* http acces
From: skydive @ 2003-11-20 21:47 UTC
To: netfilter
hi all

i have been experiencing a problem since i'm trying to
access my web server from my lan through my internet ip.

i have no problems doing DNAT, for those who access my
web page from the outside:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

this is solving the problem

let's say my web page has the following address
www.example.org, and that it is hosted [like it is ;)) ]
on one machine on my lan with the following IP:

192.168.0.1

when i write www.example.org on my web browser, it just
hits eth1 on my gateway/firewall and gets stuck there.
maybe i'm missing something on my prerouting rules, or
maybe my small brain just can't reach it :)

the way i see it, when i put www.example.org on my web
browser, i send a request to my gateway, and it was
supposed to take it back to my lan, where the site is
hosted.

not working though...

can somebody please help with these missing rules?! or
is it just something else i'm missing?

thanks to those who took the time to read all this
garbage and i'm grateful even if you are not able to
help whatever your reason is ;)))

[][] * * *
skydive!

-------------------------------------------------
Email sent using the MegaMail service
* Re: http access - fixing DNAT port forwarding access from internal networks.
From: Damien Mason @ 2003-11-20 22:39 UTC
To: skydive, netfilter
you need an SNAT rule in there too.

iptables -t nat -A POSTROUTING -p tcp --dport $PORT -s $INTNETWORK/SUBNET -d $INTIPSERVER -j SNAT --to-source $INTIPFIREWALL

eg.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -s 192.168.0.0/24 -d 192.168.0.1 -j SNAT --to-source 192.168.0.254
(assuming .254 is your firewall and .1 is your webserver)
--
Damien Mason
SuSE Systems Specialist
http://www.suse.net.au./
damien@suse.net.au
SuSE Linux Asia-Pacific Pty Ltd
Ph: +61 (2) 943 943 94
Fax:+61 (2) 9437 38 39
* Re: http acces
From: Antony Stone @ 2003-11-20 22:54 UTC
To: netfilter
On Thursday 20 November 2003 9:47 pm, skydive wrote:
> hi all
>
> i have been experiencing a problem since i'm trying to
> access my web server from my lan through my internet ip.
>
> i have no problems doing DNAT, for those who access my
> web page from the outside:
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
>
> this is solving the problem
>
> let's say my web page has the following address
> www.example.org, and that it is hosted [like it is ;)) ]
> on one machine on my lan with the following IP:
>
> 192.168.0.1
>
> when i write www.example.org on my web browser, it just
> hits eth1 on my gateway/firewall and gets stuck there.
> maybe i'm missing something on my prerouting rules, or
> maybe my small brain just can't reach it :)

See if http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
answers your question.
Antony.
--
Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.
Please reply to the list;
please don't CC me.
* Re: http acces
From: Josh Berry @ 2003-11-21 2:02 UTC
To: skydive; +Cc: netfilter
DNAT will not work in this method. You should either be using internal
DNS or I believe that you could use the Redirect target to send any
information coming from your internal lan with a destination of
www.example.org and redirect it to your server.
Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com
* Re: http acces
From: skydive @ 2003-11-21 10:47 UTC
To: netfilter
skydive!
Antony:
ok.. i got it to work just fine. although i need 3
rules: 1 prerouting, 1 forward, 1 postrouting!
i'll be glad to help if i can!
danke !
[] ;)))
* Re: http access - fixing DNAT port forwarding access from internal networks.
From: skydive @ 2003-11-21 11:05 UTC
To: Damien Mason; +Cc: netfilter
Damien:
first of all i'm glad i was clear enough so somebody
could understand what my problem was!!
thank you for helping and i can say to you that it is
working just fine, and i guess i'll do the same to my
smtp server, so i can use absolute domain addresses,
instead of using a lan domain to access pop and smtp
server to send and receive mail ;))
thank you very much for your time [][]
skydive!
* Re: http acces
From: Antony Stone @ 2003-11-21 11:37 UTC
To: netfilter
On Friday 21 November 2003 10:47 am, skydive wrote:
> Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:
> > See if
> > http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
> > answers your question.
> >
> > Antony.
> ok.. i got it to work just fine. although i need 3
> rules: 1 prerouting,1 forward, 1 postrouting!
Indeed. NAT rules between machines on a single network are always a bit
messy, and have the possibly undesirable side-effect that the server thinks
all the connections are coming from the Firewall - although if this doesn't
matter, then things work fine once you've worked out that packets have to be
NATted in both directions between client and server.
> danke !
Bitte :)
Antony.
--
Wanted: telepath. You know where to apply.
Please reply to the list;
please don't CC me.
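
Why the POSTROUTING SNAT rule is needed for LAN clients but not for outside ones, as an added example that is not part of any message in this thread: a small Python model of the address rewrites and of the reply's path. 192.168.0.1 and 192.168.0.254 are the addresses used in the thread; the public address 203.0.113.10, the LAN client 192.168.0.50 and the outside client 198.51.100.7 are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
SERVER = "192.168.0.1"      # web server, as in the thread
FW_LAN = "192.168.0.254"    # firewall LAN address, as in the thread
PUBLIC = "203.0.113.10"     # constructed stand-in for the Internet IP
CLIENT = "192.168.0.50"     # constructed LAN client
EXTERNAL = "198.51.100.7"   # constructed outside client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def trace(client, snat):
    """Follow one request and its reply through the model.

    Returns (reply as it reaches the client, source the server saw,
    whether the client can match the reply to its connection).
    """
    request = Packet(client, PUBLIC)
    pkt = replace(request, dst=SERVER)            # PREROUTING: DNAT
    if snat and ip_address(client) in LAN:        # POSTROUTING: SNAT (-s LAN)
        pkt = replace(pkt, src=FW_LAN)
    # Connection tracking: how the firewall rewrites the matching reply.
    conntrack = {Packet(pkt.dst, pkt.src): Packet(request.dst, request.src)}

    reply = Packet(SERVER, pkt.src)               # server answers what it saw
    # An on-link destination is reached directly, bypassing the firewall;
    # anything else (or the firewall itself) is handed to the firewall.
    via_firewall = reply.dst == FW_LAN or ip_address(reply.dst) not in LAN
    if via_firewall:
        reply = conntrack[reply]                  # both translations undone
    accepted = reply == Packet(request.dst, request.src)
    return reply, pkt.src, accepted


if __name__ == "__main__":
    for who, snat in [(EXTERNAL, False), (CLIENT, False), (CLIENT, True)]:
        reply, seen, ok = trace(who, snat)
        print(f"client={who} snat={snat}: server saw {seen}, "
              f"reply {reply.src}->{reply.dst}, accepted={ok}")
```

Without SNAT the LAN client gets a reply from 192.168.0.1 for a connection it opened to the public address, so it cannot match it; with SNAT the reply returns through the firewall, and the server sees 192.168.0.254 as the source of every LAN connection.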