LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-26-2002, 07:26 AM   #1
mkostrze
LQ Newbie
 
Registered: Apr 2002
Posts: 2

Rep: Reputation: 0
Question How to access hosts from LAN through public ip?


Hello,

I have a LAN and some services on the LAN's hosts. I also have a firewall (iptables) configured so you can access these services from the internet, using my public IP and the proper port number (done with NAT).
But when I want to access the same service from the LAN, I have to use its local IP.

I wonder if it's possible to configure iptables on the firewall so I can write in my *local net* in browser
http://my_public_ip/addr/ (which currently works only from outside)
instead of using
http://local_ip_of_host/addr


thank you and best regards,
Mike
 
Old 04-26-2002, 07:51 AM   #2
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
post your iptables config

There is something misconfigured in your firewall. I can hit a port-forwarded service by accessing the external IP without issue.

i.e.

LAN
web server
192.168.1.80:80

my notebook
192.168.1.77

eth0 - 192.168.1.1
FIREWALL
eth1 - 66.77.88.99
(SNAT 192.168.1.0/24 to 66.77.88.99)
(DNAT 66.77.88.99:80 to 192.168.1.80:80)
(allow packets from eth0 to eth1 to be forwarded)
(allow related packets to be forwarded)
(allow syn from 66.77.88.99:80 to be forwarded)

now if, with my notebook, I pop up Konqueror and say "http://66.77.88.99/" the web server's default page pops up.
 
Old 04-26-2002, 07:57 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
/* Btw, this post should be in /Networking since it's no security issue (AFAIC). Please consider posting to the right forum next time, thnx. */
 
Old 04-26-2002, 09:06 AM   #4
mkostrze
LQ Newbie
 
Registered: Apr 2002
Posts: 2

Original Poster
Rep: Reputation: 0
Sorry for posting on this forum, but the description mentions "firewalls" and iptables *is* a firewall. OK, OK, I know my problem is not a security problem.


Thanks for the answer, but I can't figure it out anyway
I have things like that (parts from my firewall script):

...
iptables -t nat -F
iptables -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
...
iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to $PUBLIC_IP
....
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT -i eth0 --to-destination $LOCAL_IP_OF_WEB_SERVER:80
Works from outside, doesn't work from inside... What important thing is missing?


thanks and regards,
 
Old 04-26-2002, 09:34 AM   #5
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
Lightbulb idea

Not much of a *firewall* but hey. :-)

It looks like you won't get it to run as is because you're rewriting the packet after it's gone through routing -- you're DNAT'ing in the POSTROUTING chain, which means you can't loop back around and come back out another interface (i.e. the one you're coming in on)

You need to do something like a REDIRECT but instead of hitting the firewall itself, you need to send it back in.

Something like

-A PREROUTING -p tcp -s 192.168.1.0/24 -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $LOCAL_HTTP_IP

That should rewrite the destination BEFORE the routing phase so it would come back out the right port, but I'm not 100% sure. You may need a SNAT line in your POSTROUTING chain to change the IP addy back to $PUBLIC_IP so the computers contacting the web server see the response coming from the "right" address.

Offhand, why not just solve this with DNS? Internal DNS servers can resolve the web server with the internal IP, and external DNS requests get the external IP.
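
Added example, not part of any post in this thread: the DNAT-before-routing idea from reply #5 written out as a complete hairpin-NAT rule set that is printed for review rather than applied. The function names are hypothetical, the addresses are the sample ones from reply #2, and the POSTROUTING rule uses the firewall's LAN address as the SNAT source, which is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, hairpin-NAT
# rules for one port-forwarded TCP service. All six arguments are assumptions
# supplied by the caller; review the output before piping it to sh as root.

is_ipv4() {  # succeeds only for a dotted quad with octets 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

hairpin_rules() {
    [ $# -eq 6 ] || { echo "usage: hairpin_rules LAN_IF LAN_NET FW_LAN_IP PUBLIC_IP SERVER_IP PORT" >&2; return 2; }
    lan_if=$1 lan_net=$2 fw_lan_ip=$3 public_ip=$4 server_ip=$5 port=$6
    # Reject input that could smuggle shell syntax into the generated commands.
    case $lan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 2 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "bad port: $port" >&2; return 2; }
    case $lan_net in */*) bits=${lan_net#*/} ;; *) echo "LAN_NET needs a /prefix" >&2; return 2 ;; esac
    case $bits in ''|*[!0-9]*) echo "bad prefix: /$bits" >&2; return 2 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix: /$bits" >&2; return 2; }
    for addr in "${lan_net%/*}" "$fw_lan_ip" "$public_ip" "$server_ip"; do
        is_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 2; }
    done
    cat <<EOF
# 1. LAN client -> public IP: rewrite the destination before the routing decision.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -d $public_ip -p tcp --dport $port -j DNAT --to-destination $server_ip:$port
# 2. Rewrite the source to the firewall's LAN address, so the server answers the
#    firewall (which undoes both translations) instead of the client directly.
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $server_ip -p tcp --dport $port -j SNAT --to-source $fw_lan_ip
# 3. Only needed when the FORWARD policy is DROP; replies then also need the
#    usual ESTABLISHED,RELATED accept rule.
iptables -A FORWARD -i $lan_if -o $lan_if -s $lan_net -d $server_ip -p tcp --dport $port -j ACCEPT
EOF
}

# Sample addresses as given in reply #2 of the thread (eth0 is the LAN side there).
hairpin_rules eth0 192.168.1.0/24 192.168.1.1 66.77.88.99 192.168.1.80 80
```

With rule 2 in place the web server logs every LAN client as the firewall's LAN address, a loss of per-client visibility that the split DNS approach from reply #5 does not have.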
 
  

