Networking Forums


Access NATted webserver from inside the network

 
 
sebmil
Guest
Posts: n/a

 
      08-08-2004, 08:57 PM
Hello,

I would like to know if it is possible to access a NATted webserver with
its external address from inside the network, and how.

Here's my network:

Webserver:
IP 192.168.0.54, connected to LAN

Router/gateway:
IP 192.168.0.55 on eth0, connected to LAN
Dynamic IP on ppp0, connected to Internet
routing port 80 (DNAT) to 192.168.0.54

LAN clients:
IP 192.168.0.xx, connected on LAN

I use dyndns services so I can access my server from outside with a URL
like xxx.dyndns.org, and it works.

The problem is, from the LAN I would also like to access the webserver by
using the xxx.dyndns.org URL.

Here are my iptables rules:

iptables -P INPUT DROP
iptables -F INPUT

iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

iptables -P FORWARD DROP
iptables -F FORWARD

iptables -t nat -F

iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT

iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.54

iptables -A INPUT -i ppp0 -j REJECT --reject-with icmp-port-unreachable

iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Thanks in advance,

Sebmil.
 
 
 
 
 
Alex Potter
Guest
Posts: n/a

 
      08-08-2004, 09:40 PM
sebmil wrote:

> Hello,
>
> I would like to know if it is possible to access a NATted webserver
> with its external address from inside the network, and how.


If you have a DNS server on your network, this is trivial. See any of
the DNS howtos - google is your friend.

--
The email address above is a spamtrap. Non-spam email sent to alexp@ the
same domain should reach me
 
 
P Gentry
Guest
Posts: n/a

 
      08-09-2004, 05:14 PM
sebmil <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)> ...
> Hello,
>
> I would like to know if it is possible to access a NATted webserver with
> its external address from inside the network, and how.
>
> Here's my network :
>
> Webserver :
> IP 192.168.0.54, connected to LAN
>
> Router/gateway :
> IP 192.168.0.55 on eth0, connected to LAN
> Dynamic IP on ppp0, connected to Internet
> routing port 80 (DNAT) to 192.168.0.54
>
> LAN clients :
> IP 192.168.0.xx, connected on LAN
>
> I use dyndns services so i can access my server from outside with URL
> like xxx.dyndns.org, and it works.
>
> The problem is, from the LAN i would also like to access the webserver by
> using the xxx.dyndns.org URL.
>

[snip]
>
> Thanks in advance,
>
> Sebmil.


Quick review -- to make sure _I_ understand what you're thinking ;-)

xxx.dyndns.org is a stable url that is updated to reflect your
changing _public_ IP (on ppp0)
192.168.0.54 is the stable IP of your web server
you use port forwarding to direct incoming traffic thus:
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT
--to-destination 192.168.0.54

Currently, lan traffic to your web server (using xxx.dyndns.org) must
go out to dyndns.org to fetch the IP of your ppp0 interface -- you
would like to intercept that fetch and have lan traffic headed for
xxx.dyndns.org to be routed directly to 192.168.0.54:80.

Unless I had a number of other reasons to use an internal/forwarding
DNS server, I would consider this approach to be like calling for a
backhoe operator to help me plant a dozen bulbs ;-)

Facts:
192.168.0.54 is as stable as _you_ make it.
xxx.dyndns.org is as stable as it is -- any changes would have to be
propagated in a number of ways -- but assume it is satisfactory.
Therefore, we need a way to associate stable xxx.dyndns.org with never
changing 192.168.0.54 _only_ for your lan machines -- /etc/hosts would
be my candidate.

Yes, it's a pain in the arse to edit or overwrite /etc/hosts on each
machine on the lan, but once done, you're done -- till xxx.dyndns.org
changes or you decide to change your web server's IP. It will give
you practice doing remote admin via telnet ;-)

Otherwise, you have to write a netfilter rule that says any traffic
from lan headed for the IP of ppp0 (port 80) will be forwarded to
192.168.0.54:80, but to get the IP of ppp0 you have to fetch it
somehow -- script, DNS, or an out-n-back fetch with each (uncached)
request. There should be some posts around here on how to use a
script to get the IP of ppp0 (after it's up of course) then insert the
rule via your iptable script. Or you might try:
http://www.linuxguruz.com/iptables/ for a similar script.

BTW, not knowing your netmask, I'm assuming that your web server is
truly _inside_ your lan -- i.e., you're inviting the outside world
_into_ your private net. Would be much safer/secure to get another
nic in your GW and place that web server in a proper DMZ on its own
network if at all possible. It would scare me if this lan is part of a
business operation of any kind. A switch (rather than a hub) won't be
of much help. I would rate this a higher priority than your stated
problem /;~(

hth,
prg
email above disabled
 
 
Tauno Voipio
Guest
Posts: n/a

 
      08-09-2004, 08:22 PM
P Gentry wrote:
> sebmil <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)> ...
>
>
> Facts:
> 192.168.0.54 is as stable as _you_ make it.
> xxx.dyndns.org is as stable as it is -- any changes would have to be
> propogated in a number of ways -- but assume it is satisfactory
> therefore, we need a way to associate stable xxx.dyndns.org with never
> changing 192.168.0.54 _only_ for your lan machines -- /etc/hosts would
> be my candidate.
>
> Yes, it's a pain in the arse to edit or overwrite /etc/hosts on each
> machine on the lan, but once done, your done -- till xxx.dyndns.org
> changes or you decide to change your web server's IP. It will give
> you practice doing remote admin via telnet ;-)
>


To keep the lower back healthier:

I suggest setting up dnsmasq on the router host. It caches the
DNS queries from the other nodes in the local network and it can
also propagate the entries from the /etc/hosts file of the router
to the other nodes in the local network, so there will be only
one /etc/hosts file to maintain.

Tauno Voipio
tauno voipio (at) iki fi

 
 
sebmil
Guest
Posts: n/a

 
      08-10-2004, 03:08 PM
>> I would like to know if it is possible to access a NATted webserver with
>> its external address from inside the network, and how.
>>
>> Here's my network :
>>
>> Webserver :
>> IP 192.168.0.54, connected to LAN
>>
>> Router/gateway :
>> IP 192.168.0.55 on eth0, connected to LAN Dynamic IP on ppp0, connected
>> to Internet routing port 80 (DNAT) to 192.168.0.54
>>
>> LAN clients :
>> IP 192.168.0.xx, connected on LAN
>>
>> I use dyndns services so i can access my server from outside with URL
>> like xxx.dyndns.org, and it works.
>>
>> The problem is, from the LAN i would also like to access the webserver
>> by using the xxx.dyndns.org URL.
>>

> [snip]
>
> Quick review -- to make sure _I_ understand what you're thinking ;-)
>
> xxx.dyndns.org is a stable url that is updated to reflect your changing
> _public_ IP (on ppp0)
> 192.168.0.54 is the stable IP of your web server you use port forwarding
> to direct incoming traffic thus: iptables -A FORWARD -i ppp0 -p tcp
> --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport
> 80 -j DNAT --to-destination 192.168.0.54


Right

> Currently, lan traffic to your web server (using xxx.dyndns.org) must go
> out to dyndns.org to fetch the IP of your ppp0 interface -- you would like
> to intercept that fetch and have lan traffic headed for xxx.dyndns.org to
> be routed directly to 192.168.0.54:80.


Not really, I want to use 2 hops to access my local server

Currently I use a local DNS server which tells "xxx.dyndns.org is
192.168.0.54" to all LAN clients, but this way I can't be sure that the
website is still usable from outside, using the real dyndns IP.

So I would like to be able to access it as if I were outside the LAN,
without using an external proxy or so.

I think the main problem is the packet arrives on the router, going to
its external IP, and can't be forwarded to the server, or maybe the
server's answer can't be routed back to the local client.

> BTW, not knowing your netmask, I'm assuming that your web server is truly
> _inside_ your lan -- ie., you're inviting the outside world _into_ your
> private net. Would be much safer/secure to get another nic in your GW and
> place that web server in a proper DMZ on its own network if at all
> possible. It would scare me if this lan is part of a business operation of
> any kind. A switch (rather than a hub) won't be of much help. I would
> rate this a higher priority than your stated problem /;~(


Right now it's only a private server, used by a few people country-wide
for group work, and this box can't communicate with other LAN boxes
until someone gets root on it and changes iptables rules.
Of course a real DMZ would be better but it's not that critical as the box
(and the LAN) is of no interest to the public.
Of course, all software is regularly updated.

Thanks for the concern.
 
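P Gentry's netfilter-rule idea (a rule for LAN traffic headed for the ppp0 address on port 80, inserted by a script once ppp0 is up) and sebmil's diagnosis above (the server's answer cannot find its way back to the local client) fit together: the DNAT alone sends the request to 192.168.0.54, but the server then answers the LAN client directly, so the client receives a reply from 192.168.0.54 instead of from the public address and drops it. The missing piece is an SNAT on the hairpinned flow so the reply goes back through the router. The script below is an added example for this thread, not sebmil's firewall script or anything posted here; it assumes a /24 LAN (the netmask was never stated), the router at 192.168.0.55 on eth0, the web server at 192.168.0.54, a dynamic address on ppp0, and an iptables new enough to support the `-C` (check) option. It prints the rules for review by default and only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT so LAN clients can reach the web server through the
# router's public ppp0 address exactly as an outside client would.
# Added example, not the poster's script. Assumed values: LAN 192.168.0.0/24
# (netmask not given in the thread), router 192.168.0.55 on eth0,
# web server 192.168.0.54, dynamic public address on ppp0.

LAN_NET="192.168.0.0/24"
LAN_IF="eth0"
ROUTER_LAN_IP="192.168.0.55"
WEB_IP="192.168.0.54"
CHAIN="hairpin"      # our own nat chain, so a re-dial can flush the stale DNAT

# Current local address of ppp0; prints nothing when the link is down.
ppp0_ip() {
    ip -4 -o addr show dev ppp0 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# Rules that do not depend on the public address: add them once, after the
# flush lines of the main firewall script.
#  - SNAT: without it the server answers the LAN client directly; the client
#    sees a reply from 192.168.0.54 instead of the public address and drops it.
#  - FORWARD: the poster's FORWARD policy is DROP and only ppp0<->eth0 traffic
#    is accepted, so eth0->eth0 hairpinned traffic needs its own ACCEPT rules.
static_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $ROUTER_LAN_IP
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The DNAT depends on the public address, so it lives in its own chain that is
# emptied and refilled every time ppp0 comes up. Rejects an empty or non-IPv4
# argument so a down link never produces a rule with a blank address.
hairpin_dnat_rules() {
    wan_ip="$1"
    case "$wan_ip" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "hairpin_dnat_rules: bad or missing public address '$wan_ip'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN
iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -t nat -A PREROUTING -i $LAN_IF -j $CHAIN
iptables -t nat -A $CHAIN -s $LAN_NET -d $wan_ip -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
EOF
}

# Usage:  hairpin.sh [PUBLIC_IP]          print the rules for review
#         APPLY=1 hairpin.sh [PUBLIC_IP]  run them (as root)
# With no argument the address is read from ppp0; nothing happens if it is down.
WAN_IP="${1:-$(ppp0_ip)}"
if [ -n "$WAN_IP" ]; then
    if [ "${APPLY:-0}" = "1" ]; then
        { static_rules; hairpin_dnat_rules "$WAN_IP"; } | sh -e
    else
        static_rules
        hairpin_dnat_rules "$WAN_IP"
    fi
fi
```

To hook it to the link coming up, call it from /etc/ppp/ip-up as `APPLY=1 /usr/local/sbin/hairpin.sh "$4"`, since pppd passes the new local address as the fourth argument; every re-dial then flushes the `hairpin` chain and refills it with the current address, while the SNAT and FORWARD rules stay in the main firewall script. Because the reply is rewritten by conntrack on the way back, the LAN client sees a conversation with the public address, which is what sebmil wants to test. If the router starts sending ICMP redirects to LAN clients for this flow, `sysctl -w net.ipv4.conf.eth0.send_redirects=0` stops that.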
 
sebmil
Guest
Posts: n/a

 
      08-10-2004, 03:10 PM
> To keep the lower back healtier:
> (snip)


Thanks for your answer, please look at my answer to P Gentry as it seems
that my initial explanation was not clear.
 
 
sebmil
Guest
Posts: n/a

 
      08-10-2004, 03:12 PM
>> I would like to know if it is possible to access a NATted webserver with
>> its external address from inside the network, and how.

>
> If you have a DNS server on your network, this is trivial. See any of the
> DNS howtos - google is your friend.


Thank you for your answer.
Currently I have a local DNS server which does exactly what you have in
mind, but the problem is not there; please look at my answer to P Gentry
for details.
 
 
Tauno Voipio
Guest
Posts: n/a

 
      08-10-2004, 06:24 PM
sebmil wrote:
>>>I would like to know if it is possible to access a NATted webserver with
>>>its external address from inside the network, and how.
>>>
>>>Here's my network :
>>>
>>>Webserver :
>>>IP 192.168.0.54, connected to LAN
>>>
>>>Router/gateway :
>>>IP 192.168.0.55 on eth0, connected to LAN Dynamic IP on ppp0, connected
>>>to Internet routing port 80 (DNAT) to 192.168.0.54
>>>
>>>LAN clients :
>>>IP 192.168.0.xx, connected on LAN
>>>
>>>I use dyndns services so i can access my server from outside with URL
>>>like xxx.dyndns.org, and it works.
>>>
>>>The problem is, from the LAN i would also like to access the webserver
>>>by using the xxx.dyndns.org URL.
>>>

>>
>>[snip]
>>
>>Quick review -- to make sure _I_ understand what you're thinking ;-)
>>
>>xxx.dyndns.org is a stable url that is updated to reflect your changing
>>_public_ IP (on ppp0)
>>192.168.0.54 is the stable IP of your web server you use port forwarding
>>to direct incoming traffic thus: iptables -A FORWARD -i ppp0 -p tcp
>>--dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport
>>80 -j DNAT --to-destination 192.168.0.54

>
>
> Right
>
>
>>Currently, lan traffic to your web server (using xxx.dyndns.org) must go
>>out to dyndns.org to fetch the IP of your ppp0 interface -- you would like
>>to intercept that fetch and have lan traffic headed for xxx.dyndns.org to
>>be routed directly to 192.168.0.54:80.

>
>
> Not really, I want to use 2 hops to access my local server
>
> Currently I use a local DNS server which tells "xxx.dyndns.org is
> 192.168.0.54" to all LAN clients, but this way i can't be sure that the
> website is still usable from outside, using the real dyndns IP.
>
> So i would like to be able to access it like if i was outside the LAN,
> without using an external proxy or so.
>
> I think the main problem is the packet arrives on the router, going to
> it's external IP, and can't be forwarded to the server, or maybe the
> server's answer can't be routed back to the local client.
>
>
>>BTW, not knowing your netmask, I'm assuming that your web server is truly
>>_inside_ your lan -- ie., you're inviting the outside world _into_ your
>>private net. Would be much safer/secure to get another nic in your GW and
>>place that web server in a proper DMZ on its own network if at all
>>possible. It would scare me if this lan is part of a business operation of
>>any kind. A switch (rather than a hub) won't be of much help. I would
>>rate this a higher priority than your stated problem /;~(

>
>
> Right now it's only a private server, used by a few people country-wide
> for a group work, and this box can't communicate with other LAN boxes
> until someone gets root on it and changes iptables rules.
> Of course a real DMZ would be better but it's not that critical as the box
> (and the LAN) is of no interest to the public.
> Of course, all software are regularly updated.
>
> Thanks for the concern.


Maybe you should think about setting up a VPN (Virtual Private Network)
among the intended users, so the server is local to the private network
for all participants and invisible to all others.

The idea of a VPN is to package the internal network's IP packets into
an external transport packet and use the Internet to transport these.
For security and privacy, the contents are usually also encrypted.

Using Linux gateways, my favourite VPN is CIPE.

Tauno Voipio
tauno voipio (at) iki fi

 
 
Alex Potter
Guest
Posts: n/a

 
      08-10-2004, 06:28 PM
sebmil wrote:

>>> I would like to know if it is possible to access a NATted webserver
>>> with its external address from inside the network, and how.
>>>
>>> Here's my network :
>>>
>>> Webserver :
>>> IP 192.168.0.54, connected to LAN
>>>
>>> Router/gateway :
>>> IP 192.168.0.55 on eth0, connected to LAN Dynamic IP on ppp0,
>>> connected to Internet routing port 80 (DNAT) to 192.168.0.54
>>>
>>> LAN clients :
>>> IP 192.168.0.xx, connected on LAN
>>>
>>> I use dyndns services so i can access my server from outside with
>>> URL like xxx.dyndns.org, and it works.
>>>
>>> The problem is, from the LAN i would also like to access the
>>> webserver by using the xxx.dyndns.org URL.
>>>

>> [snip]
>>
>> Quick review -- to make sure _I_ understand what you're thinking ;-)
>>
>> xxx.dyndns.org is a stable url that is updated to reflect your
>> changing _public_ IP (on ppp0)
>> 192.168.0.54 is the stable IP of your web server you use port
>> forwarding to direct incoming traffic thus: iptables -A FORWARD -i
>> ppp0 -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i
>> ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.54

>
> Right
>
>> Currently, lan traffic to your web server (using xxx.dyndns.org) must
>> go out to dyndns.org to fetch the IP of your ppp0 interface -- you
>> would like to intercept that fetch and have lan traffic headed for
>> xxx.dyndns.org to be routed directly to 192.168.0.54:80.

>
> Not really, I want to use 2 hops to access my local server
>
> Currently I use a local DNS server which tells "xxx.dyndns.org is
> 192.168.0.54" to all LAN clients, but this way i can't be sure that
> the website is still usable from outside, using the real dyndns IP.
>
> So i would like to be able to access it like if i was outside the LAN,
> without using an external proxy or so.
>
> I think the main problem is the packet arrives on the router, going to
> it's external IP, and can't be forwarded to the server, or maybe the
> server's answer can't be routed back to the local client.
>
>> BTW, not knowing your netmask, I'm assuming that your web server is
>> truly _inside_ your lan -- ie., you're inviting the outside world
>> _into_ your
>> private net. Would be much safer/secure to get another nic in your
>> GW and place that web server in a proper DMZ on its own network if at
>> all possible. It would scare me if this lan is part of a business
>> operation of
>> any kind. A switch (rather than a hub) won't be of much help. I
>> would rate this a higher priority than your stated problem /;~(

>
> Right now it's only a private server, used by a few people
> country-wide for a group work, and this box can't communicate with
> other LAN boxes until someone gets root on it and changes iptables
> rules. Of course a real DMZ would be better but it's not that critical
> as the box (and the LAN) is of no interest to the public.
> Of course, all software are regularly updated.
>
> Thanks for the concern.


I have almost exactly the same situation as you. I use bind to provide
DNS to my LAN - If you care to email me, I'll provide you with my
config files.


 
 
P Gentry
Guest
Posts: n/a

 
      08-10-2004, 06:56 PM
Tauno Voipio <(E-Mail Removed)> wrote in message news:<s2RRc.405$(E-Mail Removed)>...
> P Gentry wrote:
> > sebmil <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)> ...
> >
> >
> > Facts:
> > 192.168.0.54 is as stable as _you_ make it.
> > xxx.dyndns.org is as stable as it is -- any changes would have to be
> > propogated in a number of ways -- but assume it is satisfactory
> > therefore, we need a way to associate stable xxx.dyndns.org with never
> > changing 192.168.0.54 _only_ for your lan machines -- /etc/hosts would
> > be my candidate.
> >
> > Yes, it's a pain in the arse to edit or overwrite /etc/hosts on each
> > machine on the lan, but once done, your done -- till xxx.dyndns.org
> > changes or you decide to change your web server's IP. It will give
> > you practice doing remote admin via telnet ;-)
> >

>
> To keep the lower back healtier:
>
> I suggest setting up dnsmasq to the router host. It does cache the
> DNS queries to the other nodes in the local network and it can
> also propagate the entries from then /etc/hosts file of the router
> to the other nodes in the local network, so there will be only
> one /etc/hosts file to maintain.
>
> Tauno Voipio
> tauno voipio (at) iki fi


Ah! I couldn't remember the name of this to save my life -- so kept
quiet in case it was my imagination. Worse yet, I've actually
installed it for others 2-3 times over the years. Memory must be
going south ;-(grrr)

thanks for the reminder,
prg
email above disabled
 
 
 
 