vayn2004 (n00b)
Joined: 23 Nov 2004 Posts: 23 Location: Indiana University
Posted: Mon Jan 10, 2005 4:04 am Post subject: accessing external IP from internal network
OK, I have an iptables question.
I am running a webserver on my home network. I have it port forwarded to the internet on my firewall machine using iptables.
Now I am trying to run some blogging software on it, and use it on the machine that is hosting it as well as from other locations via the internet.
My problem is that when I use it on the local machine, I get an error because it is trying to access itself from my external IP.
My question is: does anyone know if you can set iptables so that you can access your external IP from your internal network, kind of like a loopback, and if so, what would the rule look like?
Ateo (Advocate)
Joined: 02 Jun 2003 Posts: 2022 Location: Vegas Baby!
Posted: Mon Jan 10, 2005 6:57 am
This can't be done. You'll need to add your webserver to your /etc/hosts file. The reason: a router's job (which is what ipchains does) is to route from one network to another network. A router cannot "route" within its own network. In a nutshell, a network interface cannot send a packet out the same way it came in....
There's an RFC on that unless it's been changed in recent times. Check an RFC database.
robdd (Tux's lil' helper)
Joined: 02 Jan 2005 Posts: 142 Location: Sydney Australia
Posted: Mon Jan 10, 2005 11:10 am
Sorry if this is too obvious, but why don't you just set up the web server to serve on two ports, say, 80 and 8080. Forward port 80 through your firewall (I guess you've already done that). Then if you want to connect from the local machine put in the same URL, but add the port number on the end:
http://localwebserver/somedisplay.html:8080
I know this doesn't answer the iptables question, and I always find I have trouble configuring apache anyway - but at least it gets you going.
Regards,
Rob Diamond
Gentoo Hack, hack, hacker
Sydney, Australia
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Jan 10, 2005 11:15 am
I can see why you have trouble configuring apache.
You must add the port after the hostname, and before any location information, like so:
http://myserver:8080/somedocument.html
Nothing else will work...
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Jan 10, 2005 11:28 am Post subject: Re: accessing external IP from internal network
vayn2004 wrote:
> OK, I have an iptables question.

Probably not, but read on...

vayn2004 wrote:
> I am running a webserver on my home network. I have it port forwarded to the internet on my firewall machine using iptables.

I think you mean you have forwarded port 80 from the Internet to your local network.

vayn2004 wrote:
> Now I am trying to run some blogging software on it, and use it on the machine that is hosting it as well as from other locations via the internet.

The blogging software?
I suppose you mean you are trying to access it from those locations...

vayn2004 wrote:
> My problem is that when I use it on the local machine, I get an error because it is trying to access itself from my external IP.

Well, actually, it is either one of two problems:
- you get an error saying that the host is unknown, or the address can't be found - an indication that you are trying to connect directly to an outside IP.
- or, you get an error from the blogging software (or apache) itself, saying that the hostname isn't correct.
These two problems are actually quite different.
To solve the first, you have to edit /etc/hosts and add the internal IP address as well - on every machine from which you intend to edit your blog.
If the error is from apache, you have to change the IP addresses on which apache listens, or if it is already listening on the local LAN, set up decent DNS internally to forward to that box on the correct hostname.
Easiest solution is to set up internal DNS, in my view - since it solves both problems, and any others you may encounter in the future...

vayn2004 wrote:
> My question is: does anyone know if you can set iptables so that you can access your external IP from your internal network, kind of like a loopback, and if so, what would the rule look like?

No, this has nothing to do with iptables - as I already indicated ;-)
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
nielchiano (Veteran)
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
Posted: Mon Jan 10, 2005 1:47 pm
Ateo wrote:
> This can't be done. You'll need to add your webserver to your /etc/hosts file. The reason: a router's job (which is what ipchains does) is to route from one network to another network. A router cannot "route" within its own network. In a nutshell, a network interface cannot send a packet out the same way it came in....
> There's an RFC on that unless it's been changed in recent times. Check an RFC database.

Almost true. Only iptables isn't a router, it's a FIREWALL, and you can do lots of stuff with that, including things which are "not allowed" for routers (changing payload etc.).
I read somewhere how to do it, but can't find it right now. It boils down to:
DNAT incoming packets; SNAT incoming packets from INTERNAL clients.
That way both ends are happy.
vayn2004 (n00b)
Joined: 23 Nov 2004 Posts: 23 Location: Indiana University
Posted: Tue Jan 11, 2005 3:51 am
Actually none of what anyone has suggested will work for my configuration.
All of the blogging package scripts know it by the IP, which is my external IP, since I don't have a domain name. It has to use that to work when I access it from the external world. That means there is no DNS... I'm not using any name.
My wording may be a bit technically erroneous, but what I was asking for was accurate, which is if there is any way to access the site from the external world and my network via the same IP... my external IP. That's the only way it will work.

Quote:
> DNAT incoming packets; SNAT incoming packets from INTERNAL clients.
> That way both ends are happy.

This is about the best lead I have to do what I need. I'll look into it, and if anyone can help me figure this out it would be a big help.
nielchiano (Veteran)
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
Posted: Tue Jan 11, 2005 9:16 am
vayn2004 wrote:
> Quote:
> > DNAT incoming packets; SNAT incoming packets from INTERNAL clients.
> > That way both ends are happy.
>
> This is about the best lead I have to do what I need. I'll look into it, and if anyone can help me figure this out it would be a big help.

try this (on the gateway) Code:
```shell
# nat table, before routing: connections to the external IP on port 80 (from the Internet
# or from the LAN) get their destination rewritten to the internal web server
iptables -t nat -A PREROUTING -d ext.er.nal.ip -p tcp --dport 80 -j DNAT --to-destination int.er.nal.ip
# nat table, after routing: POSTROUTING cannot match the input interface (-i) and the
# destination is already int.er.nal.ip here, so match the LAN source range (placeholder
# int.er.nal.net/24) and rewrite the source to the router's LAN address, so that the
# server's reply goes back through the router instead of straight to the client
iptables -t nat -A POSTROUTING -s int.er.nal.net/24 -d int.er.nal.ip -p tcp --dport 80 -j SNAT --to-source inter.nal.router.ip
```
I think that should do it.
vayn2004 (n00b)
Joined: 23 Nov 2004 Posts: 23 Location: Indiana University
Posted: Fri Jan 14, 2005 10:35 pm
So far I can't get this to work. I'm not sure I know how to adapt this to my firewall..
Here is the relevant section of my firewall script:
Code:
```shell
# Allow the forwarded services (DNATed below) in from the Internet to their internal hosts
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $ISSHIP --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $ISSHIP --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $IRDTIP --dport 3389 -j ACCEPT
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it
# Port forwards: rewrite the destination of inbound connections arriving on the external NIC
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 22 -j DNAT --to-destination $ISSHIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $ISSHIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to-destination $IRDTIP
```
Where:
$EXTIF is the NIC that has my internet IP
$INTIF is the NIC that connects to my network and has the IP address that is the gateway IP
$ISSHIP is the IP of my server that hosts my website and has ssh access
$IRDTIP is the IP of my windows machine and has remote desktop access.
The computer that corresponds to $ISSHIP is the machine that I need to be able to access itself via the external IP.
Seems I already have that first statement. So I think that I just need the SNAT statement, but I'm not sure how the variables resolve.
forbjok (Apprentice)
Joined: 21 May 2004 Posts: 207 Location: Hordaland, Norge
Posted: Sat Jan 15, 2005 12:47 am
Been there.
Check this out:
https://forums.gentoo.org/viewtopic.php?t=245680
The solution I posted there is not ideal, but it works.
A better solution may be to simply SNAT all packets destined for the external IP, coming from an internal interface.
Try this: (not tested personally.. almost 2AM here... so syntax may be wrong, but the basic idea should still be correct.)
Code:
```shell
# POSTROUTING cannot match the input interface (-i), so match the LAN source range instead
# (placeholder int.er.nal.net/24); by this point the PREROUTING DNAT rule has already
# rewritten the destination from ext.er.nal.ip to the internal server, so match on that.
iptables -t nat -A POSTROUTING -s int.er.nal.net/24 -d int.er.nal.ip -p tcp --dport 80 -j SNAT --to-source ext.er.nal.ip
```
Good luck :wink:
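The DNAT-plus-SNAT idea from nielchiano's and forbjok's replies, put together as one gateway script for vayn2004's layout (an added example, not code from any of the posters). It reuses the $EXTIF, $INTIF and $ISSHIP names from vayn2004's firewall script; EXT_IP, INTIF_IP and LAN_NET are assumed placeholder values, and rules are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for the setup in this thread: web server $ISSHIP behind a
# Linux gateway with $EXTIF (Internet side) and $INTIF (LAN side). Variable names follow
# vayn2004's script; EXT_IP, INTIF_IP and LAN_NET are assumed placeholders (documentation
# and private ranges), not values from the thread. Rules are printed unless DRY_RUN=0.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
EXT_IP=${EXT_IP:-203.0.113.10}      # public address held by the gateway on $EXTIF
ISSHIP=${ISSHIP:-192.168.1.10}      # internal web server
INTIF_IP=${INTIF_IP:-192.168.1.1}   # gateway's own LAN address
LAN_NET=${LAN_NET:-192.168.1.0/24}  # LAN range, which also contains $ISSHIP itself
DRY_RUN=${DRY_RUN:-1}

# Run iptables, or just print the command when DRY_RUN=1 (no root needed to review rules).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

hairpin_rules() {
    # 1. Internet clients: DNAT external port 80 to the server (vayn2004's script has this).
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to-destination "$ISSHIP"
    # 2. LAN clients (the server included) that use the public IP: same DNAT, matched on $INTIF.
    ipt -t nat -A PREROUTING -i "$INTIF" -d "$EXT_IP" -p tcp --dport 80 -j DNAT --to-destination "$ISSHIP"
    # 3. Only LAN-originated hairpin flows are SNATed to the gateway: the server then replies to
    #    the gateway, conntrack reverses both translations, and the client sees a reply from
    #    $EXT_IP as it expects. Internet clients keep their real source in the server's logs.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$ISSHIP" -p tcp --dport 80 -j SNAT --to-source "$INTIF_IP"
    # 4. The hairpin flow enters and leaves on $INTIF; a FORWARD policy keyed on -i $EXTIF -o $INTIF
    #    (as in the thread's script) never matches it, so allow the new connection and its replies.
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -d "$ISSHIP" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Self-check: exactly one SNAT rule, and it is scoped to the LAN range (never to Internet flows).
count_lan_scoped_snat() {
    (DRY_RUN=1; hairpin_rules) | grep -c -- "-A POSTROUTING -s $LAN_NET .* -j SNAT"
}

hairpin_rules
```

In vayn2004's script the two FORWARD rules have to go before the drop-and-log-it catch-all, since iptables matches rules in order.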