
synx13 06-13-2004 03:45 PM

Routing LAN -> WAN -> LAN with unhelpful router
Hi, I bought a rather gimpy router. Amongst other things, it won't loop any packets directed from the internal network through its packet filter. That means I can set up my external IP to forward a port to my back computer, but if I try to access my external IP from either computer instead of routing the request through that system and giving me a connection to my back computer, it gives me a connection to itself.

External IP: A (is static IP from ISP)
Internal IP: F (front computer) B (back computer) R (router IP)

On a forwarded port from A -> B
When I from computer F try to access A, I get R.
When anyone outside the LAN tries to access A, they get B.

What should I do to solve this? I have tried a few things, but still run into difficulties.

First I tried using iptables, failed miserably. Anyone who can help with that, by all means advise me. ;) Then, I went and got one of those "free" DNS names, and in my /etc/hosts file I added the DNS name associated with my back computer. That works pretty well! Except... that means I can't host any services on my front computer, and believe me my poor little back computer can't handle much more than a web server even though no one ever needs to reboot it into Windows like this front computer here. ;p

The reason I can't host services is when I set the configuration files for something like jabber to consider itself named 'localhost' then any external connections through a forwarded port on my router will choke upon seeing my server named "" and not "localhost." Obviously I'm an evil hacker trying to spoof DNS names. If I set up any of these services to think of themselves as "" then I can't access them from inside the LAN, since all queries to that name resolve to A, which gives me my router. Not the computer it should have been forwarded to.

The same goes for that DNS name I got. If I try to access my service by that name it sends me to the back computer when I wanted to stay in the front. Nothing is listening on the back computer.

There are some services which require a solid stately unchanging secure DNS name, otherwise they die screaming bloody security breach. Should I get /two/ DNS names that both point toward address A, and in my internal /etc/hosts use those to specify front and back computer? Is there some way from my front computer, I can first resolve to my back computer in /etc/hosts, then use iptables to change it back to my front computer for certain ports I intend for my front computer?

I tried in F's nat table:
iptables -t nat -A PREROUTING -p TCP --destination B --dport 1234 -j DNAT --to-destination F
But all attempts from F to connect to B at port 1234 still go to B and not to F.

Here's my routing table for F... do I have something set up wrong?

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
                                             U     0      0        0 eth0
                                             UG    0      0        0 eth0

Newb001 06-13-2004 03:57 PM

So you want to access B from F with A instead of accessing R with A?

synx13 06-14-2004 02:35 PM

Originally posted by Newb001
So you want to access B from F with A instead of accessing R with A?
Close, I've got my sights set a bit higher than that. I already figured a way to access B from F with A by adding the wrong DNS entry in my /etc/hosts file so that what resolves to A for everyone else resolves to B for me. Quite a hack, but it sorta works.

I would like to access B from F with A for certain ports, and F from F with A from other ports.
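One way to get exactly that per-port behaviour on F, as an added example that is not from the thread: locally generated packets never pass through the nat PREROUTING chain that the first post tried, so the DNAT has to sit in nat OUTPUT, and the /etc/hosts override is no longer needed because every name can keep resolving to A. The addresses and ports are constructed placeholders; the thread only gives the letters A, B and F.

```shell
#!/bin/sh
# Added example, not from the thread: split-horizon NAT on F so that F's own
# connections to the public address A reach the right host per port, with no
# /etc/hosts override. Addresses and ports are constructed placeholders.
EXT_IP=203.0.113.10     # A: public address held by the router
BACK_IP=192.168.1.20    # B: back computer
FRONT_IP=192.168.1.10   # F: this machine (the one the rules run on)
BACK_PORTS="80 1234"    # ports the router forwards A -> B
FRONT_PORTS="5222"      # ports F serves itself (e.g. a jabber server)

# DRY_RUN=1 prints each iptables command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packets generated on F itself never traverse the nat PREROUTING chain;
# they pass through nat OUTPUT, which is why the PREROUTING DNAT tried in
# the first post does nothing for F's own connections. DNAT rewrites the
# destination of the first packet of each new connection and conntrack
# un-translates the replies, so the client socket still believes it is
# talking to A.
# Usage: hairpin_rules EXT BACK FRONT "back ports" "front ports"
hairpin_rules() {
    ext=$1; back=$2; front=$3; back_ports=$4; front_ports=$5
    for port in $back_ports; do
        run iptables -t nat -A OUTPUT -d "$ext" -p tcp --dport "$port" \
            -j DNAT --to-destination "$back"
    done
    for port in $front_ports; do
        run iptables -t nat -A OUTPUT -d "$ext" -p tcp --dport "$port" \
            -j DNAT --to-destination "$front"
    done
}

# Preview the rules without touching the kernel (subshell keeps DRY_RUN local).
preview_rules() (
    DRY_RUN=1
    hairpin_rules "$EXT_IP" "$BACK_IP" "$FRONT_IP" "$BACK_PORTS" "$FRONT_PORTS"
)

preview_rules
# To install for real, make the same hairpin_rules call as root without
# DRY_RUN, then verify with: iptables -t nat -L OUTPUT -n --line-numbers
```

This only fixes F's own view of A; B still reaches R when it connects to A unless it gets equivalent rules, and traffic from other LAN hosts still depends on the router doing the loopback itself.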

