LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-26-2002, 07:26 AM   #1
mkostrze
LQ Newbie
 
Registered: Apr 2002
Posts: 2

Rep: Reputation: 0
Question How to access hosts from LAN through public ip?


Hello,

I have LAN and some services on LANs hosts. I also have a firewall (iptables) configured so you can access this services from the internet, using my public ip and proper port number (done with NAT).
But when I want to acces the same service from LAN, I have to use its local IP.

I wonder if it's possible to configure iptables on the firewall so I can write in my *local net* in browser
http://my_public_ip/addr/ (which currently works only from outside)
instead of using
http://local_ip_of_host/addr


thank you and best regards,
Mike
 
Old 04-26-2002, 07:51 AM   #2
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
post your iptables config

There is something misconfigured in your firewall. I can hit a port-forwarded service by accessing the external IP without issue.

i.e.

LAN
web server
192.168.1.80:80

my notebook
192.168.1.77

eth0 - 192.168.1.1
FIREWALL
eth1 - 66.77.88.99
(SNAT 192.168.1.0/24 to 66.77.88.99)
(DNAT 66.77.88.99:80 to 192.168.1.80:80)
(allow packets from eth0 to eth1 to be forwarded)
(allow related packets to be forwarded)
(allow syn from 66.77.88.99:80 to be forwarded)

now if, with my notebook, I pop up Konqueror and say "http://66.77.88.99/" the web server's default page pops up.
 
Old 04-26-2002, 07:57 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,466
Blog Entries: 54

Rep: Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899Reputation: 2899
/* Btw, this post should be in /Networking since it's no security issue (AFAIC). Please consider posting to the right forum next time, thnx. */
 
Old 04-26-2002, 09:06 AM   #4
mkostrze
LQ Newbie
 
Registered: Apr 2002
Posts: 2

Original Poster
Rep: Reputation: 0
Sorry for posting on this forum, but in the description is "firewalls" and iptables *is* a firewall , OK, OK I know my problem is not a security problem.


Thanks for the answer, but I can't figure it out anyway
I have things like that (parts from my firewall script):

...
iptables -t nat -F
iptables -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
...
iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to $PUBLIC_IP
....
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT -i eth0 --to-destination $LOCAL_IP_OF_WEB_SERVER:80
works from outside, doesn't work from inside... What important
thing is missing ?


thanks and regards,
 
Old 04-26-2002, 09:34 AM   #5
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
Lightbulb idea

Not much of a *firewall* but hey. :-)

It looks like you won't get it to run as is because you're rewriting the packet after it's gone through routing -- you're DNAT'ing in the POSTROUTING chain, which means you can't loop back around and come back out another interface (i.e. the one you're coming in on)

You need to do something like a REDIRECT but instead of hitting the firewall itself, you need to send it back in.

Something like

-A PREROUTING -p tcp -s 192.168.1.0/24 -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $LOCAL_HTTP_IP

that should rewrite the destination BEFORE the routing phase so it would come back out the right port, but I'm not 100% sure. You may need a SNAT line in your POSTROUTING chain to change the IP addy back to $PUBLIC_IP so the computers contacting the web server see the response coming from the "right" address

offhand, why not just solve this with DNS? internal DNS servers can resolve the web server with the internal IP, and external DNS requests get the external IP.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
public access help tallmtt Linux - Wireless Networking 3 06-05-2006 05:20 PM
VSFTPD - Public Access - How? n8tgc Linux - Networking 5 02-15-2005 06:19 PM
Connect to public access points mwademan Linux - Wireless Networking 0 03-02-2004 11:51 AM
Access apache virtual hosts from lan te_conway Linux - Networking 2 07-16-2002 09:20 AM
IPTABLES - LAN can't get to DMZ with public IP dknell Linux - Security 4 02-28-2002 08:02 AM


All times are GMT -5. The time now is 06:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration