* LAN Port forwarding with a dynamic IP address
@ 2005-10-21 11:00 Zac Hansen
2005-10-23 5:19 ` Grant Taylor
0 siblings, 1 reply; 4+ messages in thread
From: Zac Hansen @ 2005-10-21 11:00 UTC (permalink / raw)
To: netfilter
I have a single, dynamic IP address. I have multiple boxes behind a linux
router, one of which runs a web server on port 80. I have set up rules (a
PREROUTING and a FORWARD rule) to let people outside my LAN deal see my web
server. The problem is that the boxes on my LAN can't see them.
I really don't want to hardcode my external IP address into any rules and I
don't want to do any DNS work to make the LAN boxes look up the actual
server's LAN IP address directly.
Can I get my LAN boxes to see my web site and not do the things I don't want
to do?
Thanks.
--Zac
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: LAN Port forwarding with a dynamic IP address
2005-10-21 11:00 LAN Port forwarding with a dynamic IP address Zac Hansen
@ 2005-10-23 5:19 ` Grant Taylor
0 siblings, 0 replies; 4+ messages in thread
From: Grant Taylor @ 2005-10-23 5:19 UTC (permalink / raw)
To: Zac Hansen; +Cc: netfilter
Zac Hansen wrote:
> I have a single, dynamic IP address. I have multiple boxes behind a linux
> router, one of which runs a web server on port 80. I have set up rules (a
> PREROUTING and a FORWARD rule) to let people outside my LAN deal see my web
> server. The problem is that the boxes on my LAN can't see them.
>
> I really don't want to hardcode my external IP address into any rules and I
> don't want to do any DNS work to make the LAN boxes look up the actual
> server's LAN IP address directly.
>
> Can I get my LAN boxes to see my web site and not do the things I don't want
> to do?
You might be able to use one of the Layer 7 filters to match the traffic that is actually destined for your server via the HTTP get line but I think this would be after the connection is made.
The other option that comes to mind would be to set up some sort of proxy (Squid in reverse proxy mode) server that your clients or the world would issue the request to and have it handle the routing of sending the request to the box that is really servicing the request.
Grant. . . .
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: LAN Port forwarding with a dynamic IP address
@ 2005-10-21 12:40 Derick Anderson
2005-10-22 9:02 ` George Alexandru Dragoi
0 siblings, 1 reply; 4+ messages in thread
From: Derick Anderson @ 2005-10-21 12:40 UTC (permalink / raw)
To: Zac Hansen, netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Zac Hansen
> Sent: Friday, October 21, 2005 7:00 AM
> To: netfilter@lists.netfilter.org
> Subject: LAN Port forwarding with a dynamic IP address
>
> I have a single, dynamic IP address. I have multiple boxes
> behind a linux router, one of which runs a web server on port
> 80. I have set up rules (a PREROUTING and a FORWARD rule) to
> let people outside my LAN deal see my web server. The problem
> is that the boxes on my LAN can't see them.
>
> I really don't want to hardcode my external IP address into
> any rules and I don't want to do any DNS work to make the LAN
> boxes look up the actual server's LAN IP address directly.
>
> Can I get my LAN boxes to see my web site and not do the
> things I don't want to do?
>
> Thanks.
>
> --Zac
Your internal boxes will never see the website unless you add internal
DNS, do something extremely complicated with scripts and routing and
mangling of packets, or go with a three-legged setup. The reason for
this is that without manipulation, a router will never send a packet
*out* through the same interface it came *in* on.
What you want is for your internal LAN boxes to send a packet destined
to your dynamic external IP to your firewall's LAN interface and for
your firewall to say, "Hey, that server is actually <internal IP>! Let's
bounce this packet there!" after which it would mangle the destination
IP to be the internal IP and send it back. Also, you have to convince
the kernel's routing functions to take a packet which has nothing to do
with that machine and send it on to your internal webserver for every
request since your internal LAN boxes will always believe the web server
is at the external IP.
I'm sure it can be done, but internal DNS is much easier, believe me.
Derick Anderson
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: LAN Port forwarding with a dynamic IP address
2005-10-21 12:40 Derick Anderson
@ 2005-10-22 9:02 ` George Alexandru Dragoi
0 siblings, 0 replies; 4+ messages in thread
From: George Alexandru Dragoi @ 2005-10-22 9:02 UTC (permalink / raw)
To: Derick Anderson; +Cc: netfilter
Do a SNAT on the LAN interface for packets that goes to the private ip of
webserver with source ip $LAN/$MASK. Something like:
lan=eth1
ipl=192.168.0.1 <http://192.168.0.1>
web=192.168.0.10 <http://192.168.0.10>
net=192.168.0.0/24 <http://192.168.0.0/24>
iptables -t nat -A POSTROUTING -o $lan -p tcp --dport 80 -d $web -s $net -j
SNAT --to $ipl
And a router will send packets wherever routing table says. Only rp_filter
can drop some of them (not in your case).
On 10/21/05, Derick Anderson <danderson@vikus.com> wrote:
>
>
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Zac Hansen
> > Sent: Friday, October 21, 2005 7:00 AM
> > To: netfilter@lists.netfilter.org
> > Subject: LAN Port forwarding with a dynamic IP address
> >
> > I have a single, dynamic IP address. I have multiple boxes
> > behind a linux router, one of which runs a web server on port
> > 80. I have set up rules (a PREROUTING and a FORWARD rule) to
> > let people outside my LAN deal see my web server. The problem
> > is that the boxes on my LAN can't see them.
> >
> > I really don't want to hardcode my external IP address into
> > any rules and I don't want to do any DNS work to make the LAN
> > boxes look up the actual server's LAN IP address directly.
> >
> > Can I get my LAN boxes to see my web site and not do the
> > things I don't want to do?
> >
> > Thanks.
> >
> > --Zac
>
> Your internal boxes will never see the website unless you add internal
> DNS, do something extremely complicated with scripts and routing and
> mangling of packets, or go with a three-legged setup. The reason for
> this is that without manipulation, a router will never send a packet
> *out* through the same interface it came *in* on.
>
> What you want is for your internal LAN boxes to send a packet destined
> to your dynamic external IP to your firewall's LAN interface and for
> your firewall to say, "Hey, that server is actually <internal IP>! Let's
> bounce this packet there!" after which it would mangle the destination
> IP to be the internal IP and send it back. Also, you have to convince
> the kernel's routing functions to take a packet which has nothing to do
> with that machine and send it on to your internal webserver for every
> request since your internal LAN boxes will always believe the web server
> is at the external IP.
>
> I'm sure it can be done, but internal DNS is much easier, believe me.
>
> Derick Anderson
>
>
--
Bla bla
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-10-23 5:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-10-21 11:00 LAN Port forwarding with a dynamic IP address Zac Hansen
2005-10-23 5:19 ` Grant Taylor
-- strict thread matches above, loose matches on Subject: below --
2005-10-21 12:40 Derick Anderson
2005-10-22 9:02 ` George Alexandru Dragoi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.