Re: Access NATted webserver from inside the network

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/09/04

    Date: 9 Aug 2004 10:14:30 -0700
    
    

    sebmil <sebmil@invalid.mail> wrote in message news:<pan.2004.08.08.20.56.55.576135@invalid.mail>...
    > Hello,
    >
    > I would like to know if it is possible to access a NATted webserver with
    > its external address from inside the network, and how.
    >
    > Here's my network :
    >
    > Webserver :
    > IP 192.168.0.54, connected to LAN
    >
    > Router/gateway :
    > IP 192.168.0.55 on eth0, connected to LAN
    > Dynamic IP on ppp0, connected to Internet
    > routing port 80 (DNAT) to 192.168.0.54
    >
    > LAN clients :
    > IP 192.168.0.xx, connected on LAN
    >
    > I use dyndns services so i can access my server from outside with URL
    > like xxx.dyndns.org, and it works.
    >
    > The problem is, from the LAN i would also like to access the webserver by
    > using the xxx.dyndns.org URL.
    >
    [snip]
    >
    > Thanks in advance,
    >
    > Sebmil.

    Quick review -- to make sure _I_ understand what you're thinking ;-)

    xxx.dyndns.org is a stable url that is updated to reflect your
    changing _public_ IP (on ppp0)
    192.168.0.54 is the stable IP of your web server
    you use port forwarding to direct incoming traffic thus:
    iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.54

    Currently, lan traffic to your web server (using xxx.dyndns.org) must
    go out to dyndns.org to fetch the IP of your ppp0 interface -- you
    would like to intercept that fetch and have lan traffic headed for
    xxx.dyndns.org to be routed directly to 192.168.0.54:80.

    Unless I had a number of other reasons to use an internal/forwarding
    DNS server, I would consider this approach to be like calling for a
    backhoe operator to help me plant a dozen bulbs ;-)

    Facts:
    192.168.0.54 is as stable as _you_ make it.
    xxx.dyndns.org is as stable as it is -- any changes would have to be
    propagated in a number of ways -- but assume it is satisfactory
    therefore, we need a way to associate stable xxx.dyndns.org with never
    changing 192.168.0.54 _only_ for your lan machines -- /etc/hosts would
    be my candidate.

    Yes, it's a pain in the arse to edit or overwrite /etc/hosts on each
    machine on the lan, but once done, you're done -- till xxx.dyndns.org
    changes or you decide to change your web server's IP. It will give
    you practice doing remote admin via telnet ;-)

    Otherwise, you have to write a netfilter rule that says any traffic
    from lan headed for the IP of ppp0 (port 80) will be forwarded to
    192.168.0.54:80, but to get the IP of ppp0 you have to fetch it
    somehow -- script, DNS, or an out-n-back fetch with each (uncached)
    request. There should be some posts around here on how to use a
    script to get the IP of ppp0 (after it's up of course) then insert the
    rule via your iptable script. Or you might try:
    http://www.linuxguruz.com/iptables/ for a similar script.

    BTW, not knowing your netmask, I'm assuming that your web server is
    truly _inside_ your lan -- i.e., you're inviting the outside world
    _into_ your private net. Would be much safer/secure to get another
    nic in your GW and place that web server in a proper DMZ on its own
    network if at all possible. It would scare me if this lan is part of a
    business operation of any kind. A switch (rather than a hub) won't be
    of much help. I would rate this a higher priority than your stated
    problem /;~(

    hth,
    prg
    email above disabled
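
The netfilter alternative described in the reply above, as an added example that is not part of the original post: it reads the ppp0 address and prints (does not apply) the rules for LAN clients reaching the web server by its public address. The SNAT rule is there because without it the web server answers the LAN client directly and the client discards the reply as coming from the wrong address. Assumptions: the LAN is 192.168.0.0/24 on eth0, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints hairpin-NAT rules for the network in this thread.
# Assumed, not stated in the thread: the /24 netmask. Function names are hypothetical.
LAN_IF=eth0
LAN_NET=192.168.0.0/24     # assumed netmask
GW_LAN_IP=192.168.0.55     # gateway address on eth0
WEB_IP=192.168.0.54        # web server

# Read `ip -4 -o addr show dev ppp0` output on stdin, print the local address.
wan_ip_from() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") {
               sub(/\/.*/, "", $(i+1)); print $(i+1); exit } }'
}

# Succeed only for a dotted quad, so a down interface never yields a broken rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the three rules for the given public address.
hairpin_rules() {
    wan_ip=$1
    is_ipv4 "$wan_ip" || { echo "no usable ppp0 address" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $wan_ip -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $GW_LAN_IP
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j ACCEPT
EOF
}

# Constructed sample line (documentation addresses); on the gateway, feed
# wan_ip_from from `ip -4 -o addr show dev ppp0` instead.
SAMPLE='3: ppp0    inet 203.0.113.7 peer 198.51.100.1/32 scope global ppp0'
hairpin_rules "$(printf '%s\n' "$SAMPLE" | wan_ip_from)"
```

Only the PREROUTING rule contains the public address, so when ppp0 comes up with a new address the old copy of that rule has to be deleted before the new one is added.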

