Hello all.

I need to make sth, because of my english i try to explain as less as I can.

I have a Fedora (1) with iptables and squid + apache on port 80. Fedora server has a static IP and is connected to the internet. Behind the iptables I have a NAT, and behind this NAT I have computers and other servers connected (Fedora makes as a firewall etc). Inside the network (where the client-computers are, there is also an another web server (3), also with port 80 opened. From Fedora I routed the port 88 from external interface on fedora to internal interface and port 80 at the second server machine (3).

The problem is, I MUST to make something, to achive the second web-server from inside the network using the external IP address (with port 88 routed to 80).
Now from outside the network i connect to first web server via "http://fedora_srv", to second web server through http://fedora_srv:88, and to second web server from inside the network via http://second_srv. I mus from inside the network achive the second web server thru http://fedora_srv:88.

Is that possible?
Thank you in advance.
Have a nice day.

Attached Thumbnails

 

This should be possible by using SNAT and DNAT together. you connect to 'fedora_srv' which will probably be a dns name which points to your outside IP address, right?

you could try something like this:
This way, the client would think it is communicating to your public IP addres of your server (which it is actually). The Fedora server would rewrite the destination (in the IP packets) to be the internal IP of the web server. This is being done 'Pre-routing' so the destination is rewritten just before a routing decision is being made. This is necessary because otherwise the decision would tell the routing engine to deliver the packet locally. Now it will have an alternative destination within the local network, causing it to go in 'FORWARD' instead of 'INPUT' chain. There you should allow packets to traverse from <internal network> to <internal network>.
In POSTROUTING (so AFTER the routing decision has been made), just before the packet is leaving the server again, the SOURCE IP in the packet is being rewritten (SNAT) to be the Fedora box. If you would not do that, the source would remain an internal IP addres of the client, causing the web server to DIRECTLY answer to the client, which is not what you want (the clietn does not expect this and will discard the response. The web server now responds to the Fedora box, which will forward the response back to the client.

The above iptables lines both work for 'ALL traffic' within its specification. You might want to narrow it down to 'protocol tcp, port 88', like the addition of '-p tcp --dport 88'.

I hope this little explanation makes it a bit clear AND that it answers your question. If not, please elaborate on your issue a bit further.


On a total side note, as a hint, you could also consider to use the port 80 and have Apache do a 'ProxyPass' to the internal web server. This way the whole SNAT / DNAT 'trick' would be unneeded. This involves a bit more apache knowledge though..

1 members found this post helpful.

I have maked something like this:

iptables -t nat -I PREROUTING -i eth1 -d <external ip address> -j DNAT --to-destination 192.168.25.3
iptables -t nat -I POSTROUTING -o eth1 -s <what exactly should I put there?> -j SNAT --to-source 192.168.25.1


eth1 is my internal and eth0 - external IP address
Local computer in the network have adresses 192.168.25.100-250

What should I do next? When I put in "<what exactly should I put there?>" number 192.168.25.0 - i get error 111 from squid.
How I can resolve the problem?
Thank you in advance.

Edit:

I noticed, that when I make in iptables sth like uppon i can not send/receive emails from my email server (fedora).

An error from squid? You are using a proxy as well?

With <internal network> I meant 192.168.25.0/24 meaning a network of 192.168.25.0 through 192.168.25.255.

Unsure about the reason why you are not able to use e-mail

'sth' ? short for 'something' ? and where to is your 'fedora' box e-mailing? could be because the SNAT rule is not set up right that e-mail suffers from it. Try using the '/24' suffix and see what happens. You could narrow down the possible impact by adding the above mentioned '-p tcp --dport 88' part in the statements. This should prevent any troubles on other services in any way.

Yes - I'm using a squid proxy server - he is installed on a "fedora" machine (with internal IP 192.168.25.1 and port 8080). On this machine is also an Apache (80) server for our homepage and webmail, and mail server. Inside the network (as I have wroten before) is also a second web server (OpenSuse), with an Apache on port 80 and MySQL.

When I put sth (yes, something ) like this into the iptables file:
the proxy server still refuses the connection with error number 111.
I can not check the mail sending now with the port statement '-p tcp --dport 88', because today I'm connecting with this network thru VPN, and I have not yet configured the VPN to allow mail sending from virtual network.

Maybe there is only the squid problem?
This error shows with and without your code.
Please advice.
Thank you.

In squid:
In iptables:
(internal iface eth1, external eth0)
I'm still getting a squid error - 111 connection refused


in iptables I have also a:
I tried to comment the last uppon lines, but with no effect.

Anyone want to help?

Oh, do you have the following line as well?

You need to accept the traffic as well.

And perhaps, you could run into trouble with ICMP redirects (unsure if this setup will do this, you'd have to sniff traffic for this... the next line would disable ICMP redirect messages from being sent by your router.. you can try if you still don't see the solution.. just to check.

This command just disables the router from sending ICMP redirect messages.

Hi.
Still nothing with the
I do not want to disable ICMP packets now, cause i'll kill the internet in the company...

This must be a squid problem...

Can I post here an iptables and squid config files to analyse?
What can I do next?
I also can put the second server (192.168.25.3) on the external IP with own firewall, but better for me is when the machine is behind the NAT...

I have deleted all previous code (from this topic) from the squid and iptables and have putted in iptables:
Works very well

Edit:

Don't works very well :/ When I try to connect with putty using this same ports on router and internal machine (for example 22) I get "connection refused" from putty. When I put in a browser a "domain_name:22" i see the protocol of the ssh version, so the redirect works, but I can not connect in that way with putty :/
What can be the problem?

Are you sure that the redirect works? Both boxes probably respond to port 22, and your rule as described only affects traffic of port tcp/88..

Before I would advice any further I would want to make sure I advice correctly, so I will have to set a test environment up for myself. If you'd allow me, I'll get back to you..

Looking at your line, you forward port 88 (external IP) through to fedora box internally on port 80.. That is what you want?

Here are my iptables (a part of them ):

On the port number 80 i have a httpd server on the 192.168.25.3. I redirect the port from WAN port 81 to the internal network 192.168.25.3 port 80 - everything works fine form inside and outside the network, so I can say, that I have achieved 50/50 what I want to.
Unfortunetly, I can not make that same thing (as I have described above) to SSH for example (I wrote for example, because I have an outlook plugin module, which I must to connect with my crm from inside and outside the network, and this is all about. This must to work from inside the network and outside the network, and the CMR system as i have wrote is behind the NAT, that is why I need to use my external domain inside the network).
On port number 723 i have a SSH on the machine IP number 192.168.25.3. This works inside the network and from outside, using a "domain_name:723" also works fine. When I put the address "domain_name:723" inside the network in web browsed than i get response from SSHd demon with a version number of the ssh protocol. When I put the same thing in the putty application than i get "connection refused" Firewall log at the crm server is clear, so the CRM server (192.168.25.3) don't block those requests, this must be an iptables on the router.

I want to remind, that I have also a squid proxy server. I have made a changes in squid config file and in iptables config as I have described above, preserving analogies from the redirect of the ports 81 => 80. Still don't work...

If you need any additional informations - do not hasitate to ask.
Thanks.

Okay,

I tried with a couple of virtual machines I set up... it worked as expected configuring it as I thought it should be...

Situation..

Laptop 1 (lt1), ip 172.23.44.89/24 on interface eth0. (Phys-LAN)
Laptop has a virtual interface virbr0 with 192.168.222.1/24 (Virt-LAN) configured

Virtual machine 1 (vm1) at 192.168.222.120, running apache on port 80 (eighty)
Virtual machine 2 (vm2) at 192.168.222.200, being a client in the same network as the service web server.
Workstation 1 (ws1) at 172.23.44.45/24, being a client in the wired network, outside the laptop.
The Laptop functions as the router / firewall.

Question: make it that when a machine (from Phys-LAN or Virt-LAN connects to the Laptop outside interface (172.23.44.89) on port 88 (eighty eight), it gets the web page served by Virtual Machine 1 (port 80) shown.

These are the rules that made it work for me:

What is working now?..
ws1 can enter http://lt1:81/ and will be served the page running on vm1 (at port 80).
ws1 can enter http://lt1/ and will be served the page on lt1 itself.. (if served)
vm2 can enter http://lt1:81/ and will also be served the page on vm1 (the 'REMOTE_ADDR' variable will disclose that vm1 sees the connection coming from lt1, not from vm2).

You can extend these settings to facilitate other protocols / ports of course.

Does this help you in a way ?

In response to your last post:

Looks rather fair.


Why forward port 81, as it is being rewritten to port 80, as well as you are asking the proxy to set the connection up.

Port 81 should not need to be opened on the INPUT chain. As it is being FORWARDed, it doesn't hit the INPUT chain. As for the squid proxy, it needs to be able to access the server as well on its own. The client shall contact the squid on its own port (3128 perhaps) and will forward the request.

A difference I notice is that you use 'OUTPUT' with DNAT, where I use POSTROUTING with DNAT. Not sure if DNAT is allowed in 'OUTPUT', in POSTROUTING it will also work for packets that are passing through. This might explain why your putty gets a 'connection refused'.

For non proxied connects this should work. For squid it could be more involving. I'll check the functionality with that soon..

You should remove the public IP addresses in your post. ( lt1 and ws1 )

You could replace them with something like a.b.c.d and a.b.g.h to illustrate their relationship without disclosing your actual information.

Thx, but how public are private IP addresses?

Addresses starting with 172 are not private. If these machines are not connected to the Internet then I guess there is no harm.