Gentoo Forums :: Networking & Security
cant see hosted website inside network
thetroyv
Apprentice
Joined: 04 Sep 2005
Posts: 159
Location: new england
PostPosted: Sat Feb 25, 2006 2:34 am    Post subject: cant see hosted website inside network

hi there
I'm running a Linux gateway with iptables and DHCP, and behind that a Linux webserver running Apache.
It seems everything's working, except if you hit my website from inside the LAN: no go; from outside the LAN it works.
I also plan to set up qmail, so I want to make sure everything's working.

my current iptables commands are

# masquerade everything leaving on the WAN interface (eth0)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# forward anything arriving on the LAN interface (eth1)
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# send port 80 on the public IP to the internal web server
# (no --in-interface, so LAN clients addressing the public IP match too)
iptables -t nat -A PREROUTING -p tcp -d 24.229.138.220 --dport 80 -j DNAT --to 192.168.0.254:80
# turn on routing between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

Any idea why I can't hit 24.229.138.220 inside my LAN?

Could this interfere when I install a mail server and things like Movable Type?

Maybe this has to do with entries in /etc/hosts?

Any help would be great.
troy
ectospasm
l33t
Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA
PostPosted: Sat Feb 25, 2006 5:16 am

I've seen this before, and I couldn't figure out how to solve it (at least, when I tried to hit the external IP from within the LAN). The only workaround I found was to access the server from within the LAN by using its internal LAN address. So in your case, point your internal LAN browser to 192.168.0.254 instead of your external IP address. It should otherwise work the same. Now, if you were to use hostnames it gets trickier, since at your DNS (or DNS proxy) you have to tell all internal LAN requests for that specific host to hit the internal IP address of the server.
_________________
Join the adopt an unanswered post initiative today
Join the EFF!
Join the Drug Policy Alliance!
pteppic
l33t
Joined: 28 Nov 2005
Posts: 781
PostPosted: Sat Feb 25, 2006 7:25 am

I have the same problem, only magnified, as I have name-based virtual servers running, so internal access via a server's LAN IP is next to useless.
I got round it by running BIND to resolve my real hostname to a local address. I even have the mail server set up to a different address, with the added bonus of a DNS cache, but /etc/hosts entries worked just as well; I just got bored adding them.

I would have expected your iptables DNAT rule to work though, but obviously it doesn't. Try it additionally with -d 127.0.0.1 or the LAN address of the firewall; I can't help but think that it's decided to resolve to the firewall machine before iptables sees the true destination. tcpdump is your friend here.
magic919
Advocate
Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK
PostPosted: Sun Feb 26, 2006 1:12 am

The problem is the PREROUTING DNAT rule. It will work fine for the external interface (WAN) but will cause problems for clients on the LAN. This is because the LAN client sends off its packets to 24.x.x.x, the server gets them, sees them and replies, and then the client machine gets confused: it talks to 24.x.x.x but gets replies from 192.168.0.254 and can't connect the two.

The simplest thing I can come up with would be a third NIC and hang the server off that. Stick it on a different IP subnet.
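What magic919 describes is the NAT hairpin (NAT loopback) case, and the usual fix on a Linux gateway does not need a third NIC: besides the DNAT, add a POSTROUTING SNAT rule for redirected connections that came from the LAN, so the server replies to the gateway rather than straight to the client. The script below is an added example, not configuration from the original post or from Gentoo. It reuses the thread's interface names and addresses (eth0 WAN, eth1 LAN, public IP 24.229.138.220, web server 192.168.0.254) and assumes the gateway's LAN address is 192.168.0.1 on 192.168.0.0/24. Run without arguments it only prints the rules it would install; `sh hairpin.sh apply` as root installs them.

```shell
#!/bin/sh
# Added example: hairpin NAT on a Linux gateway so LAN clients can reach the
# web server through its public address. Interface names and the public and
# server addresses come from the thread; LAN_NET and GW_LAN_IP are assumptions.
set -eu

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=24.229.138.220
SERVER_IP=192.168.0.254
LAN_NET=192.168.0.0/24          # assumed LAN subnet
GW_LAN_IP=192.168.0.1           # assumed LAN address of the gateway (eth1)

MODE=${1:-print}                # "apply" runs iptables; anything else prints

# Run or print an iptables command depending on MODE, so the ruleset can be
# reviewed without root.
ipt() {
    if [ "$MODE" = apply ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit the complete ruleset (flush first so re-running is idempotent).
hairpin_rules() {
    ipt -t nat -F
    ipt -F FORWARD

    # Outbound LAN traffic is masqueraded behind the public address, as in the
    # original post.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Port forward: anything addressed to the public IP on port 80 goes to the
    # web server. Deliberately no -i "$WAN_IF", so LAN clients that use the
    # public address are redirected as well.
    ipt -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$SERVER_IP:80"

    # Hairpin: for a redirected connection that came from the LAN and leaves
    # again on the LAN interface, also rewrite the source to the gateway. The
    # server then answers the gateway, conntrack reverses both translations,
    # and the client sees its SYN-ACK coming from 24.229.138.220 as expected.
    # Without this the server answers the 192.168.0.x client directly from
    # 192.168.0.254 and the client discards a reply it never asked for.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$GW_LAN_IP"

    # Forward only what is needed instead of relying on the default ACCEPT
    # policy of the FORWARD chain, which the original rules never changed.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

if [ "$MODE" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
hairpin_rules
```

The price of hairpinning is that Apache's access log shows the gateway's LAN address (192.168.0.1 here) for every internal visitor instead of the real client, which is one reason the split-DNS workaround given earlier in the thread (BIND or /etc/hosts resolving the public hostname to 192.168.0.254 inside the LAN) is often preferred, especially with name-based virtual hosts. To confirm the hairpin is working, run tcpdump on eth1 of the gateway while a LAN client connects to the public IP: the SYN forwarded to 192.168.0.254:80 should carry source 192.168.0.1, and the SYN-ACK should come back to 192.168.0.1, not to the client.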
ectospasm
l33t
Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA
PostPosted: Sun Feb 26, 2006 1:33 am

magic919 wrote:
The simplest thing I can come up with would be a third NIC and hang the server off that. Stick it on a different IP subnet.

That's what you're supposed to do anyway; it's called a DMZ (demilitarized zone)... Outsiders can get to the DMZ, but they shouldn't get to your LAN. It's more work to set up, however, so a lot of people don't do it.
thetroyv
Apprentice
Joined: 04 Sep 2005
Posts: 159
Location: new england
PostPosted: Sun Feb 26, 2006 1:38 am

Hmm, well I already tried hitting the LAN IP of the machine and it worked...

If no one has a solution (I don't feel like putting a third NIC in there :wink: ), how should I set up my mail server and Movable Type and stuff? I don't know all that much about mail servers, so I need some help here.
Could somebody give me the requirements to get the mail server working?
(Like what do I put in when it says server address: my external IP? My LAN IP?)

Thanks for helping me learn :D
thetroyv
Apprentice
Joined: 04 Sep 2005
Posts: 159
Location: new england
PostPosted: Sun Feb 26, 2006 10:53 pm

anybody?
ectospasm
l33t
Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA
PostPosted: Mon Feb 27, 2006 4:09 am

thetroyv wrote:
How should I set up my mail server and Movable Type and stuff? I don't know all that much about mail servers, so I need some help here.
Could somebody give me the requirements to get the mail server working?
(Like what do I put in when it says server address: my external IP? My LAN IP?)

Thanks for helping me learn :D

All of this depends directly on which mail server you have chosen to use. Are you using Postfix? Sendmail? qmail? Something else?
thetroyv
Apprentice
Joined: 04 Sep 2005
Posts: 159
Location: new england
PostPosted: Mon Feb 27, 2006 2:32 pm

Postfix.

Basically, could someone give me a sample of how I should configure one of my conf files?

That would be great :D
ectospasm
l33t
Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA
PostPosted: Mon Feb 27, 2006 3:52 pm

If you dig around on the Postfix site I linked to, and look at the Postfix wiki (linked from the main Postfix site), you should be able to find a solution that works for you. We can't do your research for you. And it won't hurt to try something; if it doesn't work, try something else. That's the way it goes.
thetroyv
Apprentice
Joined: 04 Sep 2005
Posts: 159
Location: new england
PostPosted: Mon Feb 27, 2006 11:15 pm

Alright, thanks.
I thought mail servers were pretty picky, so you should get it right the first time, but I'll try some things.

And I thought if anybody had the same problem, they could just tell me what they did, not like research it for me. :wink:

Thanks for the help!
ectospasm
l33t
Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA
PostPosted: Mon Feb 27, 2006 11:55 pm

thetroyv wrote:
Alright, thanks.
I thought mail servers were pretty picky, so you should get it right the first time, but I'll try some things.

ALL of the mail servers suggest you get the bare-bones functionality working first, and configure/add functionality as you go. Trying to do too much at one time will lead you to a non-working server, and you'll have no clue where to go to fix it. Baby steps are your friend.