Gentoo Forums
view my websites on local network
Gentoo Forums Forum Index :: Networking & Security

Author Message
cowboy0629 (Tux's lil' helper)
Joined: 11 May 2016
Posts: 76
Location: Kawartha Lakes, Ontario

PostPosted: Mon Feb 13, 2017 2:17 am    Post subject: view my websites on local network

Hi all, I am having an issue with my web server: I can view my websites from the internet but I am not able to view them from my local machines....

I have 3 sites on my server..

if I type in 192.168.0.1 / or my external IP ADDRESS --> I get my local website that shows me statistics of my internet connection and other stats of my network


when on a computer on the local network if I type in the browser

(local network)
http://cowboy0629.ddns.net --> This site can’t be reached cowboy0629.ddns.net refused to connect.
http://needfulthings.ddns.net --> This site can't be reached needfulthings.ddns.net refused to connect.

(external network ie. Phone/work computer/friends house etc..)
Sites Connect as wanted

Can someone help me get it to work on the internal network? I believe I have them set up as virtual servers, so for each address Apache sees it sends them to the website for that address..

Thanks in advance
Mike Dennison


Last edited by cowboy0629 on Tue Feb 14, 2017 12:41 pm; edited 2 times in total

eccerr0r (Watchman)
Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

PostPosted: Mon Feb 13, 2017 7:35 am

How is your router set up? What is your router?

There are some routers out there that, with stock firmware, do not redirect packets back into your network and thus exhibit behavior like what you see here. I recall my old Actiontec GT701 or something like that having this issue if not set up properly (it's a DSL router/modem). I don't recall exactly what I did to "solve" this issue; part of the problem is that I run a pfSense router now instead of using the DSL router.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

cowboy0629 (Tux's lil' helper)
PostPosted: Mon Feb 13, 2017 4:05 pm

My router is Gentoo and I'm using dnsmasq with it to handle the DHCP clients on my network

So I'm thinking I may have to change something in my iptables from what you are saying :(

I use a script file so if I change something and it doesn't work I can change the iptables back quickly; my family members tend to get really upset if the internet goes down for more than a couple of minutes




Code:


#!/bin/bash
#
#       JUNE 26 2016
#

### This *has* to be loaded, or no NAT!!!
modprobe ipt_MASQUERADE

#WAN (eth0=enp0s25) --> Outside Network

#export WAN="enp0s25"
export WAN="ppp0"

#LAN (eth1=enp17s0) --> Inside Network
export LAN="enp17s0"

#Other Variables
export SSHD_PORT="28"
export HTTP_PORT="80"
export MYSTIC_TELNET_PORT="2320"
export MYSTIC_SSH_PORT="2820"
export MYSTIC_FTP_PORT="2120"
#export SBBS_TELNET_PORT="2321"
#export SBBS_FTP_PORT="21"
#export SBBS_HTTP_PORT="8081"
#export SBBS_SSH_PORT="2821"

#Flush current rules

iptables -F
iptables -t nat -F
iptables -X

#Setup default policies to handle unmatched traffic

#iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


#Locks Services so they only work from the LAN

iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT


#Allow access to the ssh server from the WAN
iptables -A INPUT -p tcp --dport ${SSHD_PORT} -j ACCEPT
#Apache WebServer Rules
iptables -A INPUT -p tcp --dport ${HTTP_PORT} -j ACCEPT

#Drop TCP/UDP packets to privileged Ports:

iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Add NAT Rules

iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Port Forwarding

# (Forward Outside to GW2)
#iptables -t nat -A PREROUTING -p tcp --dport 28 -i ${WAN} -j DNAT --to 192.168$
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168$

#BBS RULES
##MYSTIC BBS
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_TELNET_PORT} -i ${WAN} -$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_SSH_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_FTP_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport 8080 -i ${WAN} -j DNAT --to 192.1$
#iptables -t nat -A PREROUTING -p tcp --dport 2320 -i ${WAN} -j DNAT --to 192.1$
##SBBS
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_SSH_PORT} -i ${WAN} -j DNA$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_TELNET_PORT} -i ${WAN} -j $
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_HTTP_PORT} -i ${WAN} -j DN$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_FTP_PORT} -i ${WAN} -j DNA$


#VNC RULES
##GW2
###Mike
iptables -t nat -A PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p tcp --dport 5801 -i ${WAN} -j DNAT --to 192.16$
#iptables -t nat -A PREROUTING -p tcp --dport 6001 -i ${WAN} -j DNAT --to 192.1$


#Xbox Live (Rules for my XboxOne and Xbox360)
iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.$
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 500 -i ${WAN} -j DNAT --to 192.1$
iptables -t nat -A PREROUTING -p udp --dport 3544 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 4500 -i ${WAN} -j DNAT --to 192.16$



#Inform the kernel that IP forwarding is OK:

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#Instruct the IPtables daemon to save the changes to the rules

/etc/init.d/iptables save


eccerr0r (Watchman)
PostPosted: Mon Feb 13, 2017 4:25 pm

Are you getting "connection refused" or "timeout" ?
What happens if you remove the forward drop rule...at least as a test?
Code:
#iptables -P FORWARD DROP


What is the router configuration - is it a plain router where it has a public IP address and forwards only private addresses?

When I was using a regular Linux box as a "plain" router (IP addresses/networks on each interface are distinct, no bridging) I only had to run the masquerade command to let data flow through. Of course incoming connections need their own firewall hole.

cowboy0629 (Tux's lil' helper)
PostPosted: Mon Feb 13, 2017 9:01 pm

On the home network I am getting connection refused when I try to connect to my Apache server from my local network.. but I can connect from the outside in to the websites.. I will try changing that line once I get home, I don't want to get locked out..

eccerr0r (Watchman)
PostPosted: Mon Feb 13, 2017 11:32 pm

OK, connection refused versus connection timeout is a key hint. Which means that your home network machines are trying to connect to something, but what... It also means that that DROP line isn't the issue, as if the packet was dropped it would be a connection timeout...

What is the IP address of the vhosts' fqdn that your inside network picked up?
Is your webserver listening to that address?

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 1:23 am

eccerr0r wrote:
Are you getting "connection refused" or "timeout" ?
What happens if you remove the forward drop rule...at least as a test?
Code:
#iptables -P FORWARD DROP


What is the router configuration - is it a plain router where it has a public IP address and forwards only private addresses?

When I was using a regular Linux box as a "plain" router (IP addresses/networks on each interface are distinct, no bridging) I only had to run the masquerade command to let data flow through. Of course incoming connections need their own firewall hole.


So I commented out the line like you suggested and I still got connection refused from the internal net... but could not access anything, including ssh, from the outside world..

Outside in would just sit like it was trying to load the webpage but nothing happened

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 1:29 am

eccerr0r wrote:
OK, connection refused versus connection timeout is a key hint. Which means that your home network machines are trying to connect to something, but what... It also means that that DROP line isn't the issue, as if the packet was dropped it would be a connection timeout...

What is the IP address of the vhosts' fqdn that your inside network picked up?
Is your webserver listening to that address?


I'm sorry, I'm not sure what you are asking.. .... the Apache server is on my router if that helps... so 192.168.0.1, but when I type that in it brings up a page my friend made for me that tracks my network stats....

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 2:09 am

These are my virtual host files

http://needfulthings.ddns.net
Code:

# Virtual Host For needfulthings.ddns.net
# Created 09/07/2016

# domain: needfulthings.ddns.net
# public: /var/www/public_html/needfulthings.ddns.net/

<VirtualHost *:80>

  # Admin email, Server Name (domain name) and any aliases
  ServerAdmin m.dennison@bell.net
  ServerName  needfulthings.ddns.net
  ServerAlias needfulthings.ddns.net


  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html
  DocumentRoot /var/www/public_html/needfulthings.ddns.net/public


  # Custom log file locations
  LogLevel warn
  ErrorLog  /var/www/public_html/needfulthings.ddns.net/log/error.log
  CustomLog /var/www/public_html/needfulthings.ddns.net/log/access.log combined

  <Directory "/var/www/public_html/needfulthings.ddns.net">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

</VirtualHost>


http://cowboy0629.ddns.net
Code:

# Virtual Host For cowboy0629.ddns.net
# Created 09/07/2016

# domain: cowboy0629.ddns.net
# public: /var/www/public_html/cowboy0629.ddns.net/

<VirtualHost *:80>

  # Admin email, Server Name (domain name) and any aliases
  ServerAdmin m.dennison@bell.net
  ServerName  www.cowboy0629.ddns.net
  ServerAlias cowboy0629.ddns.net


  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html
  DocumentRoot /var/www/public_html/cowboy0629.ddns.net/public


  # Custom log file locations
  LogLevel warn
  ErrorLog  /var/www/public_html/cowboy0629.ddns.net/log/error.log
  CustomLog /var/www/public_html/cowboy0629.ddns.net/log/access.log combined

  <Directory "/var/www/public_html/cowboy0629.ddns.net">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 2:19 am

I found this on a website.. looks like what I might need to do to get it working on my internal network, BUT .. my external IP changes all the time, which is why I need to use a DDNS service


https://httpd.apache.org/docs/2.4/vhosts/examples.html#page-header

Code:

Serving the same content on different IP addresses (such as an internal and external address).

The server machine has two IP addresses (192.168.1.1 and 172.20.30.40). The machine is sitting between an internal (intranet) network and an external (internet) network. Outside of the network, the name server.example.com resolves to the external address (172.20.30.40), but inside the network, that same name resolves to the internal address (192.168.1.1).

The server can be made to respond to internal and external requests with the same content, with just one <VirtualHost> section.

<VirtualHost 192.168.1.1 172.20.30.40>
    DocumentRoot "/www/server1"
    ServerName server.example.com
    ServerAlias server
</VirtualHost>
Now requests from both networks will be served from the same <VirtualHost>.

Note:

On the internal network, one can just use the name server rather than the fully qualified host name server.example.com.
Note also that, in the above example, you can replace the list of IP addresses with *, which will cause the server to respond the same on all addresses.

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 3:08 am

Thank you eccerr0r for your help on this problem.. I figured out how to fix this problem so I can test my websites on local machines... I hate when people mark a thread solved but don't tell us how it was solved, so here goes.. The fix was simple.


To get your local networked machines to see the websites on the Apache virtual hosts, add these lines to your hosts file

Code:

nano /etc/hosts

192.168.0.1     <web-address A>
192.168.0.1     <web-address B>

change 192.168.0.1 --> YOUR APACHE WEB-SERVER ADDRESS
change <web-address A> --> the address you assigned to your virtual hosts, EX. needfulthings.ddns.net

eccerr0r (Watchman)
PostPosted: Tue Feb 14, 2017 4:05 am

Ah yeah that would do it. Crap, wish there was an easy way to detect /etc/hosts issues. Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...

But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong... That way if the external name changes IP, you'd automatically pick up the name as well.

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 14, 2017 12:46 pm

eccerr0r wrote:
Ah yeah that would do it. Crap, wish there was an easy way to detect /etc/hosts issues. Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...

But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong... That way if the external name changes IP, you'd automatically pick up the name as well.



I just realized that this did not work ... (it's ok for computers that never leave the house) but guess what, as soon as I took my laptop to work I was no longer able to access my websites until I commented out the newly added entries in the hosts file...

I have tried to set up a local DNS server but have not had any luck.. any ideas what I may be doing wrong for this problem...

bbgermany (Veteran)
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Wed Feb 15, 2017 6:26 am

Hi,

what do you get in return for the following commands:

Code:

nslookup cowboy0629.ddns.net

nslookup needfulthings.ddns.net


from your local network? It seems like a little local resolving issue caused by your dnsmasq. Your Apache configuration is correct with *:80 or *:443, since you want all websites to listen on all interfaces.

Can you additionally post your /etc/nsswitch.conf please. Maybe that is where the issue lies with regard to your hosts file entries.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS

cowboy0629 (Tux's lil' helper)
PostPosted: Thu Feb 16, 2017 3:56 pm

From GW1 - Gentoo Router

Code:

mike@GW1 ~/ $ nslookup cowboy0629.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cowboy0629.ddns.net
Address: 76.69.25.182

mike@GW1 ~/ $ nslookup needfulthings.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   needfulthings.ddns.net
Address: 76.69.25.182


From a computer on Local network

Code:

mike@GW2 mike/ # nslookup cowboy0629.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cowboy0629.ddns.net
Address: 76.69.25.182

mike@GW2 nslookup needfulthings.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   needfulthings.ddns.net
Address: 76.69.25.182


I didn't bother posting remote because I figured you probably already knew the answer to that...

should I have the auth-dns USE FLAG enabled ?

here is what I have installed for dnsmasq

Code:

mike@GW1 ~/ $ eix dnsmasq
[U] net-dns/dnsmasq
     Available versions:  2.76 {auth-dns conntrack dbus +dhcp dhcp-tools dnssec idn +inotify ipv6 lua nls script selinux static tftp LINGUAS="de es fi fr id it no pl pt_BR ro"}
     Installed versions:  2.75(19:54:19 05/18/16)(dbus dhcp inotify ipv6 nls -auth-dns -conntrack -dhcp-tools -dnssec -idn -lua -script -selinux -static -tftp LINGUAS="-de -es -fi -fr -id -it -no -pl -pt_BR -ro")
     Homepage:            http://www.thekelleys.org.uk/dnsmasq/doc.html
     Description:         Small forwarding DNS server

bbgermany (Veteran)
PostPosted: Fri Feb 17, 2017 6:09 am

Hi,

I'm not familiar with dnsmasq, since I'm always using bind. But I think you should redo your firewall rules. At first you should restart with everything set to drop and then open up port by port, starting with ssh from the internal network.

Code:

#!/bin/bash

# define interfaces
WAN="ppp0"
LAN="enp17s0"

# flush rules
iptables -F
iptables -F -t nat


# drop all traffic except outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT

# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -p tcp --dport 22 -d ${LAN} -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d ${LAN} -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCPEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT

# allowing already created connections to established related connected
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT


Maybe this helps you a bit. You can continue with this.

greets, bb

cowboy0629 (Tux's lil' helper)
PostPosted: Mon Feb 27, 2017 11:49 pm

bbgermany wrote:
Hi,

I'm not familiar with dnsmasq, since I'm always using bind. But I think you should redo your firewall rules. At first you should restart with everything set to drop and then open up port by port, starting with ssh from the internal network.

Code:

#!/bin/bash

# define interfaces
WAN="ppp0"
LAN="enp17s0"

# flush rules
iptables -F
iptables -F -t nat


# drop all traffic except outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT

# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -p tcp --dport 22 -d ${LAN} -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d ${LAN} -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCPEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT

# allowing already created connections to established related connected
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT


Maybe this helps you a bit. You can continue with this.

greets, bb


I will try this, but usually when I change that iptables everything quits working.. I'll let you know how things go in a few

cboldt (l33t)
Joined: 24 Aug 2005
Posts: 829

PostPosted: Tue Feb 28, 2017 1:19 am

Howdy partner ...

From inside the LAN, you want `nslookup cowboy0629.ddns.net` to show your dnsmasq machine as the "Server", and you do NOT want LAN packets to run outside the router, then back to 76.69.25.182 (the other side of the router) ... you want the LAN traffic to stay on the LAN, 192.168.0/24 I think is what you are using.

This is "straight network traffic," and the firewalls in effect will be on the machine seeking to make an http (or https) connection (rarely an issue here), and the machine that is hosting http and https connections and serving webpages. I don't think your gw1 (router) is also hosting web pages, but I am just assuming that.

Now that I think about it, I don't have a crystal clear picture of your network. Mine is setup like this, looking in from the outside ...

CableModem (out of the picture to the LAN) -> ASUS Router [192.168.0.10 to the LAN]

ASUS Router has a fixed IP, asserted by itself, reinforced by dhcp server (dnsmasq) elsewhere. ASUS router has dhcp functionality, turned OFF. CableModem is 72.224.158.246 to the outside world, some timewarnercable name associated with it. The machines on the LAN (including the dhcp server) are clueless about CableModem, but I know it as 192.168.100.1

ASUS Router sends packets for port 25, and a few others, to 192.168.0.1
ASUS Router sends packets for port 80 to 192.168.0.2

The IP addresses for ALL machines on 192.168.0/24 are at least tracked (and most are assigned) by dnsmasq running on 192.168.0.1 [hypoid]. The machine at 192.168.0.1 asserts a fixed IP from the get-go, in all ways. The machine at 192.168.0.2 [involute] gets that IP address by dint of the IP-by-MACID thing you now know about, and it uses dhcp when starting the network.

ASUS Router gets 192.168.0.10, first by asserting it, itself, and also by these lines in dnsmasq.conf (or its cousins) ...

Code:
dhcp-option=option:router,192.168.0.10
dhcp-host=e0:3f:49:9d:bd:08,router,192.168.0.10         # ASUS RT-AC66W (router)
host-record=router,router.curvate.net,192.168.0.10


Probably some belt and suspenders there, between asserting a fixed IP, etc. ... I think the reason for at least one of those lines is to ensure any machine on the net will receive "192.168.0.10" when asking `nslookup router`

So, other than ASUS router (and another ASUS dohicky used as an access point), and "hypoid," all the machines use dhcp to get a network address. Some of the machines get a predictable address, and need a predictable LAN address because "router" sends certain packets from the outside to fixed IPs.

192.168.0.1 [hypoid] gets and serves mail, and is the sshd point of contact with the outside
192.168.0.3 [hypoid-2] is a honeypot

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 28, 2017 2:07 am

Hi .. well, I tried the above iptables and they did not return to the prompt when I ran them, and locked everyone out of the network, internal and external...


cboldt

You are helping me with the dnsmasq as well..


but my network is

BELL ADSL MODEM --> GW1 (Gentoo Home Router) --> LAN:
    ACER (GENTOO LAPTOP)
    GW2 (DESKTOP GENTOO)
    IMAC
    1 WINBLOWS LAPTOP
    1 WINBLOWS DESKTOP
    4 SMART TV / XBOXES / WII etc
    TP-LINK WIRELESS ROUTER (set in Bridge MODE) for wireless connections

APACHE Server is running on GW1 ... I'm now beginning to wonder if this might have been a mistake and maybe I should be moving it to another machine??

cboldt (l33t)
PostPosted: Tue Feb 28, 2017 2:39 am

You can run the router and webserver on the same machine, no sweat.

I'm going to check the other thread, but in case the info isn't there, do I have these parts correct:

gw1 is at 192.168.0.1, acts as DNS and webserver and router for 192.168.0/24
gw1 has a fixed IP due to /etc/conf.d/net (or whatever you use to bring the interface up)

gw2 and some other machines have a "quasi-fixed" IP address, assigned by dnsmasq running out of gw1
gw2 and some other machines start network interface using dhcp

Out of curiosity, how does the Bell modem connect to gw1? USB?

cowboy0629 (Tux's lil' helper)
PostPosted: Tue Feb 28, 2017 3:43 am

Correct for GW1...

there are 2 Ethernet cards in GW1 ... enp17s0 = 192.168.0.1 (internal network)
enp0s25 = DYNAMIC IP (BELL MODEM) PPPOE

once GW1 connects to PPPOE the enp0s25 gets changed to ppp0

Code:

enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::52e5:49ff:fe71:c030  prefixlen 64  scopeid 0x20<link>
        ether 50:e5:49:71:c0:30  txqueuelen 1000  (Ethernet)
        RX packets 385534  bytes 544405091 (519.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 251237  bytes 22394440 (21.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xfc800000-fc820000

enp17s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::32b5:c2ff:fe00:7efb  prefixlen 64  scopeid 0x20<link>
        ether 30:b5:c2:00:7e:fb  txqueuelen 1000  (Ethernet)
        RX packets 252865  bytes 20420397 (19.4 MiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 386310  bytes 539841345 (514.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 74.12.68.106  netmask 255.255.255.255  destination 10.11.3.121
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 385493  bytes 534379553 (509.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 251185  bytes 15860019 (15.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Correct, GW2 and other machines are connecting via DHCP.. I was manually connecting them as STATIC but got tired of keeping track of all the machines, phones, tablets etc, so I changed DNS to allow 20 DHCP LEASES for friends and family that come over etc.. been slowly adding all local devices to assign a static by MAC address


Bell Modem connects enp0s25 ethernet

cboldt (l33t)
PostPosted: Tue Feb 28, 2017 10:59 am

Thanks for the details on network setup.

That suggested iptables setup above has a couple big mistakes in it. The "-d ${LAN}" parameter will throw an error.

"-d" is "destination IP [address] or network [address]" Your LAN is 192.168.0/24
"-i" is "interface [device]

Seeing as how you have two separate interface devices, the port opening firewall rules for gw1 (this is the only machine that has two interface devices) according to the example should be ...

Code:
# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${LAN} -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT


Those port rules assume you use port 22 for sshd, and also don't have an opening for https.

Also, gw1 is doing DNS for packets sent to IT (192.168.0.1), and is doing DHCP for the rest of the network, so it needs to open ports for those services to work. DNS queries are sent to port 53 of a definite single IP address (the nameserver machine). DHCP is a little more complicated, but opening ports 67 and 68 gets the job done. DHCP is a little more complicated because the requesting machine, knowing ZERO about the network, broadcasts its request to 255.255.255.255.

gordonb3 (Apprentice)
Joined: 01 Jul 2015
Posts: 185

PostPosted: Fri Mar 24, 2017 3:33 pm

The proper iptables rules to do this are:

Code:

iptables -t nat -A PREROUTING -p tcp -d ${WAN_IP} -s ${LAN_NET} --dport 80  -j DNAT --to-destination ${INTERNAL_IP}
iptables -t nat -A POSTROUTING -p tcp -d ${INTERNAL_IP} -s ${LAN_NET} --dport 80  -j MASQUERADE

Yes, this will require that you reload your firewall rules when the external IP changes. You can do this by adding a DHCP exit hook.

Alternative:
If you use dnsmasq as your internal DHCP and DNS server, you can make that include a secondary hosts file ('addn-hosts') in which you map your ddns names straight to the internal server.
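A small diagnostic for the two points made above (cboldt: from inside the LAN, `nslookup` should show the dnsmasq box as the Server rather than sending clients out to 76.69.25.182; gordonb3: the dnsmasq `addn-hosts` alternative). This is an added example written for this thread, not code posted by any of the participants: it parses nslookup output of the shape cowboy0629 posted, classifies what a LAN client will do with the answer, and builds the addn-hosts lines that pin the DDNS names to the router's LAN address. The LAN prefix 192.168.0.0/24 and server address 192.168.0.1 are taken from the thread; the sample nslookup text and the addn-hosts file path are constructed for the example.

```python
"""Check whether a LAN client's DNS answers will send it out through the router's
WAN address (the symptom in this thread) and build the dnsmasq 'addn-hosts'
entries that pin the DDNS names to the web server's LAN address instead.

Added example for this thread; not code from any of the posters.
"""
import ipaddress
import re

# Constructed sample: the shape of the nslookup output cowboy0629 posted from GW2
# (resolver 8.8.8.8, name answered with the public DDNS address).
SAMPLE_NSLOOKUP = """\
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cowboy0629.ddns.net
Address: 76.69.25.182
"""

LAN_NET = "192.168.0.0/24"          # LAN prefix from the thread
WEB_SERVER_LAN_IP = "192.168.0.1"   # GW1, where Apache runs


def parse_nslookup(text):
    """Return (resolver_ip, {name: [addresses]}) from nslookup's text output.

    The 'Address:' line directly under 'Server:' belongs to the resolver (it
    carries '#53'); only 'Address:' lines after a 'Name:' line are answers.
    """
    resolver = None
    answers = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Server:\s+(\S+)", line)
        if m:
            resolver = m.group(1)
            continue
        m = re.match(r"^Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            answers.setdefault(current, [])
            continue
        m = re.match(r"^Address:\s+([0-9a-fA-F.:]+)$", line)
        if m and current is not None:
            answers[current].append(m.group(1))
    return resolver, answers


def diagnose(resolver, addresses, lan_net=LAN_NET, server_ip=WEB_SERVER_LAN_IP):
    """Classify one name's answer as seen from a LAN client.

    Returns a list of findings (empty when the client reaches the server
    directly on the LAN):
      resolver-not-local  the client is not asking the LAN dnsmasq, so an
                          addn-hosts entry on the router would never be used
      hairpin-needed      the name points outside the LAN (the router's WAN
                          side); needs hairpin NAT rules or split-horizon DNS
      wrong-lan-host      the name points to a LAN address other than the server
    """
    lan = ipaddress.ip_network(lan_net)
    findings = []
    if resolver is None or ipaddress.ip_address(resolver) not in lan:
        findings.append("resolver-not-local")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            findings.append("hairpin-needed")
        elif ip != ipaddress.ip_address(server_ip):
            findings.append("wrong-lan-host")
    return findings


def addn_hosts_entries(answers, lan_net=LAN_NET, server_ip=WEB_SERVER_LAN_IP):
    """Build the body of a dnsmasq addn-hosts file: one '<lan ip> <name>' line
    for every name whose public answer lies outside the LAN.

    Point dnsmasq at the file with 'addn-hosts=/etc/dnsmasq.d/ddns-local.hosts'
    (the path is an assumption) and hand the router out as DNS server via
    'dhcp-option=option:dns-server,192.168.0.1' so LAN clients actually query it.
    """
    lan = ipaddress.ip_network(lan_net)
    lines = []
    for name, addrs in sorted(answers.items()):
        if any(ipaddress.ip_address(a) not in lan for a in addrs):
            lines.append(f"{server_ip}\t{name}")
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    resolver, answers = parse_nslookup(SAMPLE_NSLOOKUP)
    for name, addrs in answers.items():
        print(name, addrs, diagnose(resolver, addrs))
    print(addn_hosts_entries(answers), end="")
```

Run it against real output by piping `nslookup <name>` from a LAN client into `parse_nslookup`; a result of `resolver-not-local` means the addn-hosts fix cannot take effect until the clients are pointed at the router for DNS.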

bbgermany (Veteran)
PostPosted: Mon Mar 27, 2017 5:29 am

cboldt wrote:
Thanks for the details on network setup.

That suggested iptables setup above has a couple big mistakes in it. The "-d ${LAN}" parameter will throw an error.

"-d" is "destination IP [address] or network [address]" Your LAN is 192.168.0/24
"-i" is "interface [device]

Seeing as how you have two separate interface devices, the port opening firewall rules for gw1 (this is the only machine that has two interface devices) according to the example should be ...

Code:
# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${LAN} -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT


Those port rules assume you use port 22 for sshd, and also don't have an opening for https.

Also, gw1 is doing DNS for packets sent to IT (192.168.0.1), and is doing DHCP for the rest of the network, so it needs to open ports for those services to work. DNS queries are sent to port 53 of a definite single IP address (the nameserver machine). DHCP is a little more complicated, but opening ports 67 and 68 gets the job done. DHCP is a little more complicated because the requesting machine, knowing ZERO about the network, broadcasts its request to 255.255.255.255.


Darn, thank you, you're right. I overlooked this as I wrote it (note to myself: only do one thing at a time...) ;)

greets, bb
All times are GMT