Old 02-20-2008, 09:52 PM   #1
shio
LQ Newbie
 
Registered: Jul 2007
Posts: 19

Rep: Reputation: 0
after port forwarding to web server, lan user can't access by typing www via browser


Hi All,

Please help with this. A billion thanks.

Here is my case:

[wan_ip:2.3.4.5]
(eth0)
|
gateway (2 nic, eth0 & eth1)
|
[local_ip:192.168.1.1]
(eth1)
|
switch-------------------------[LAN user(eth0 ip:192.168.1.3)]
|
[local_ip:192.168.1.2]
(eth0)
|
web server

I already added the iptables rules below on the gateway:
-A FORWARD -p tcp -m tcp -i eth0 -o eth1 --dport 80 -j ACCEPT
-t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.2:80

Users from outside the LAN can access my web server by typing www.ggg.com in any browser, but LAN users can't access it by typing www.ggg.com; they can only access it by typing 192.168.1.2.

I also tried adding the rules below:
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -d 2.3.4.5 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.2:80

but that also failed.

Please help. Thank you very much!!!!!!
 
Old 02-20-2008, 11:05 PM   #2
shio
LQ Newbie
 
Registered: Jul 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Anyone? Please help! Thanks! A billion, billion thanks.
 
Old 02-20-2008, 11:17 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
This is normally done by either running your own name server for LAN users or editing the users' hosts file. Maybe you could do it in the gateway for LAN users, but the ingress and egress would both need to use eth1. Your NAT rule is for translating traffic from the net to your LAN address of the server. Note the "-i eth0". Traffic from the LAN is coming in on eth1.
 
Old 02-20-2008, 11:27 PM   #4
shio
LQ Newbie
 
Registered: Jul 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
This is normally done by either running your own name server for LAN users or editing the users' hosts file. Maybe you could do it in the gateway for LAN users, but the ingress and egress would both need to use eth1. Your NAT rule is for translating traffic from the net to your LAN address of the server. Note the "-i eth0". Traffic from the LAN is coming in on eth1.
Hi,

Thank you. Do you mean I need to use something like dnsmasq and do DNS forwarding? Are there any iptables rules that would let my LAN users access the site via www.ggg.com without editing the hosts file?

Can you please provide more detail and information? Can I solve it by editing my firewall? Can you provide a sample of firewall rules?

I did a lot of research and googling, but I still can't solve it.

Thanks for the help.

Anyway, thanks for your reply.
 
Old 02-21-2008, 06:27 AM   #5
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
You can only view the site inside the LAN by either using the IP address of the box where the Internet server is or the name if it is specified in the hosts file IF the boxes on the LAN use the same modem/router to access the Internet. This is all to do with loopback on the public IP address. It's the local box asking for the same address that it is located at. The network resolution just gets confused.
 
Old 02-24-2008, 04:30 AM   #6
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
I'm going to have to go with the others here.
You need a local DNS server (handles the LAN names and passes others outwards) or edit the hosts.conf file.

A curious effect would be to use Google from the LAN user to search for www.ggg.com, and use that link to connect. You could also create a launcher which opens the browser to the web server, or just set it as the default homepage.
 
Old 02-24-2008, 10:38 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,344

Rep: Reputation: 1945
Well, I'd say that whilst DNS is probably one of the best ways to do this, it's not the only one, and firewall rules should be able to do the job. I'm not quite sure why your internal NAT doesn't work; if you put --to instead of --to-destination as a typo it should really be OK. If you are doing stateful connection tracking within this firewall then that could cause issues, as you'd only be seeing half the data on the firewall (client to server; server to client would go direct, not via the firewall, unless you did an SNAT too).

You could also put a really nominal web service only listening on the inside of the firewall (lighttpd or somesuch) to return a 302 back to the client pointing them at the IP of the real box, but that's pretty hacky.

If you made your firewall box run DNS then you would have a nicer architecture in general anyway.

Last edited by acid_kewpie; 02-24-2008 at 10:39 AM.
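
The hairpin-NAT variant acid_kewpie describes (DNAT on the LAN side plus an SNAT so the server's replies go back through the firewall), written out for the addresses in post #1. This is an added example, not part of any post in the thread; the eth1-to-eth1 FORWARD rules and the use of the gateway's LAN address as the SNAT source are assumptions about how the gateway is set up.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and interfaces are those in post #1.
WAN_IP=2.3.4.5          # public address that www.ggg.com resolves to
LAN_IF=eth1             # gateway's LAN-side interface
LAN_NET=192.168.1.0/24  # LAN subnet
GW_LAN_IP=192.168.1.1   # gateway's own address on the LAN (assumed SNAT source)
WEB_IP=192.168.1.2      # web server

# Emit the rules as text so they can be reviewed before anything is applied.
hairpin_rules() {
    # 1. A LAN client connecting to the public IP arrives on eth1, so the
    #    DNAT must match -i eth1 (the original rule only matches -i eth0).
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$LAN_IF" "$LAN_NET" "$WAN_IP" "$WEB_IP"

    # 2. Without this, the server sees the client's real LAN address and
    #    replies to it directly over the switch. The client opened its
    #    connection to 2.3.4.5, so a reply from 192.168.1.2 matches no
    #    socket and is dropped. Rewriting the source to the gateway forces
    #    the reply back through the gateway, where conntrack reverses both
    #    translations.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport 80 -j SNAT --to-source %s\n' \
        "$LAN_IF" "$LAN_NET" "$WEB_IP" "$GW_LAN_IP"

    # 3. The hairpinned traffic enters and leaves on eth1; FORWARD rules
    #    for eth0<->eth1 never match it.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 80 -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF" "$WEB_IP"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF"
}

# Dry run by default; pass "apply" as the first argument to run the rules (needs root).
if [ "${1:-}" = "apply" ]; then
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

With the SNAT in place the web server logs every LAN request as coming from 192.168.1.1, which is the usual cost of hairpin NAT compared with the split DNS approach suggested earlier in the thread.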
 