
Linux router question...please help!


etonic

ISP
May 24, 2007
Hi,

I have a linux router and I run a web server behind it as well as use the NAT-ing for web surfing from behind the firewall.
The web server is accessible on port 80 through the linux router/NAT from Internet only. I cannot access it from the local LAN. I can only access it if I go directly to the server's IP address.
I can't figure out what would be the rule in my IPTABLES to forward or redirect traffic incoming from 192.168.1.0/0 to the external interface and back to my 192.168.1.x which is my web server.
I know I could set my host file to do that on all my workstations but I would rather not.
Thank you
 
Hi,

Here's what is relevant. I hope this helps. Thanks

Code:
-A PREROUTING -d EXTERNALIP -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.115:80
-A POSTROUTING -o eth3 -j MASQUERADE
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
 
Why would local LAN traffic go out through your router and back in again? Wiring schematics would be good too. The only thing that comes to mind is that your web server is configured (iptables) to only accept traffic from your router and nothing else.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
It sounds like a DNS problem. Try accessing the web server directly with its ip address.
If your clients' gateway is set to the linux router, and your iptables policies are set to DROP, then you will go through the router for every DNS request, unless you have an internal DNS authority that tells your client to look for a class C address (which you seem to be using).

Solution is to create a master zone in named.conf for your internal network and make sure that DNS requests for the web server, when coming from inside the LAN, are redirected to the web server's LAN address.


QatQat



If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
First of all I want to thank everyone who replied.

Let me clarify a couple of things first:
I have a domain name that is pointing to my external IP address. I am running my own DNS server. My web server does NOT run iptables or any type of firewall and it is directly accessible via its IP address without any problems from the internal LAN of course. The web server is accessible through the router from the Internet like I mentioned before.
Now, when I access the server from my local LAN and try to go to it, the request goes to my DNS server, which replies with my EXTERNAL IP address (which is normal), and that should be routed to the internal IP of my server instead (transparently).
What I need here is the one iptables line that would take incoming requests to A.B.C.D (my external IP) coming from my local LAN 192.168.1.0/24 and forward them to my web server's internal IP address 192.168.1.115.

I really know what I'm doing, I just can't figure out this one part. What I need here is expert input.

Any help is welcomed!

Thank you all!
 
Your own DNS server serving your own internal clients should return INTERNAL ADDRESSES for INTERNAL MACHINES. This brings about the question whether your DNS server is configured as a FORWARDER or a MASTER? QatQat may have hit the nail on the head on this one.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
Yup, now I am sure.

You have to create your internal zone file that points your clients to the INTERNAL address when querying the web server from inside.

so what you can do is the following

edit /var/named/chroot/etc/named.conf

add an entry for your internal zone
Code:
zone "mywebsite.com" IN {
        type master;
        file "mywebsite.com.zone";
        allow-update { none; };
};

create a zone file in /var/named/chroot/var/named called mywebsite.com.zone similar to this one

Code:
$TTL    86400
; SOA: primary name server for the zone and the admin mailbox (root@linuxDNSserver.mywebsite.com)
@       IN      SOA     linuxDNSserver.mywebsite.com. root.linuxDNSserver.mywebsite.com. (
                        2007040128      ; serial, increase it on every change
                        3H              ; refresh
                        5M              ; retry
                        1W              ; expire
                        1M )            ; negative cache TTL

; name server for the internal zone
@       IN      NS      linuxDNSserver.mywebsite.com.

; address record for the name server itself, otherwise named warns that the NS has no address
linuxDNSserver  IN      A       your.linux.DNS.server.IPAddress

@       IN      A       your.linux.DNS.server.IPAddress

; www is an alias for the web server's real host name
www     IN      CNAME   realname.mywebsite.com.

; the web server, with its INTERNAL address
realname  IN      A       192.168.1.115

make sure that you replace realname with the real name of your web server and you put its INTERNAL IP address where I indicated.

You then reconfigure clients to send DNS queries to the new DNS server and you should be OK.

Cheers

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
Hi everybody. Thanks again for all the input.
I would much rather go with a router solution (forward or redirection) than a DNS one. I run several subdomains and the DNS solution is just not what I am looking for.

If anyone out there knows the iptables solution to this, I would appreciate any reply.

Thanks again to all!
 
The DNS road is the correct one; shortcuts are not very wise when involving a firewall. Anyway, a few considerations on your preferred Iptables route.

What you are asking is either to query, from an internal IP address, your web server's external address, to then go out from your gateway and get back in, or to make sure that when querying port 80 on your external webserver's address, the client be redirected to an internal address.

The latter one requires you to have IP-forward enabled otherwise your external ip address will not be visible on the router's internal interface.

assuming that your internal interface is eth0 and external is eth1 and your external ipaddr is 196.xxx.xxx.xxx and your webserver's internal address is 192.168.1.115 you can try the following (but I am not sure it works)

Code:
iptables -t nat -A PREROUTING -i eth0 -d 196.xxx.xxx.xxx -p tcp --dport 80 -j DNAT --to-destination 192.168.1.115:80

according to your forward policy you may or may not need the following
Code:
iptables -A FORWARD -i eth0 -d 196.xxx.xxx.xxx -p tcp --dport 80 -j ACCEPT

It is not very orthodox to do this and here are a few drawbacks:

First of all, it will only work if you are using a static external IP address. Second, I have doubts about host headers working correctly on your web server, which means that you may only be allowed to view the default website on your web server.
Finally, you may probably need to prevent your firewall from masquerading, which is not very safe at all. It all depends on whether you have specified an interface or not in your postrouting MASQUERADE line.

The other option, to just allow traffic going out and back in again to query a server that is sitting on your network, is bandwidth inefficient and, on a sound iptables setup, it is not allowed, to prevent all sorts of spoofing attempts.


Try the first solution out but I repeat, setting up an internal DNS server is no big issue and it is a way more elegant solution.




QatQat



If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
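The DNAT line on its own is not enough for the LAN case, which is why "I am not sure it works" is the right caveat: the web server would answer the client directly from 192.168.1.115, while the client expects the reply from the external address, so the handshake never completes. The missing piece is a source NAT on the same hairpinned flow. The following script is an added example of a complete hairpin NAT (NAT loopback) rule set; it is not the original poster's or QatQat's configuration. The LAN interface name eth0, the external address 203.0.113.10 (a documentation-range stand-in for A.B.C.D) and the IPTABLES dry-run variable are assumptions made for the example; 192.168.1.0/24 and 192.168.1.115 are the thread's own values.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) so LAN clients can reach the web server through
# the router's external address. Added example, not the thread's own config.
#
# Assumptions (constructed for the example): the router's LAN side is eth0 and
# the external address is 203.0.113.10. LAN network and web server address are
# the thread's values. Override any of them from the environment.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IP="${EXT_IP:-203.0.113.10}"
WEB_IP="${WEB_IP:-192.168.1.115}"
WEB_PORT="${WEB_PORT:-80}"

# Dry run by default: print each iptables argument list instead of running it.
# Apply for real (as root) with: IPTABLES=iptables ./hairpin.sh
dry_run() { printf '%s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"

run() { $IPTABLES "$@"; }

apply_hairpin_nat() {
    # 1. DNAT (nat table, not filter): a LAN client connecting to the external
    #    address on the web port is rewritten to the web server's internal
    #    address. Matching on the LAN interface and LAN source keeps this rule
    #    separate from the Internet-facing DNAT rule already in PREROUTING.
    run -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXT_IP" \
        -p tcp --dport "$WEB_PORT" -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 2. Source NAT on that same flow: MASQUERADE on the LAN interface gives the
    #    hairpinned packet the router's LAN address as source, so the web server
    #    replies to the router, which un-NATs the reply back to the client.
    #    Scoped to LAN traffic already DNATed to the web server, nothing else;
    #    the general "-o <external if> MASQUERADE" rule is untouched.
    #    Trade-off: the web server's logs show the router's LAN address for
    #    every internal client instead of the real client address.
    run -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport "$WEB_PORT" -j MASQUERADE

    # 3. Filter table: allow the hairpinned connection in and out of the same
    #    interface. Replies need an ESTABLISHED,RELATED (or equivalent) accept
    #    rule; the thread's "-s 192.168.1.0/24 -j ACCEPT" already covers both
    #    directions, so this rule only matters under a bare DROP policy.
    run -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$WEB_IP" \
        -p tcp --dport "$WEB_PORT" -j ACCEPT
}

apply_hairpin_nat
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -t nat -L POSTROUTING -n -v` show per-rule packet counters; a connection from a LAN client to the external address should increment both new rules, and `sysctl net.ipv4.ip_forward` must report 1 (it already does on a router that is NATing today).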
 