Gentoo Forums
Can't see domain name from within lan (webserver) [solved]
Forum: Networking & Security
padukes
Apprentice
Joined: 27 Feb 2003
Posts: 232
PostPosted: Thu Jan 27, 2005 3:30 am    Post subject: Can't see domain name from within lan (webserver) [solved]
Hey All,

I have a domain name which points to my NAT box which forwards to my apache box. If I'm outside my LAN and I use my domain name (www.x.com) everything works fine. However, if I am on the LAN the domain name does not work. I can successfully ping the domain name with no problem from within the LAN.

Any ideas?
Thanks,
P


Last edited by padukes on Thu Jan 27, 2005 7:36 pm; edited 1 time in total
moocha
Watchman
Joined: 21 Oct 2003
Posts: 5722
PostPosted: Thu Jan 27, 2005 5:01 am    Post subject:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET
Above-mentioned tutorial wrote:
You think this should be enough by now, and it really is, unless considering one final aspect to this whole scenario. What if the firewall itself tries to access the HTTP server, where will it go? As it looks now, it will unfortunately try to get to its own HTTP server, and not the server residing on $HTTP_IP. To get around this, we need to add a DNAT rule in the OUTPUT chain as well. Following the above example, this should look something like the following:

Code:
iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 -j DNAT \
--to-destination $HTTP_IP

padukes
Apprentice
Joined: 27 Feb 2003
Posts: 232
PostPosted: Thu Jan 27, 2005 3:40 pm    Post subject:
Hey moocha,

Thanks for the link. I followed its advice and have a setup similar to:

Code:

$iptables -A PREROUTING -t nat -p tcp -d $ext_ip --dport 80 -j DNAT --to-destination $PHOENIX:80
$iptables -A OUTPUT -t nat -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $PHOENIX
$iptables -A POSTROUTING -t nat -d $PHOENIX -p tcp --dport 80 -o eth1 -j SNAT --to $ext_ip


This worked, but the problem with this (as described in the article) is that the third line makes the webserver believe that every request is coming from the NAT box's IP. This is unacceptable for logging. They suggest something about a DMZ but don't give any details.

Does anyone have any ideas?
Thanks,
P
jbpros
Tux's lil' helper
Joined: 05 May 2004
Posts: 133
Location: Brussels, Belgium
PostPosted: Thu Jan 27, 2005 5:38 pm    Post subject:
There is a "clean" way to do that. If you are running your own internal DNS server you can add a zone for your internal nodes in which you make www.x.com point to the server's IP address (instead of the router's public one).

This is the method I'm using on several networks and it works very well.
padukes
Apprentice
Joined: 27 Feb 2003
Posts: 232
PostPosted: Thu Jan 27, 2005 6:29 pm    Post subject:
Cool. Unfortunately the closest I come to running my own DNS server is dnsmasq. Is there some magic I can do in a hosts file or routing table or something?

Thanks,
P
Zuti
Tux's lil' helper
Joined: 09 Jul 2003
Posts: 123
Location: The Netherlands
PostPosted: Thu Jan 27, 2005 7:11 pm    Post subject:
Would this do any good:

Code:
nano -w /etc/hosts

10.0.0.whatever www.x.com

(this works for me, but I'm on a single machine)
padukes
Apprentice
Joined: 27 Feb 2003
Posts: 232
PostPosted: Thu Jan 27, 2005 7:36 pm    Post subject:
Thanks Zuti (and everyone)!

Here's what I did:

0. Set up iptables:
Code:

$iptables -A PREROUTING -t nat -p tcp -d $ext_ip --dport 80 -j DNAT --to-destination $PHOENIX:80

This line forwards outside connections to the internal web server. You'll probably also have to allow these packets to navigate the FORWARD chain in the main table. You don't *need* any other DNAT or SNAT lines.

1. Add the line that Zuti describes to the /etc/hosts file on the dnsmasq box (in my case it's the same as the NAT box). Make sure you spell the domain correctly ;-)

2. Restart dnsmasq (so it will re-read the /etc/hosts file)

Now anyone inside and outside the LAN will be able to connect to the domain name.

One problem remains, which is that internally I can only use www.x.com. If I wanted to use x.com or blah.x.com I'd have to add additional entries to the /etc/hosts file. Does anyone know if there's any way to deal with this?

Thanks again!
P
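Added example, not code from the thread or from dnsmasq/iptables themselves: a POSIX sh script that prints the PREROUTING DNAT from the post above together with the FORWARD rules it says are needed, prints the single dnsmasq `address=` directive that resolves x.com and every name under it to the LAN server (jbpros' internal-zone idea done in dnsmasq, which also covers the subdomain question in the last post), and models that match offline. The addresses 203.0.113.10 and 10.0.0.5, the interfaces eth0/eth1 and the domain x.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All values are placeholders:
# 203.0.113.10 = NAT box public IP, 10.0.0.5 = LAN web server,
# eth0 = WAN interface, eth1 = LAN interface, x.com = the domain.

# Print the PREROUTING DNAT from the last post together with the two
# FORWARD rules it says are needed. Only TCP/80 to the web server is
# accepted, so the forward cannot expose other services on that host.
gen_nat_rules() {
  ext_ip=$1
  web=$2
  wan_if=$3
  lan_if=$4
  printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport 80 -j DNAT --to-destination %s:80\n' "$ext_ip" "$web"
  printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$wan_if" "$lan_if" "$web"
  printf 'iptables -A FORWARD -i %s -o %s -p tcp -s %s --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$lan_if" "$wan_if" "$web"
}

# Print the dnsmasq.conf directive that answers the domain and every name
# under it with the LAN address, so x.com, www.x.com and blah.x.com all
# resolve internally without one /etc/hosts entry per name.
gen_dnsmasq_split() {
  printf 'address=/%s/%s\n' "$1" "$2"
}

# Offline model of how address=/domain/ matches: the name must be the
# domain itself or end in ".domain". The leading dot matters: a plain
# suffix test would also capture look-alikes such as evil-x.com.
split_resolve() {
  name=$1
  domain=$2
  lan_ip=$3
  case "$name" in
    "$domain"|*".$domain") printf '%s\n' "$lan_ip" ;;
    *) printf 'upstream\n' ;;
  esac
}

# When run directly: show the generated rules, the config line and one lookup.
gen_nat_rules 203.0.113.10 10.0.0.5 eth0 eth1
gen_dnsmasq_split x.com 10.0.0.5
split_resolve blah.x.com x.com 10.0.0.5
```

dnsmasq never forwards queries under a domain given to `address=`, so any public record under x.com that must still resolve from the LAN (a mail host, for instance) needs its own local entry.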
All times are GMT