LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   after port forwarding to web server, lan user cant access by typing www via browser (https://www.linuxquestions.org/questions/linux-networking-3/after-port-forwarding-to-web-server-lan-user-cant-access-by-typing-www-via-browser-622645/)

shio 02-20-2008 09:52 PM

After port forwarding to web server, LAN user can't access by typing www via browser
 
Hi all,

Please help with this. A billion thanks.

Here is my case:

[wan_ip:2.3.4.5]
(eth0)
|
gateway (2 nic, eth0 & eth1)
|
[local_ip:192.168.1.1]
(eth1)
|
switch-------------------------[LAN user(eth0 ip:192.168.1.3)]
|
[local_ip:192.168.1.2]
(eth0)
|
web server

I already added the iptables rules below on the gateway:
iptables -A FORWARD -p tcp -m tcp -i eth0 -o eth1 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.2:80

Users from outside the LAN can access my web server by typing www.ggg.com in any browser, but LAN users can't access it by typing www.ggg.com; they can only access it by typing 192.168.1.2.

I also tried adding the rules below:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -d 2.3.4.5 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.2:80

but that also failed.

Please help. Thank you very much!

shio 02-20-2008 11:05 PM

Anyone? Please help! Thanks! A billion, billion thanks.

jschiwal 02-20-2008 11:17 PM

This is normally done by either running your own name server for LAN users or editing the users' hosts file. Maybe you could do it in the gateway for LAN users, but the ingress and egress would both need to use eth1. Your NAT rule is for translating traffic from the net to the LAN address of your server. Note the "-i eth0". Traffic from the LAN is coming in on eth1.

shio 02-20-2008 11:27 PM

Quote:

Originally Posted by jschiwal (Post 3064573)
This is normally done by either running your own name server for LAN users or editing the users' hosts file. Maybe you could do it in the gateway for LAN users, but the ingress and egress would both need to use eth1. Your NAT rule is for translating traffic from the net to the LAN address of your server. Note the "-i eth0". Traffic from the LAN is coming in on eth1.

Hi,

Thank you. Do you mean I need to use something like dnsmasq and do DNS forwarding? Are there any iptables rules to let my LAN users access via www.ggg.com without editing the hosts file?

Can you please provide me more detail and information? Can I solve it by editing my firewall? Can you provide me a sample of firewall rules?

I did a lot of research and googling, but I still can't solve it.

Thanks for the help.

Anyway, thanks for your reply.

TigerOC 02-21-2008 06:27 AM

You can only view the site inside the LAN by either using the IP address of the box where the Internet server is, or the name if it is specified in the hosts file, IF the boxes on the LAN use the same modem/router to access the Internet. This is all to do with loopback on the public IP address. It's the local box asking for the same address that it is located at. The network resolution just gets confused.

Simon Bridge 02-24-2008 04:30 AM

I'm going to have to go with the others here.
You need a local DNS server (handles the LAN names and passes others outwards) or edit the hosts.conf file.

A curious effect would be to use Google from the LAN user to search for www.ggg.com, and use that link to connect. You could also create a launcher which opens the browser to the web server, or just set it as the default homepage.
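
As an added example (not code from the thread or from any of the posters) of the two DNS-side options jschiwal and Simon Bridge describe: a dnsmasq configuration for the gateway that answers www.ggg.com with the LAN address and forwards everything else upstream, plus a small idempotent hosts-file updater for the per-client route. The hostname, interface and addresses come from the diagram in the first post; that dnsmasq runs on the gateway and the upstream resolver 8.8.8.8 are assumptions (placeholders).

```shell
#!/bin/sh
# Split-horizon DNS for the LAN in the thread: LAN clients get 192.168.1.2 for
# www.ggg.com, the rest of the world keeps getting 2.3.4.5.
# Assumed (not from the thread): dnsmasq runs on the gateway; UPSTREAM is a placeholder.
NAME=www.ggg.com
LAN_IP=192.168.1.2
LAN_IF=eth1
UPSTREAM=8.8.8.8   # placeholder upstream resolver

# (a) Network-wide: dnsmasq config for the gateway. It listens on the LAN side only
#     (interface= plus bind-interfaces), so the gateway does not turn into an open
#     resolver on its public interface, and overrides just the one name.
dnsmasq_split_conf() {
    cat <<EOF
interface=$LAN_IF
bind-interfaces
no-resolv
server=$UPSTREAM
domain-needed
bogus-priv
address=/$NAME/$LAN_IP
EOF
}

# (b) Per-client: set a hosts-file entry, replacing any existing line that already
#     carries the name (as hostname or alias) so repeated runs do not pile up entries.
set_hosts_entry() {
    file=$1; name=$2; ip=$3
    tmp=$(mktemp) || return 1
    awk -v n="$name" '{ keep=1
        if ($1 !~ /^#/) for (i = 2; i <= NF; i++) if ($i == n) keep = 0
        if (keep) print }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Resolve a name the way the hosts file would: first matching non-comment line wins.
hosts_lookup() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Usage on the gateway (as root):  dnsmasq_split_conf > /etc/dnsmasq.d/ggg.conf
# Usage on one LAN client (as root): set_hosts_entry /etc/hosts www.ggg.com 192.168.1.2
```

The dnsmasq route also means the LAN clients must point their resolver at 192.168.1.1 (usually via DHCP); the hosts-file route needs no server change but has to be repeated on every client.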

acid_kewpie 02-24-2008 10:38 AM

Well, I'd say that whilst DNS is probably one of the best ways to do this, it's not the only one, and firewall rules should be able to do the job. I'm not quite sure why your internal NAT doesn't work; if you put --to instead of --to-destination as a typo, it should really be OK. If you are doing stateful connection tracking within this firewall then that could cause issues, as you'd only be seeing half the data on the firewall (client to server; server to client would go direct, not via the firewall, unless you did an SNAT too).

You could also put a really nominal web service only listening on the inside of the firewall (lighttpd or some such) to return a 302 back to the client pointing them at the IP of the real box, but that's pretty hacky.

If you made your firewall box run DNS then you would have a nicer architecture in general anyway.
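
As an added example of the firewall-only approach acid_kewpie outlines (not code from the thread or from any poster): the complete hairpin NAT rule set, including the SNAT that the original post's rules lack. The interface names and addresses are taken from the diagram in the first post; that the FORWARD chain's policy is DROP and that the gateway's LAN address 192.168.1.1 serves as the SNAT source are assumptions.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for the gateway in the thread.
# From the diagram: eth0 = WAN 2.3.4.5, eth1 = LAN 192.168.1.1/24, web server 192.168.1.2.
# Assumed (not in the thread): FORWARD policy is DROP, so the hairpinned flow needs its
# own ACCEPT; the gateway's LAN address is used as the SNAT source.
# Default action is to PRINT the rules; run "./hairpin.sh apply" as root to load them.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=2.3.4.5
LAN_IP=192.168.1.1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.2

hairpin_rules() {
    cat <<EOF
# 1. Internet -> web server (the rules the post already has, plus return traffic)
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. LAN client -> public IP: same DNAT, but this packet arrives on $LAN_IF, not $WAN_IF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# 3. After DNAT the packet is forwarded back out the interface it came in on; the
#    post's "-i eth0 -o eth1" rule never matches it, so allow $LAN_IF -> $LAN_IF
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -j ACCEPT
# 4. The missing half: rewrite the SOURCE as well. Without this the server answers
#    192.168.1.3 directly over the switch; the client then sees a SYN/ACK from
#    192.168.1.2 for a connection it opened to 2.3.4.5 and resets it.
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_SRV -p tcp --dport 80 -j SNAT --to-source $LAN_IP
EOF
}

# Number of iptables commands the generator emits (used as a sanity check).
rule_count() { hairpin_rules | grep -c '^iptables'; }

case "${1:-print}" in
    apply) hairpin_rules | grep -v '^#' | sh -ex ;;
    *)     hairpin_rules ;;
esac
```

The cost of rule 4 is that the web server sees every LAN client as 192.168.1.1, so its access logs and any address-based access control no longer distinguish LAN clients; that loss of the real client address is the usual reason to prefer the split DNS route the other posters recommend. The SNAT is deliberately restricted to the hairpinned flow (LAN source, web server destination, port 80) so it does not touch anything else passing through the gateway.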
