* Can't get access to local servers using external IP
@ 2006-10-13 3:08 Patrick Cummings
From: Patrick Cummings @ 2006-10-13 3:08 UTC (permalink / raw)
To: netfilter
Hi,
I've already posted this but it looks like it has been deleted or somehow
was not sent.
I have set up a Linux router for my network. Everything works well except one
thing.
It has three network connections. One is the Internet, another is a bridge
of network cards that is the LAN and the last one is a separate network used
as a SAN.
The problem is that I can't access the local servers with the external
Internet IP.
This worked before when I had my POS Linksys router that I smashed into
pieces after the Linux router was set up because I hated it.
This creates some problems. For example, if I host something on my local
webserver (192.168.0.2) and somebody links to it from a webpage on an
external server and I click on it, I can't get access. However, it would work
if I was not at the LAN. So if I replace the IP address in the link with the
one of my LAN it will work. However, that's a real mess: if there is a page
with like 50 pictures, the 50 pictures will load for everybody except the
ones that are on the LAN, except if they were to click on each picture
manually and edit the address so that it contains the LAN IP.
Also, I always need to log in remotely to an outside computer to test if
services are accessible with the Internet IP.
If it can help, here are the scripts I use to configure iptables:
(they are extremely hard to read... sorry)
http://etherealnet.servehttp.com/patrick/iptables-start
http://etherealnet.servehttp.com/patrick/iptables-start.conf
http://etherealnet.servehttp.com/patrick/ifconfig
I run Debian GNU/Linux with 2.6.8 kernel.
I wish there were a quick way to fix this since my previous crappy router did
it so well.
* Re: Can't get access to local servers using external IP
From: Martijn Lievaart @ 2006-10-14 16:34 UTC (permalink / raw)
To: Patrick Cummings; +Cc: netfilter
Patrick Cummings wrote:
> Hi,
> I've already posted this but it looks like it has been deleted or
> somehow was not sent.
>
> I have set up a Linux router for my network. Everything works well
> except one thing.
> It has three network connections. One is the Internet, another is a
> bridge of network cards that is the LAN and the last one is a separate
> network used as a SAN.
>
> The problem is that I can't access the local servers with the external
> Internet IP.
> This worked before when I had my POS Linksys router that I smashed
> into pieces after the Linux router was set up because I hated it.
> This creates some problems. For example, if I host something on my
> local webserver (192.168.0.2) and somebody links to it from a webpage
> on an external server and I click on it, I can't get access. However, it
> would work if I was not at the LAN. So if I replace the IP address in
> the link with the one of my LAN it will work. However that's a real
> mess, if there is a page with like 50 pictures the 50 pictures will
> load for everybody except the ones that are on the LAN, except if they
> were to click on each picture manually and edit the address so that it
> contains the LAN IP.
> Also, I always need to log in remotely to an outside computer to test if
> services are accessible with the Internet IP.
>
Your workstation sends a packet to $public_ip, which gets DNATted to
192.168.0.2. The webserver sees a packet from $workstation so responds
there. That return packet never traverses the firewall again, as
$workstation is on the same local subnet. Your workstation is expecting
a reply from $public_ip, so it ignores the return packet from 192.168.0.2.
There are several ways you can make this work.
1) When packets from $local_lan arrive destined for the webserver, not
only DNAT them, but SNAT them as well to an IP of the firewall. The
disadvantage is that the webserver logs will not accurately report the
source address for these connections. This is probably what the Linksys did.
2) Set up a DMZ, put the webserver in the DMZ. You need another NIC in
the firewall, but it is a very clean solution.
3) Fake a DMZ: don't put another NIC in the server but configure two
network segments on the same physical LAN. Dirty. Don't go there unless
you understand perfectly what it does.
4) Use mod_proxy on the firewall instead of DNAT. I do this all the time
and it works perfectly. As an added advantage, you can map multiple
(probably internal) webservers to different paths on your public webserver.
5) Use DNAT on your workstation to translate $public_ip to 192.168.0.2
(for port 80 and 443). Obviously this doesn't scale, but may be the
simplest solution.
6) Probably lots of other solutions I didn't think about.
HTH,
M4
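Option 1 from the reply above, written out as iptables rules; this is an added example, not a script from the thread or from its participants. The interface names (eth0, br0), the firewall's LAN address 192.168.0.1 and the public address 203.0.113.10 are assumptions; 192.168.0.2 is the webserver from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: "hairpin" NAT (option 1). LAN clients
# that connect to the public IP are DNATed to the webserver AND SNATed to the
# firewall's LAN address, so the server's reply goes back through the firewall
# and is un-NATed before the client sees it. Interface names and addresses
# are assumptions; 192.168.0.2 is the thread's webserver and 203.0.113.10 is
# a constructed documentation address.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-br0}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
LAN_NET=${LAN_NET:-192.168.0.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.0.1}
WEB_IP=${WEB_IP:-192.168.0.2}

# Print the rules for one TCP port instead of running them, so the set can
# be reviewed (or compared with iptables-save output) before it is loaded.
hairpin_rules() {
    port=$1
    # The existing external forward: Internet -> PUBLIC_IP:port -> webserver.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $port -j DNAT --to-destination $WEB_IP"
    # Hairpin step 1: LAN clients hitting the public IP get the same DNAT.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $PUBLIC_IP --dport $port -j DNAT --to-destination $WEB_IP"
    # Hairpin step 2: rewrite the source to the firewall so the reply cannot
    # short-cut across the LAN. Cost: the webserver logs FW_LAN_IP as client.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $WEB_IP --dport $port -j SNAT --to-source $FW_LAN_IP"
    # FORWARD must accept the translated flow; replies ride on the state match.
    echo "iptables -A FORWARD -o $LAN_IF -p tcp -d $WEB_IP --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -p tcp -s $WEB_IP --sport $port -m state --state ESTABLISHED -j ACCEPT"
}

# Rules for every port given on the command line.
all_rules() {
    for p in "$@"; do hairpin_rules "$p"; done
}

# Default is a dry run; set IPT_APPLY=1 (as root) to actually load the rules.
if [ "${IPT_APPLY:-0}" = "1" ]; then
    all_rules 80 443 | sh -e
else
    all_rules 80 443
fi
```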
* Re: Can't get access to local servers using external IP
From: Patrick Cummings @ 2006-10-15 3:08 UTC (permalink / raw)
To: m; +Cc: netfilter
>Your workstation sends a packet to $public_ip, which gets DNATted to
>192.168.0.2. The webserver sees a packet from $workstation so responds
>there. That return packet never traverses the firewall again, as
>$workstation is on the same local subnet. Your workstation is expecting a
>reply from $public_ip, so it ignores the return packet from 192.168.0.2.
>
>There are several ways you can make this work.
>
>1) When packets from $local_lan arrive destined for the webserver, not only
>DNAT them, but SNAT them as well to an IP of the firewall. The disadvantage
>is that the webserver logs will not accurately report the source address for
>these connections. This is probably what the Linksys did.
>
>2) Set up a DMZ, put the webserver in the DMZ. You need another NIC in the
>firewall, but it is a very clean solution.
>
>3) Fake a DMZ: don't put another NIC in the server but configure two
>network segments on the same physical LAN. Dirty. Don't go there unless
>you understand perfectly what it does.
>
>4) Use mod_proxy on the firewall instead of DNAT. I do this all the time
>and it works perfectly. As an added advantage, you can map multiple
>(probably internal) webservers to different paths on your public webserver.
>
>5) Use DNAT on your workstation to translate $public_ip to 192.168.0.2 (for
>port 80 and 443). Obviously this doesn't scale, but may be the simplest
>solution.
>
>6) Probably lots of other solutions I didn't think about.
>
>HTH,
>M4
Wow, thanks a lot, that makes perfect sense. I'm for sure going to do #1, as
it seems the most secure and scalable. Thanks for your time, really.
* Re: Can't get access to local servers using external IP
From: Pascal Hambourg @ 2006-10-15 12:54 UTC (permalink / raw)
To: netfilter
Hello,
Martijn Lievaart wrote:
>
> There are several ways you can make this work.
>
> 1) When packets from $local_lan arrive destined for the webserver, not
> only DNAT them, but SNAT them as well to an IP of the firewall. The
> disadvantage is that the webserver logs will not accurately report the
> source address for these connections. This is probably what the Linksys
> did.
Hint: using NETMAP to do the source NAT, you can do a 1:1 mapping so
you can retrieve the original source address.
[...]
> 6) Probably lots of other solutions I didn't think about.
If you access the server by name instead of by IP address:
7) Put the private address and the name in the /etc/hosts file of your
workstations. Quick and dirty, does not scale.
8) Set up a "split DNS" server so the internal requests receive the
private address and the external requests receive the public address.
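The NETMAP hint above, worked through as an added example (not code from the thread or its participants): the LAN prefix is swapped for a shadow prefix so the host part survives in the webserver's log and can be mapped back. The shadow network 10.10.0.0/24 and the /24 sizes are assumptions; 192.168.0.2 is the webserver from the thread and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: Pascal's NETMAP variant of option 1.
# Instead of SNATing every LAN client to the one firewall address, NETMAP
# rewrites only the network part, so 192.168.0.57 becomes 10.10.0.57 and the
# host octet in the webserver's log still identifies the client. Because
# 10.10.0.0/24 is not on the server's own subnet, its replies go to its
# default gateway (the firewall), which reverses the mapping via conntrack.
# Assumptions: /24 networks, shadow prefix 10.10.0.0/24; 192.168.0.2 is the
# thread's webserver.
LAN_NET=${LAN_NET:-192.168.0.0/24}
MAP_NET=${MAP_NET:-10.10.0.0/24}
WEB_IP=${WEB_IP:-192.168.0.2}

# Source NETMAP in POSTROUTING for hairpinned traffic that has already been
# DNATed to the webserver (the DNAT rule itself stays as in option 1).
netmap_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -j NETMAP --to $MAP_NET"
}

# Recover the real client from one logged address: keep the host octet and
# re-attach the LAN prefix. Fails (prints nothing) for addresses outside
# MAP_NET, i.e. genuinely external clients. Works for /24 prefixes only.
recover_source() {
    logged=$1
    map_prefix=${MAP_NET%.*}      # "10.10.0.0/24" -> "10.10.0"
    lan_prefix=${LAN_NET%.*}      # "192.168.0.0/24" -> "192.168.0"
    case $logged in
        "$map_prefix".*) echo "$lan_prefix.${logged##*.}" ;;
        *) return 1 ;;
    esac
}

# Rewrite the client field of common-log-format lines on stdin so mapped
# addresses show the real LAN client; every other line passes unchanged.
unmap_log() {
    while read -r ip rest; do
        real=$(recover_source "$ip") || real=$ip
        echo "$real $rest"
    done
}

# Constructed sample log: one hairpinned LAN client, one external client.
SAMPLE_LOG='10.10.0.57 - - [15/Oct/2006:13:00:00 +0200] "GET /pics/1.jpg HTTP/1.1" 200 512
198.51.100.7 - - [15/Oct/2006:13:00:01 +0200] "GET / HTTP/1.1" 200 1024'

netmap_rule
printf '%s\n' "$SAMPLE_LOG" | unmap_log
```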
* Re: Can't get access to local servers using external IP
From: Martijn Lievaart @ 2006-10-15 18:05 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> Hello,
>
> Martijn Lievaart wrote:
>
>>
>> There are several ways you can make this work.
>>
>> 1) When packets from $local_lan arrive destined for the webserver,
>> not only DNAT them, but SNAT them as well to an IP of the firewall.
>> The disadvantage is that the webserver logs will not accurately report
>> the source address for these connections. This is probably what the
>> Linksys did.
>
>
> Hint: using NETMAP to do the source NAT, you can do a 1:1 mapping so
> you can retrieve the original source address.
I thought about this, but the documentation on NETMAP is actually pretty
bad, so I decided I would not advertise this route.
>
> [...]
>
>> 6) Probably lots of other solutions I didn't think about.
>
>
> If you access the server by name instead of by IP address:
>
> 7) Put the private address and the name in the /etc/hosts file of your
> workstations. Quick and dirty, does not scale.
>
> 8) Set up a "split DNS" server so the internal requests receive the
> private address and the external requests receive the public address.
>
I do that too, it may actually be the best advice from this list. A
bitch to set up[1], but once it's working it works like a charm.
M4
[1] I don't exactly recall my troubles setting it up, it may have been
just my situation.
* Re: Can't get access to local servers using external IP
From: Pascal Hambourg @ 2006-10-15 18:21 UTC (permalink / raw)
To: netfilter
Martijn Lievaart wrote:
>
>> 8) Set up a "split DNS" server so the internal requests receive the
>> private address and the external requests receive the public address.
>
> I do that too, it may actually be the best advice from this list.
Nooo, we're on a Netfilter/iptables list!
> A bitch to set up[1], but once it's working it works like a charm.
Well, it depends a lot on what you've got.
If you have your own Bind9 authoritative DNS server for the name, you
must set up "views". May be heavy.
If you have a DNS relay running dnsmasq, you just need to put the name
in the /etc/hosts file of the box running dnsmasq. Easy.