certain internal host(s))?
for full access for any internal host you could do sth like:
Code: iptables -t nat -I POSTROUTING 1 -o ${WAN_IF} -j MASQUERADE
for only port 80-access to all external servers for a certain host you could do:
Code: iptables -t nat -I POSTROUTING 1 -s ${HOST} -p tcp --dport 80 -j MASQUERADE
this of course assumes that all rules are in a working order and that the default (last) rule is DROP.
GOOD LUCK!
_________________
DUMM KLICKT GUT.
Adm.Wiggin (n00b)
Joined: 04 Mar 2009, Posts: 5
Posted: Thu Mar 05, 2009 7:02 pm    Post subject:
It seems as though you have misunderstood me.
I'm not trying to allow internet access for internal hosts; I have that.
I'm trying to set up port forwarding to act like it does on almost all off-the-shelf routers I have ever used, such that if our external ip is accessed from the outside, the request is redirected to the proper host (which works, as per the guide), but also so that if our external ip is accessed from within the network, the request is still redirected to the proper host (which doesn't work, but I'm trying to figure out how one would go about making it so).
DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Fri Mar 06, 2009 9:37 am    Post subject:
it has to work quite easily, i'm sure it's only a small thing to adjust.
do you have some kind of dmz, or is the (internal?) host to be accessed from the external ip on the same net as the hosts supposed to access it? are there any rules on the host to be accessed? how about routing on the involved hosts?
_________________
DUMM KLICKT GUT.
Adm.Wiggin (n00b)
Joined: 04 Mar 2009, Posts: 5
Posted: Fri Mar 06, 2009 2:39 pm    Post subject:
I'm not sure what a DMZ is, but the webserver machine is indeed on the same network as the internal machines trying to access it. There aren't any special rules regarding traffic either to the webserver machine or otherwise, just the stuff you can already find in the Home Router Guide. I'll post my entire iptables setup script if you're interested in seeing it, but it really is just what you see for iptables setup in the guide.
DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Mon Mar 09, 2009 2:06 pm    Post subject:
so the webserver and the machines supposed to access it are on the same subnet and plugged into the same switch/hub?
is it necessary that the internal machines access the server with its external ip (logs, stats, sth.?) or could they use its "local" ip?
have you tried accessing the server's local ip with an internal client? try that if it's ok.
GOOD LUCK!
_________________
DUMM KLICKT GUT.
Adm.Wiggin (n00b)
Joined: 04 Mar 2009, Posts: 5
Posted: Mon Mar 09, 2009 5:14 pm    Post subject:
Yes, they are all plugged into the same switch. Accessing the "local" ip works great, but then if I move outside the LAN, the local ip (obviously) doesn't work anymore and I have to change my URL. DNS is one solution, but I'd hoped to avoid that, since this really is a standard feature of many off-the-shelf routers.
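What Adm.Wiggin is asking for is usually called hairpin (or loopback) NAT, and the thread never gets to the missing piece: the DNAT rule on its own is not enough when client and server share a subnet, because the server answers the client directly and the client drops a reply that comes from an address it never connected to. The script below is an added example, not code from the thread or from the Home Router Guide; the interface names, the addresses (documentation and private ranges) and the variable names are assumed placeholders, and by default it only prints the rules.

```shell
#!/bin/sh
# Added example: hairpin ("NAT loopback") port forwarding so that LAN clients
# can reach the web server through ${EXTERNAL_IP} just as outside clients do.
# Every value below is an assumed placeholder; replace it with your own.
WAN="${WAN:-eth0}"                         # interface facing the internet
LAN="${LAN:-eth1}"                         # interface facing the home network
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}" # the router's public address
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.0.1}"
INTERNAL_WEBSERVER_IP="${INTERNAL_WEBSERVER_IP:-192.168.0.2}"
IPT="${IPT:-echo iptables}"   # default prints rules; run with IPT=iptables as root to install

# 1. DNAT on the destination address instead of "-i ${WAN}", so requests that
#    arrive from the LAN side addressed to the public IP are rewritten as well.
dnat_rule() {
    $IPT -t nat -A PREROUTING -p tcp -d "$EXTERNAL_IP" --dport 80 \
        -j DNAT --to-destination "$INTERNAL_WEBSERVER_IP"
}

# 2. Why step 1 alone fails from inside: the client sends SYN to EXTERNAL_IP,
#    the router rewrites the destination and forwards it, but the web server
#    sees a source on its own subnet and replies straight to the client,
#    bypassing the router. The client gets a SYN/ACK from INTERNAL_WEBSERVER_IP
#    for a connection it opened to EXTERNAL_IP and discards it. Rewriting the
#    source to the router's LAN address for exactly these connections
#    ("--ctstate DNAT" = a DNAT was applied) pulls the reply back through the
#    router, which then undoes both translations.
hairpin_snat_rule() {
    $IPT -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$INTERNAL_WEBSERVER_IP" --dport 80 \
        -o "$LAN" -m conntrack --ctstate DNAT -j SNAT --to-source "$ROUTER_LAN_IP"
}

# 3. Hairpinned packets enter and leave on ${LAN}. If your FORWARD chain only
#    permits LAN -> WAN, allow the new flow too (replies are covered by the
#    usual ESTABLISHED,RELATED accept rule).
forward_rule() {
    $IPT -A FORWARD -i "$LAN" -o "$LAN" -p tcp -d "$INTERNAL_WEBSERVER_IP" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

dnat_rule
hairpin_snat_rule
forward_rule
```

Because the SNAT hides the real client address, the web server's logs will show ROUTER_LAN_IP for LAN clients that used the public address; clients that use the local address directly are untouched by the rule.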