Re: Access NATted webserver from inside the network
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 9 Aug 2004 10:14:30 -0700
sebmil <email@example.com> wrote in message news:<firstname.lastname@example.org>...
> I would like to know if it is possible to access a NATted webserver with
> its external address from inside the network, and how.
> Here's my network :
> Webserver :
> IP 192.168.0.54, connected to LAN
> Router/gateway :
> IP 192.168.0.55 on eth0, connected to LAN
> Dynamic IP on ppp0, connected to Internet
> routing port 80 (DNAT) to 192.168.0.54
> LAN clients :
> IP 192.168.0.xx, connected on LAN
> I use dyndns services so i can access my server from outside with URL
> like xxx.dyndns.org, and it works.
> The problem is, from the LAN i would also like to access the webserver by
> using the xxx.dyndns.org URL.
> Thanks in advance,
Quick review -- to make sure _I_ understand what you're thinking ;-)
xxx.dyndns.org is a stable url that is updated to reflect your
changing _public_ IP (on ppp0)
192.168.0.54 is the stable IP of your web server
you use port forwarding to direct incoming traffic thus:
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.54:80
Currently, lan traffic to your web server (using xxx.dyndns.org) must
go out to dyndns.org to fetch the IP of your ppp0 interface -- you
would like to intercept that fetch and have lan traffic headed for
xxx.dyndns.org to be routed directly to 192.168.0.54:80.
Unless I had a number of other reasons to use an internal/forwarding
DNS server, I would consider this approach to be like calling for a
backhoe operator to help me plant a dozen bulbs ;-)
192.168.0.54 is as stable as _you_ make it.
xxx.dyndns.org is as stable as it is -- any changes would have to be
propagated in a number of ways -- but assume it is satisfactory
therefore, we need a way to associate stable xxx.dyndns.org with never
changing 192.168.0.54 _only_ for your lan machines -- /etc/hosts would
be my candidate.
Yes, it's a pain in the arse to edit or overwrite /etc/hosts on each
machine on the lan, but once done, you're done -- till xxx.dyndns.org
changes or you decide to change your web server's IP. It will give
you practice doing remote admin via telnet ;-)
Otherwise, you have to write a netfilter rule that says any traffic
from lan headed for the IP of ppp0 (port 80) will be forwarded to
192.168.0.54:80, but to get the IP of ppp0 you have to fetch it
somehow -- script, DNS, or an out-n-back fetch with each (uncached)
request. There should be some posts around here on how to use a
script to get the IP of ppp0 (after it's up of course) then insert the
rule via your iptable script. Or you might try:
http://www.linuxguruz.com/iptables/ for a similar script.
BTW, not knowing your netmask, I'm assuming that your web server is
truly _inside_ your lan -- i.e., you're inviting the outside world
_into_ your private net. Would be much safer/secure to get another
nic in your GW and place that web server in a proper DMZ on its own
network if at all possible. It would scare me if this lan is part of a
business operation of any kind. A switch (rather than a hub) won't be
of much help. I would rate this a higher priority than your stated
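The netfilter alternative the reply sketches (fetch the ppp0 address once the link is up, then add a rule sending LAN traffic for that address on port 80 to 192.168.0.54) can be put together as a small script. The one below is an added example, not code from the post or from linuxguruz.com; the interface names, the 192.168.0.0/24 LAN mask and the `ip addr` sample text are assumptions, and the address-extraction step takes its input on stdin so the script can be exercised without a live ppp0. It also adds the second rule the reply does not mention: without a source-NAT on the hairpinned connection the web server answers the LAN client directly, the client sees a reply from 192.168.0.54 for a connection it opened to the public address, and the TCP handshake never completes.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT for a DNATted web server, for the topology in the
# post.  All values below are assumptions, not from the post: WAN link ppp0,
# LAN on eth0, LAN network 192.168.0.0/24, web server 192.168.0.54:80.
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_IP=${WEB_IP:-192.168.0.54}
WEB_PORT=${WEB_PORT:-80}

# Constructed sample of "ip -4 addr show ppp0" output (documentation-range
# address), used when the script is run without arguments.
SAMPLE_IPADDR='5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    inet 203.0.113.17 peer 203.0.113.1/32 scope global ppp0'

# Print the first IPv4 address found in "ip -4 addr show <if>" text on stdin.
# Point-to-point links print "inet A.B.C.D peer ...", so do not expect a /prefix.
wan_ip_from_ipaddr() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Emit the three iptables commands for the hairpin, one per line, given the
# current public address.  Printing rather than executing keeps the function
# testable and lets "--show" be used as a dry run.
hairpin_rules() {
    wan_ip=$1
    # 1. LAN client -> public IP:80 is rewritten to the web server, exactly as
    #    the existing PREROUTING DNAT does for traffic arriving on ppp0.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $wan_ip -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
    # 2. Source-NAT the hairpinned connection to the router's own LAN address so
    #    the web server's replies come back through the router (where the DNAT
    #    is undone) instead of going straight to the client and being dropped.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport $WEB_PORT -j MASQUERADE"
    # 3. The packet now enters and leaves on eth0; allow that in FORWARD.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport $WEB_PORT -j ACCEPT"
}

# Entry point.  No arguments: demonstrate on the constructed sample text.
# "--show": read the live ppp0 address and print the rules.  "--apply": run them
# (needs root and an up ppp0).
case "${1:-}" in
    --show|--apply)
        wan_ip=$(ip -4 addr show "$WAN_IF" | wan_ip_from_ipaddr)
        [ -n "$wan_ip" ] || { echo "$WAN_IF has no IPv4 address (link down?)" >&2; exit 1; }
        if [ "$1" = --apply ]; then
            hairpin_rules "$wan_ip" | sh -e
        else
            hairpin_rules "$wan_ip"
        fi
        ;;
    *)
        wan_ip=$(printf '%s\n' "$SAMPLE_IPADDR" | wan_ip_from_ipaddr)
        echo "# sample $WAN_IF address: $wan_ip"
        hairpin_rules "$wan_ip"
        ;;
esac
```

Because the public address changes with every dial-up, the natural place to run this is pppd's ip-up hook (pppd hands the new local address to /etc/ppp/ip-up as its fourth argument), with a matching ip-down that removes the rules again; the script above re-reads the address with `ip` instead so it can also be run by hand. The price of the MASQUERADE rule is that the web server's access log shows every LAN client as the router's address, which is one more reason the reply's /etc/hosts suggestion is the simpler answer for a handful of machines.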