* LAN Port forwarding with a dynamic IP address
@ 2005-10-21 11:00 Zac Hansen
  2005-10-23  5:19 ` Grant Taylor
  0 siblings, 1 reply; 4+ messages in thread
From: Zac Hansen @ 2005-10-21 11:00 UTC (permalink / raw)
  To: netfilter

I have a single, dynamic IP address. I have multiple boxes behind a linux
router, one of which runs a web server on port 80. I have set up rules (a
PREROUTING and a FORWARD rule) to let people outside my LAN deal see my web
server. The problem is that the boxes on my LAN can't see them.

I really don't want to hardcode my external IP address into any rules and I
don't want to do any DNS work to make the LAN boxes look up the actual
server's LAN IP address directly.

Can I get my LAN boxes to see my web site and not do the things I don't want
to do?

Thanks.

--Zac


* RE: LAN Port forwarding with a dynamic IP address
@ 2005-10-21 12:40 Derick Anderson
  2005-10-22  9:02 ` George Alexandru Dragoi
  0 siblings, 1 reply; 4+ messages in thread
From: Derick Anderson @ 2005-10-21 12:40 UTC (permalink / raw)
  To: Zac Hansen, netfilter


> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Zac Hansen
> Sent: Friday, October 21, 2005 7:00 AM
> To: netfilter@lists.netfilter.org
> Subject: LAN Port forwarding with a dynamic IP address
> 
> I have a single, dynamic IP address. I have multiple boxes 
> behind a linux router, one of which runs a web server on port 
> 80. I have set up rules (a PREROUTING and a FORWARD rule) to 
> let people outside my LAN deal see my web server. The problem 
> is that the boxes on my LAN can't see them.
> 
> I really don't want to hardcode my external IP address into 
> any rules and I don't want to do any DNS work to make the LAN 
> boxes look up the actual server's LAN IP address directly.
> 
> Can I get my LAN boxes to see my web site and not do the 
> things I don't want to do?
> 
> Thanks.
> 
> --Zac

Your internal boxes will never see the website unless you add internal
DNS, do something extremely complicated with scripts and routing and
mangling of packets, or go with a three-legged setup. The reason for
this is that without manipulation, a router will never send a packet
*out* through the same interface it came *in* on. 

What you want is for your internal LAN boxes to send a packet destined
to your dynamic external IP to your firewall's LAN interface and for
your firewall to say, "Hey, that server is actually <internal IP>! Let's
bounce this packet there!" after which it would mangle the destination
IP to be the internal IP and send it back. Also, you have to convince
the kernel's routing functions to take a packet which has nothing to do
with that machine and send it on to your internal webserver for every
request since your internal LAN boxes will always believe the web server
is at the external IP.

I'm sure it can be done, but internal DNS is much easier, believe me.

Derick Anderson



* Re: LAN Port forwarding with a dynamic IP address
  2005-10-21 12:40 Derick Anderson
@ 2005-10-22  9:02 ` George Alexandru Dragoi
  0 siblings, 0 replies; 4+ messages in thread
From: George Alexandru Dragoi @ 2005-10-22  9:02 UTC (permalink / raw)
  To: Derick Anderson; +Cc: netfilter

Do a SNAT on the LAN interface for packets that go to the private IP of the
webserver with source IP $LAN/$MASK. Something like:

lan=eth1
ipl=192.168.0.1
web=192.168.0.10
net=192.168.0.0/24
iptables -t nat -A POSTROUTING -o $lan -p tcp --dport 80 -d $web -s $net -j SNAT --to $ipl

And a router will send packets wherever the routing table says. Only rp_filter
can drop some of them (not in your case).

 On 10/21/05, Derick Anderson <danderson@vikus.com> wrote:
>
>
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Zac Hansen
> > Sent: Friday, October 21, 2005 7:00 AM
> > To: netfilter@lists.netfilter.org
> > Subject: LAN Port forwarding with a dynamic IP address
> >
> > I have a single, dynamic IP address. I have multiple boxes
> > behind a linux router, one of which runs a web server on port
> > 80. I have set up rules (a PREROUTING and a FORWARD rule) to
> > let people outside my LAN deal see my web server. The problem
> > is that the boxes on my LAN can't see them.
> >
> > I really don't want to hardcode my external IP address into
> > any rules and I don't want to do any DNS work to make the LAN
> > boxes look up the actual server's LAN IP address directly.
> >
> > Can I get my LAN boxes to see my web site and not do the
> > things I don't want to do?
> >
> > Thanks.
> >
> > --Zac
>
> Your internal boxes will never see the website unless you add internal
> DNS, do something extremely complicated with scripts and routing and
> mangling of packets, or go with a three-legged setup. The reason for
> this is that without manipulation, a router will never send a packet
> *out* through the same interface it came *in* on.
>
> What you want is for your internal LAN boxes to send a packet destined
> to your dynamic external IP to your firewall's LAN interface and for
> your firewall to say, "Hey, that server is actually <internal IP>! Let's
> bounce this packet there!" after which it would mangle the destination
> IP to be the internal IP and send it back. Also, you have to convince
> the kernel's routing functions to take a packet which has nothing to do
> with that machine and send it on to your internal webserver for every
> request since your internal LAN boxes will always believe the web server
> is at the external IP.
>
> I'm sure it can be done, but internal DNS is much easier, believe me.
>
> Derick Anderson
>
>


--
Bla bla
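
A complete "hairpin NAT" ruleset along the lines George describes, as an added example that is not part of the thread or anyone's posted configuration. Interface names and addresses are constructed for illustration. It goes beyond the single SNAT rule above in two ways: it adds the matching DNAT rules, using the iptables addrtype match (`-m addrtype --dst-type LOCAL`) so the public address never has to be written into a rule, and it limits the SNAT to connections that were actually DNATed (`-m conntrack --ctstate DNAT`) so the server still sees real client addresses for LAN clients that connect to its private IP directly. By default the script only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Hairpin ("NAT loopback") for a web server behind a Linux router whose
# external address changes. Added example, not from the original thread;
# the interface names and addresses below are constructed.
set -eu

lan=eth1                 # LAN-facing interface of the router (assumed)
wan=eth0                 # Internet-facing interface (assumed)
ipl=192.168.0.1          # router's LAN address (assumed)
web=192.168.0.10         # internal web server (assumed)
net=192.168.0.0/24       # LAN subnet (assumed)

# Dry run by default: only print the commands. Run as root with IPT=iptables
# to actually install the rules.
IPT="${IPT:-echo iptables}"

hairpin_rules() {
    # 1. Inbound from the Internet: the ordinary port forward. Matching on
    #    the interface instead of on the public IP means no address to update.
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport 80 \
        -j DNAT --to-destination "$web"

    # 2. The same forward for LAN clients that address the public IP.
    #    "--dst-type LOCAL" matches any address configured on the router
    #    itself, whatever the ISP hands out today. The router's own LAN
    #    address is excluded so a management page on the router stays
    #    reachable on port 80.
    $IPT -t nat -A PREROUTING -i "$lan" ! -d "$ipl" -p tcp --dport 80 \
        -m addrtype --dst-type LOCAL -j DNAT --to-destination "$web"

    # 3. The SNAT from the thread, narrowed to flows that rule 2 rewrote.
    #    The server must answer through the router: a LAN client that opened
    #    a connection to the public IP would discard a reply coming straight
    #    from $web. Direct LAN-to-$web connections are left untouched, so the
    #    server logs keep the real client address for those.
    $IPT -t nat -A POSTROUTING -o "$lan" -s "$net" -d "$web" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$ipl"

    # 4. Let exactly this forwarded traffic through the filter table.
    $IPT -A FORWARD -d "$web" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$web" -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables commands the dry run emits; handy as a sanity check
# before switching IPT to the real binary.
rule_count() {
    hairpin_rules | grep -c '^iptables '
}

hairpin_rules
```

Packet forwarding (net.ipv4.ip_forward=1) is assumed to be enabled already, as it must be for Zac's existing PREROUTING and FORWARD rules to work. Rule 2 only touches port 80, so no other service bound to the router's addresses is redirected; if the router also serves HTTP on its LAN address, the `! -d "$ipl"` exclusion keeps that reachable.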


* Re: LAN Port forwarding with a dynamic IP address
  2005-10-21 11:00 LAN Port forwarding with a dynamic IP address Zac Hansen
@ 2005-10-23  5:19 ` Grant Taylor
  0 siblings, 0 replies; 4+ messages in thread
From: Grant Taylor @ 2005-10-23  5:19 UTC (permalink / raw)
  To: Zac Hansen; +Cc: netfilter

Zac Hansen wrote:
> I have a single, dynamic IP address. I have multiple boxes behind a linux
> router, one of which runs a web server on port 80. I have set up rules (a
> PREROUTING and a FORWARD rule) to let people outside my LAN deal see my web
> server. The problem is that the boxes on my LAN can't see them.
> 
> I really don't want to hardcode my external IP address into any rules and I
> don't want to do any DNS work to make the LAN boxes look up the actual
> server's LAN IP address directly.
> 
> Can I get my LAN boxes to see my web site and not do the things I don't want
> to do?

You might be able to use one of the Layer 7 filters to match the traffic that is actually destined for your server via the HTTP GET line, but I think this would be after the connection is made.

The other option that comes to mind would be to set up some sort of proxy server (Squid in reverse proxy mode) that your clients or the world would issue the request to, and have it handle the routing of sending the request to the box that is really servicing the request.



Grant. . . .


