cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Mon Feb 13, 2017 2:17 am Post subject: view my websites on local network |
Hi all, I am having an issue with my web-server. I can view my websites from the internet but I am not able to view them from my local machines....
I have 3 sites on my server..
if I type in 192.168.0.1 / or my external IP ADDRESS --> I get my local website that shows me statistics of my internet connection and other stats of my network
when on a computer on the local network if I type in the browser
(local network)
http://cowboy0629.ddns.net --> This site can’t be reached cowboy0629.ddns.net refused to connect.
http://needfulthings.ddns.net --> This site can't be reached needfulthings.ddns.net refused to connect.
(external network ie. Phone/work computer/friends house etc..)
Sites Connect as wanted
Can someone help me get it to work on the internal network? I believe I have them set up as virtual servers, so for each address apache sees it sends them to the website for that address..
Thanks in advance
Mike Dennison
Last edited by cowboy0629 on Tue Feb 14, 2017 12:41 pm; edited 2 times in total |
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9880 Location: almost Mile High in the USA
Posted: Mon Feb 13, 2017 7:35 am Post subject: |
How is your router set up? What is your router?
There are some routers out there that, with stock firmware, do not redirect packets back into your network and thus exhibit behavior like what you see here. I recall my old Actiontec GT701 or something like that having this issue if not set up properly (it's a DSL router/modem). I don't recall exactly what I did to "solve" this issue; part of the problem is that I run a pfSense router now instead of using the DSL router. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Mon Feb 13, 2017 4:05 pm Post subject: |
My router is Gentoo and I'm using dnsmasq with it to handle the DHCP clients on my network
So I'm thinking I may have to change something in my iptables from what you are saying
I use a script file so if I change something and it doesn't work I can change the iptables back quickly; my family members tend to get real upset if the internet goes down for more than a couple of minutes
Code: |
#!/bin/bash
#
# JUNE 26 2016
#
### This *has* to be loaded, or no NAT!!!
modprobe ipt_MASQUERADE
#WAN (eth0=enp0s25) --> Outside Network
#export WAN="enp0s25"
export WAN="ppp0"
#LAN (eth1=enp17s0) --> Inside Network
export LAN="enp17s0"
#Other Variables
export SSHD_PORT="28"
export HTTP_PORT="80"
export MYSTIC_TELNET_PORT="2320"
export MYSTIC_SSH_PORT="2820"
export MYSTIC_FTP_PORT="2120"
#export SBBS_TELNET_PORT="2321"
#export SBBS_FTP_PORT="21"
#export SBBS_HTTP_PORT="8081"
#export SBBS_SSH_PORT="2821"
#Flush current rules
iptables -F
iptables -t nat -F
iptables -X
#Setup default policies to handle unmatched traffic
#iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Locks Services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
#Allow access to the ssh server from the WAN
iptables -A INPUT -p tcp --dport ${SSHD_PORT} -j ACCEPT
#Apache WebServer Rules
iptables -A INPUT -p tcp --dport ${HTTP_PORT} -j ACCEPT
#Drop TCP/UDP packets to privileged Ports:
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
#Add NAT Rules
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#Port Forwarding
# (Forward Outside to GW2)
#iptables -t nat -A PREROUTING -p tcp --dport 28 -i ${WAN} -j DNAT --to 192.168$
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168$
#BBS RULES
##MYSTIC BBS
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_TELNET_PORT} -i ${WAN} -$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_SSH_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_FTP_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport 8080 -i ${WAN} -j DNAT --to 192.1$
#iptables -t nat -A PREROUTING -p tcp --dport 2320 -i ${WAN} -j DNAT --to 192.1$
##SBBS
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_SSH_PORT} -i ${WAN} -j DNA$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_TELNET_PORT} -i ${WAN} -j $
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_HTTP_PORT} -i ${WAN} -j DN$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_FTP_PORT} -i ${WAN} -j DNA$
#VNC RULES
##GW2
###Mike
iptables -t nat -A PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p tcp --dport 5801 -i ${WAN} -j DNAT --to 192.16$
#iptables -t nat -A PREROUTING -p tcp --dport 6001 -i ${WAN} -j DNAT --to 192.1$
#Xbox Live (Rules for my XboxOne and Xbox360)
iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.$
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 500 -i ${WAN} -j DNAT --to 192.1$
iptables -t nat -A PREROUTING -p udp --dport 3544 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 4500 -i ${WAN} -j DNAT --to 192.16$
#Inform the kernel that IP forwarding is OK:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
#Instruct the IPtables daemon to save the changes to the rules
/etc/init.d/iptables save
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9880 Location: almost Mile High in the USA
Posted: Mon Feb 13, 2017 4:25 pm Post subject: |
Are you getting "connection refused" or "timeout" ?
What happens if you remove the forward drop rule...at least as a test?
Code: | #iptables -P FORWARD DROP |
What is the router configuration - is it a plain router where it has a public IP address and forwards only private addresses?
When I was using a regular Linux box as a router as a "plain" router (IP addresses/networks on each interface are distinct - no bridging) I only had to run the masquerade command to let data flow through. Of course incoming connections need their own firewall hole. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Mon Feb 13, 2017 9:01 pm Post subject: |
On my home network I am getting connection refused when I try to connect to my apache server from my local network.. but I can connect from the outside in to the websites.. I will try changing that line once I get home, I don't want to get locked out.. |
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9880 Location: almost Mile High in the USA
Posted: Mon Feb 13, 2017 11:32 pm Post subject: |
OK, connection refused versus connection timeout is a key hint. Which means that your home network machines are trying to connect to something, but what... It also means that that DROP line isn't the issue, as if the packet was dropped, it would time out...
What is the IP address of the vhosts' fqdn that your inside network picked up?
Is your webserver listening to that address? _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 1:23 am Post subject: |
eccerr0r wrote: | Are you getting "connection refused" or "timeout" ?
What happens if you remove the forward drop rule...at least as a test?
Code: | #iptables -P FORWARD DROP |
What is the router configuration - is it a plain router where it has a public IP address and forwards only private addresses?
When I was using a regular Linux box as a router as a "plain" router (IP addresses/networks on each interface are distinct - no bridging) I only had to run the masquerade command to let data flow through. Of course incoming connections need their own firewall hole. |
So I commented out the line like you suggested and I still got connection refused from the internal net... but could not access anything, including ssh, from the outside world..
outside in would just sit like it was trying to load the webpage but nothing happened |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 1:29 am Post subject: |
eccerr0r wrote: | OK, connection refused versus connection timeout is a key hint. Which means that your home network machines are trying to connect to something, but what... It also means that that DROP line isn't the issue, as if the packet was dropped, it would time out...
What is the IP address of the vhosts' fqdn that your inside network picked up?
Is your webserver listening to that address? |
I'm sorry, I'm not sure what you are asking.. .... the apache server is on my router if that helps... so 192.168.0.1, but when I type that in it brings up a page my friend made for me that tracks my network stats.... |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 2:09 am Post subject: |
These are my virtual host files
http://needfulthings.ddns.net
Code: |
# Virtual Host For needfulthings.ddns.net
# Created 09/07/2016
# domain: needfulthings.ddns.net
# public: /var/www/public_html/needfulthings.ddns.net/
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin m.dennison@bell.net
ServerName needfulthings.ddns.net
ServerAlias needfulthings.ddns.net
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html
DocumentRoot /var/www/public_html/needfulthings.ddns.net/public
# Custom log file locations
LogLevel warn
ErrorLog /var/www/public_html/needfulthings.ddns.net/log/error.log
CustomLog /var/www/public_html/needfulthings.ddns.net/log/access.log combined
<Directory "/var/www/public_html/needfulthings.ddns.net">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
|
http://cowboy0629.ddns.net
Code: |
# Virtual Host For cowboy0629.ddns.net
# Created 09/07/2016
# domain: cowboy0629.ddns.net
# public: /var/www/public_html/cowboy0629.ddns.net/
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin m.dennison@bell.net
ServerName www.cowboy0629.ddns.net
ServerAlias cowboy0629.ddns.net
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html
DocumentRoot /var/www/public_html/cowboy0629.ddns.net/public
# Custom log file locations
LogLevel warn
ErrorLog /var/www/public_html/cowboy0629.ddns.net/log/error.log
CustomLog /var/www/public_html/cowboy0629.ddns.net/log/access.log combined
<Directory "/var/www/public_html/cowboy0629.ddns.net">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
|
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 2:19 am Post subject: |
I found this on a website.. looks like what I might need to do to get it working on my internal network BUT .. my external IP changes all the time, which is why I need to use a DDNS service
https://httpd.apache.org/docs/2.4/vhosts/examples.html#page-header
Code: |
Serving the same content on different IP addresses (such as an internal and external address).
The server machine has two IP addresses (192.168.1.1 and 172.20.30.40). The machine is sitting between an internal (intranet) network and an external (internet) network. Outside of the network, the name server.example.com resolves to the external address (172.20.30.40), but inside the network, that same name resolves to the internal address (192.168.1.1).
The server can be made to respond to internal and external requests with the same content, with just one <VirtualHost> section.
<VirtualHost 192.168.1.1 172.20.30.40>
DocumentRoot "/www/server1"
ServerName server.example.com
ServerAlias server
</VirtualHost>
Now requests from both networks will be served from the same <VirtualHost>.
Note:
On the internal network, one can just use the name server rather than the fully qualified host name server.example.com.
Note also that, in the above example, you can replace the list of IP addresses with *, which will cause the server to respond the same on all addresses.
|
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 3:08 am Post subject: |
Thank-you eccerr0r for your help on this problem.. I figured out how to fix this problem so I can test my websites on local machines... I hate when people mark a thread solved but don't tell us how it was solved so here goes.. The fix was simple.
To get your local networked machines to see the websites on the Apache Virtual Hosts, add these lines to your hosts file
Code: |
nano /etc/hosts
192.168.0.1 <web-address A>
192.168.0.1 <web-address B>
change 192.168.0.1 --> YOUR APACHE WEB-SERVER ADDRESS
change <web-address A> --> Address you assigned to your virtual hosts EX. needfulthings.ddns.net
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9880 Location: almost Mile High in the USA
Posted: Tue Feb 14, 2017 4:05 am Post subject: |
Ah yeah that would do it. Crap, wish there was an easy way to detect /etc/hosts issues. Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...
But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong... That way if the external name changes IP, you'd automatically pick up the name as well. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 14, 2017 12:46 pm Post subject: |
eccerr0r wrote: | Ah yeah that would do it. Crap, wish there was an easy way to detect /etc/hosts issues. Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...
But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong... That way if the external name changes IP, you'd automatically pick up the name as well. |
I just realized that this did not work ... (it's OK for computers that never leave the house) but guess what, as soon as I took my laptop to work I was no longer able to access my websites until I commented out the newly added entries in the hosts file...
I have tried to set up a local DNS server but have not had any luck.. any ideas what I may be doing wrong for this problem... |
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Wed Feb 15, 2017 6:26 am Post subject: |
Hi,
what do you get in return to the following commands:
Code: |
nslookup cowboy0629.ddns.net
nslookup needfulthings.ddns.net
|
from your local network? It seems like a little local resolving issue caused by your dnsmasq. Your apache configuration is correct with *:80 or *:443, since you want to listen for all websites on all interfaces.
Can you additionally post your /etc/nsswitch.conf please. Maybe the issue lies there, according to your hosts file entries.
greets, bb _________________ Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Thu Feb 16, 2017 3:56 pm Post subject: |
From GW1 - Gentoo Router
Code: |
mike@GW1 ~/ $ nslookup cowboy0629.ddns.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: cowboy0629.ddns.net
Address: 76.69.25.182
mike@GW1 ~/ $ nslookup needfulthings.ddns.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: needfulthings.ddns.net
Address: 76.69.25.182
|
From a computer on Local network
Code: |
mike@GW2 mike/ # nslookup cowboy0629.ddns.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: cowboy0629.ddns.net
Address: 76.69.25.182
mike@GW2 nslookup needfulthings.ddns.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: needfulthings.ddns.net
Address: 76.69.25.182
|
I didn't bother posting remote because I figured you probably already knew the answer to that...
should I have the auth-dns USE flag enabled ?
here is what I have installed for dnsmasq
Code: |
mike@GW1 ~/ $ eix dnsmasq
[U] net-dns/dnsmasq
Available versions: 2.76 {auth-dns conntrack dbus +dhcp dhcp-tools dnssec idn +inotify ipv6 lua nls script selinux static tftp LINGUAS="de es fi fr id it no pl pt_BR ro"}
Installed versions: 2.75(19:54:19 05/18/16)(dbus dhcp inotify ipv6 nls -auth-dns -conntrack -dhcp-tools -dnssec -idn -lua -script -selinux -static -tftp LINGUAS="-de -es -fi -fr -id -it -no -pl -pt_BR -ro")
Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
Description: Small forwarding DNS server
|
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Fri Feb 17, 2017 6:09 am Post subject: |
Hi,
I'm not familiar with dnsmasq, since I'm always using bind. But I think you should redo your firewall rules. At first you should restart with all to drop and then open up port by port, starting with ssh from the internal network.
Code: |
#!/bin/bash
# define interfaces
WAN="ppp0"
LAN="enp17s0"
# flush rules
iptables -F
iptables -F -t nat
# drop all traffic except outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT
# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -p tcp --dport 22 -d ${LAN} -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d ${LAN} -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# allowing already created connections to established related connected
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
Maybe this helps you a bit. You can continue with this.
greets, bb _________________ Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Mon Feb 27, 2017 11:49 pm Post subject: |
bbgermany wrote: | Hi,
I'm not familiar with dnsmasq, since I'm always using bind. But I think you should redo your firewall rules. At first you should restart with all to drop and then open up port by port, starting with ssh from the internal network.
Code: |
#!/bin/bash
# define interfaces
WAN="ppp0"
LAN="enp17s0"
# flush rules
iptables -F
iptables -F -t nat
# drop all traffic except outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT
# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -p tcp --dport 22 -d ${LAN} -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d ${LAN} -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# allowing already created connections to established related connected
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
Maybe this helps you a bit. You can continue with this.
greets, bb |
I will try this but usually when I change that iptables everything quits working.. let you know how things go in a few |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Tue Feb 28, 2017 1:19 am Post subject: |
Howdy partner ...
From inside the LAN, you want `nslookup cowboy0629.ddns.net` to show your dnsmasq machine as the "Server", and you do NOT want LAN packets to run outside the router, then back to 76.69.25.182 (the other side of the router) ... you want the LAN traffic to stay on the LAN, 192.168.0/24 I think is what you are using.
This is "straight network traffic," and the firewalls in effect will be on the machine seeking to make an http (or https) connection (rarely an issue here), and the machine that is hosting http and https connections and serving webpages. I don't think your gw1 (router) is also hosting web pages, but I am just assuming that.
Now that I think about it, I don't have a crystal clear picture of your network. Mine is setup like this, looking in from the outside ...
CableModem (out of the picture to the LAN) -> ASUS Router [192.168.0.10 to the LAN]
ASUS Router has a fixed IP, asserted by itself, reinforced by dhcp server (dnsmasq) elsewhere. ASUS router has dhcp functionality, turned OFF. CableModem is 72.224.158.246 to the outside world, some timewarnercable name associated with it. The machines on the LAN (including the dhcp server) are clueless about CableModem, but I know it as 192.168.100.1
ASUS Router sends packets for port 25, and a few others, to 192.168.0.1
ASUS Router sends packets for port 80 to 192.168.0.2
The IP addresses for ALL machines on 192.168.0/24 are at least tracked (and most are assigned) by dnsmasq running on 192.168.0.1 [hypoid]. The machine at 192.168.0.1 asserts a fixed IP from the get-go, in all ways. The machine at 192.168.0.2 [involute] gets that IP address by dint of the IP-by-MACID thing you now know about, and it uses dhcp when starting the network.
ASUS Router gets 192.168.0.10, first by asserting it, itself, and also by these lines in dnsmasq.conf (or its cousins) ...
Code: | dhcp-option=option:router,192.168.0.10
dhcp-host=e0:3f:49:9d:bd:08,router,192.168.0.10 # ASUS RT-AC66W (router)
host-record=router,router.curvate.net,192.168.0.10 |
Probably some belt and suspenders there, between asserting a fixed IP, etc. ... I think the reason for at least one of those lines is to insure any machine on the net will receive "192.168.0.10" when asking `nslookup router`
So, other than ASUS router (and another ASUS dohicky used as an access point), and "hypoid," all the machines use dhcp to get a network address. Some of the machines get a predictable address, and need a predictable LAN address because "router" sends certain packets from the outside to fixed IPs.
192.168.0.1 [hypoid] gets and serves mail, and is the sshd point of contact with the outside
192.168.0.3 [hypoid-2] is a honeypot |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 28, 2017 2:07 am Post subject: |
Hi .. well the above iptables I tried them and they did not return to prompt when I ran it and locked everyone out of network internal and external...
cboldt
You are helping me with the dnsmasq as well..
but my network is
BELL ADSL MODEM --> GW1 (Gentoo Home Router) --> LAN:
    ACER (GENTOO LAPTOP)
    GW2 (DESKTOP GENTOO)
    IMAC
    1 WINBLOWS LAPTOP
    1 WINBLOWS DESKTOP
    4 SMART TV / XBOXES / WII etc
    TP-LINK WIRELESS ROUTER (Set in Bridge MODE) for wireless connections
APACHE Server is running on GW1 ... I'm now beginning to wonder if this might have been a mistake and maybe I should be moving it to another machine?? |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Tue Feb 28, 2017 2:39 am Post subject: |
You can run the router and webserver on the same machine, no sweat.
I'm going to check the other thread, but in case the info isn't there, do I have these parts correct:
gw1 is at 192.168.0.1, acts as DNS and webserver and router for 192.168.0/24
gw1 has a fixed IP due to /etc/conf.d/net (or whatever you use to bring the interface up)
gw2 and some other machines have a "quasi-fixed" IP address, assigned by dnsmasq running out of gw1
gw2 and some other machines start network interface using dhcp
Out of curiosity, how does the Bell modem connect to gw1? USB? |
cowboy0629 Tux's lil' helper
Joined: 11 May 2016 Posts: 105 Location: Kawartha Lakes, Ontario
Posted: Tue Feb 28, 2017 3:43 am Post subject: |
Correct for GW1...
there is 2 Ethernet Cards in GW1 ... enp17s0 = 192.168.0.1 (internal network)
enp0s25 = DYNAMIC IP (BELL MODEM) PPPOE
once GW1 connects to PPPOE the enp0s25 gets changed to ppp0
Code: |
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::52e5:49ff:fe71:c030 prefixlen 64 scopeid 0x20<link>
ether 50:e5:49:71:c0:30 txqueuelen 1000 (Ethernet)
RX packets 385534 bytes 544405091 (519.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 251237 bytes 22394440 (21.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xfc800000-fc820000
enp17s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::32b5:c2ff:fe00:7efb prefixlen 64 scopeid 0x20<link>
ether 30:b5:c2:00:7e:fb txqueuelen 1000 (Ethernet)
RX packets 252865 bytes 20420397 (19.4 MiB)
RX errors 0 dropped 7 overruns 0 frame 0
TX packets 386310 bytes 539841345 (514.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
inet 74.12.68.106 netmask 255.255.255.255 destination 10.11.3.121
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 385493 bytes 534379553 (509.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 251185 bytes 15860019 (15.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
Correct, GW2 and other machines are connecting via DHCP.. I was manually configuring them as STATIC but got tired of keeping track of all the machines, phones, tablets etc, so I changed DNS to allow 20 DHCP LEASES for friends and family that come over etc.. been slowly adding all local devices to assign a static by mac address
Bell Modem connects enp0s25 ethernet |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Tue Feb 28, 2017 10:59 am Post subject: |
Thanks for the details on network setup.
That suggested iptables setup above has a couple of big mistakes in it. The "-d ${LAN}" parameter will throw an error.
"-d" is "destination IP [address] or network [address]". Your LAN is 192.168.0/24
"-i" is "interface [device]".
Seeing as how you have two separate interface devices, the port opening firewall rules for gw1 (this is the only machine that has two interface devices) according to the example should be ...
Code: | # basic rules for accessing the internet and the server from your lan
iptables -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${LAN} -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT |
Those port rules assume you use port 22 for sshd, and also don't have an opening for https.
Also, gw1 is doing DNS for packets sent to IT (192.168.0.1), and is doing DHCP for the rest of the network, so it needs to open ports for those services to work. DNS queries are sent to port 53 of a definite single IP address (the nameserver machine). DHCP is a little more complicated, but opening ports 67 and 68 gets the job done. DHCP is a little more complicated because the requesting machine, knowing ZERO about the network, broadcasts its request to 255.255.255.255. |
gordonb3 Apprentice
Joined: 01 Jul 2015 Posts: 185
Posted: Fri Mar 24, 2017 3:33 pm Post subject: |
The proper iptables rules to do this are:
Code: |
iptables -t nat -A PREROUTING -p tcp -d ${WAN_IP} -s ${LAN_NET} --dport 80 -j DNAT --to-destination ${INTERNAL_IP}
iptables -t nat -A POSTROUTING -p tcp -d ${INTERNAL_IP} -s ${LAN_NET} --dport 80 -j MASQUERADE
|
Yes, this will require that you reload your firewall rules when the external IP changes. You can do this by adding a DHCP exit hook.
Alternative:
If you use dnsmasq as your internal DHCP and DNS server, you can make that include a secondary hosts file ('addn-hosts') in which you map your ddns names straight to the internal server. |
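As an added example (not code from any poster in this thread), the script below packages the two fixes discussed here so they can be checked before touching a live router: it prints gordonb3's hairpin NAT rule pair (with an added `-i LAN_IF` match so only packets that really arrive on the LAN are rewritten), prints the dnsmasq lines for the addn-hosts alternative, and classifies an nslookup transcript like the ones cowboy0629 posted from GW2 to show whether a LAN client is even asking the gateway resolver. Interface, LAN range and gateway address are assumed from the thread; 203.0.113.7 stands in for the public IP, and /etc/dnsmasq.lan.hosts is an assumed file name.

```shell
#!/bin/sh
# Dry-run helper: nothing here calls iptables or edits files, it only prints.
# Assumed from the thread: LAN enp17s0 = 192.168.0.0/24, gateway and web server 192.168.0.1.

# Print the hairpin NAT pair for one TCP port.
# Usage: hairpin_nat_rules LAN_IF LAN_NET WAN_IP INTERNAL_IP PORT
hairpin_nat_rules() {
    lan_if=$1; lan_net=$2; wan_ip=$3; internal_ip=$4; port=$5
    # Rewrite the destination before routing: a LAN client dialled the public IP,
    # send it to the internal server instead. "-i" keeps WAN-origin packets out of this rule.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$lan_if" "$lan_net" "$wan_ip" "$port" "$internal_ip"
    # Rewrite the source so the server answers the router, not the client directly;
    # a reply from an address the client never contacted gets reset. Not needed when
    # the server is the router itself, as in this thread. The public IP changes with
    # every PPPoE session, so regenerate these rules whenever it does.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$lan_net" "$internal_ip" "$port"
}

# Print the dnsmasq configuration for the addn-hosts alternative.
# Usage: dnsmasq_split_horizon GATEWAY_IP HOSTS_FILE NAME...
dnsmasq_split_horizon() {
    gw=$1; hosts_file=$2; shift 2
    echo "# /etc/dnsmasq.conf additions"
    echo "addn-hosts=$hosts_file"
    # Hand the gateway out as DNS server via DHCP; otherwise clients keep asking
    # 8.8.8.8 directly (as in the posted transcripts) and never see the hosts file.
    echo "dhcp-option=option:dns-server,$gw"
    echo "# $hosts_file"
    for name in "$@"; do
        echo "$gw $name"
    done
}

# Classify an nslookup transcript captured on a LAN client (read from stdin).
# Usage: classify_lookup GATEWAY_IP LAN_SERVER_IP
# Prints "resolver=<gateway|other> answer=<lan|public>".
classify_lookup() {
    awk -v gw="$1" -v srv="$2" '
        $1 == "Server:" { resolver = $2 }
        $1 == "Name:"   { in_answer = 1 }          # first Address: line is the server, skip it
        in_answer && $1 == "Address:" { answer = $2 }
        END {
            r = (resolver == gw) ? "gateway" : "other"
            a = (answer == srv) ? "lan" : "public"
            printf "resolver=%s answer=%s\n", r, a
        }'
}

# Turn the classification into the next step for this thread's setup.
# Usage: diagnose GATEWAY_IP LAN_SERVER_IP   (transcript on stdin)
diagnose() {
    case $(classify_lookup "$1" "$2") in
        "resolver=gateway answer=lan")
            echo "ok: client uses the gateway resolver and gets the LAN address" ;;
        "resolver=gateway answer=public")
            echo "dnsmasq is consulted but has no entry: add addn-hosts, or use hairpin NAT" ;;
        *)
            echo "client bypasses dnsmasq: a hosts entry on the gateway is never seen; push option:dns-server via DHCP, or use hairpin NAT" ;;
    esac
}

# Constructed transcript, same shape as the ones posted from GW2 (public IP is a placeholder).
SAMPLE_LOOKUP='Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
Name:     needfulthings.ddns.net
Address:  203.0.113.7'

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_LOOKUP" | diagnose 192.168.0.1 192.168.0.1
hairpin_nat_rules enp17s0 192.168.0.0/24 203.0.113.7 192.168.0.1 80
dnsmasq_split_horizon 192.168.0.1 /etc/dnsmasq.lan.hosts needfulthings.ddns.net cowboy0629.ddns.net
```

On the thread's own transcripts the verdict is the third branch: both GW1 and GW2 resolve through 8.8.8.8, so neither the gateway's /etc/hosts nor an addn-hosts file is ever consulted until clients are pointed at 192.168.0.1.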
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Mon Mar 27, 2017 5:29 am Post subject: |
cboldt wrote: | Thanks for the details on network setup.
That suggested iptables setup above has a couple of big mistakes in it. The "-d ${LAN}" parameter will throw an error.
"-d" is "destination IP [address] or network [address]". Your LAN is 192.168.0/24
"-i" is "interface [device]".
Seeing as how you have two separate interface devices, the port opening firewall rules for gw1 (this is the only machine that has two interface devices) according to the example should be ...
Code: | # basic rules for accessing the internet and the server from your lan
iptables -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${LAN} -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT |
Those port rules assume you use port 22 for sshd, and also don't have an opening for https.
Also, gw1 is doing DNS for packets sent to IT (192.168.0.1), and is doing DHCP for the rest of the network, so it needs to open ports for those services to work. DNS queries are sent to port 53 of a definite single IP address (the nameserver machine). DHCP is a little more complicated, but opening ports 67 and 68 gets the job done. DHCP is a little more complicated because the requesting machine, knowing ZERO about the network, broadcasts its request to 255.255.255.255. |
Darn, thank you, you're right. I overlooked this as I wrote it (note to self: only do one thing at a time...)
greets, bb _________________ Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB |