another httpd port forwarding question

dsp444 · 01-19-2005, 09:41 AM

OK - I have set up a webserver (using apache) on one of my machines (192.168.0.5). I have my router/firewall machine forwarding port 80 to to that machine. However, I have one small issue - I cannot access the webserver from my other internal machines.

I have tried to pare down my firewall script to the simplest possible but cannot get it to work. Below is my very simple (insecure) firewall script :

Code:

# Reset to accept
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT

# Flush all rules
        $IPTABLES -F
        $IPTABLES -F -t nat

# Erase all user defined chains
        $IPTABLES -X
        $IPTABLES -X -t nat

# Enable SNAT and forward httpd requests
        $IPTABLES -t nat -A PREROUTING -p tcp -d $STATIC_IP --dport 80 -j DNAT --to-destination 192.168.0.5:80
        $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $STATIC_IP

$EXTIF = eth0 and $STATIC_IP is my ISP supplied static IP address.
(and yes i have ip_forward set to 1)

Here is a summary of what works and what doesn't work:

if I try to go to mydomainname from any external machine, it works
if I try to go to 192.168.0.5 from any intenal machine, it works
if I try to go to mydomainname from any internal machine, it DOESN'T WORK
if I try to go to $STATIC_IP from any internal machine, it DOESN'T WORK

Does that make sense? Do I need another PREROUTING or POSTROUTING rule for the internal machines?

Any help or advice would be greatly appreciated, I've been fighting this one little thing for too long.

Thanks
Dan

TigerOC · 01-19-2005, 02:28 PM

The answer is that you cannot look at yourself. You are trying go out and come in on the same route which is not possible. The only way you can do this is by working through a proxy in your browser. If you use Mozilla/Firefox then go to Edit ->preferences -> General and alter the connection settings to a public proxy server. Technically you should ask permission of the owners of the proxy server to use their address before you do this. I have tried this myself to check the behaviour and speed of my own server.

twsnnva · 01-19-2005, 02:32 PM

Is the linux router/firewall running dnsmasq? If so all you need to do is add this to the /etc/hosts file on the firewall.

Code:

192.168.0.5 yourdomainname

You should then be able to access the server by the domain name from the local network.

Thomas

dsp444 · 01-19-2005, 07:26 PM

OK - thanks for the info. Guess I've been beating my head against the wall for no reason. Its not that big of deal, but I thought I was completely missing the boat or something. I'll just make internal users use the name of the machine specified in the "hosts" file on each machine. (And no I'm not running dnsmasq )

Thanks again for the help and suggestions