Seth Hollen writes: 
> Thanks People, I had it working fine on internal stuff (ie when I typed
> 127.0.0.1 I got the apache test page)
> So I called a friend and had him type in my ip address into his browser
> and he saw it, so it works, I guess there must be a problem with the
> request going out through my router then back in. I wonder if a router
> upgrade would help? 
> 
> Seth
The problem you're having comes from DNATing back into your LAN from a 
machine on that LAN.  This is how it goes:  Your client box sends the 
connect packet to the external IP, which it knows has to go through the 
router (Source Internal box A 'INT-A', Destination External 'EXT').  Since 
the router has a rule that says, "Anything to EXT on port 80, change it so 
the destination is INT-WEB", it rewrites the packet to look like: Source 
INT-A, Destination INT-WEB, and sends it on.  When the packet gets to the 
webserver on INT-WEB, it tries to respond by sending a response packet to 
the original source IP (INT-A).  So, this response packet looks like - 
Source INT-WEB, Destination INT-A.  Since this packet's destination is on 
the internal LAN, it's like any other LAN traffic, and doesn't go through 
the router.  When the web client box (INT-A) gets this "response", it looks 
at it like so: "Hmm, response packet from a webserver (port 80) at INT-WEB.  
You know, I'm waiting on a response from a web server, but I'm expecting it 
to come from EXT, not INT-WEB.  This must be junk, I'll just throw it away."
... And your web client software sits and waits for a response that never 
comes.  To fix the problem, you have to Source NAT the original connection 
packet so it comes back to the router first.  In most implementations, 
destination NAT is done first, so you have to write the SNAT rule with that 
in mind.  Add a rule that says, "If a packet comes in from my internal LAN 
with a destination of INT-WEB port 80 (it was already rewritten by the DNAT 
rule), change the source IP to be EXT (the router)."  This way when the 
webserver sees the initial connection packet, it will respond to the 
router's EXT IP, which will automatically rewrite the response packet's 
destination to be INT-A (that's the way NAT works).
Make sense?  I hope so...  It's early and I'm still waking up from the long 
weekend. ;)  Any questions/clarifications just ask. 
To summarize:
To use NAT with an internal webserver, you need 2 rules.  One you already 
have:
Match: Source: Any:Any, Destination: EXT:80 - DNAT Destination IP to INT-WEB 
...And one you need:
Match: Source: INT-LAN:Any, Destination: INT-WEB:80 - SNAT from EXT 
I don't know how you specify rules on your router, but for Linux IPTables, 
they might look like this: 
# iptables -t nat -A PREROUTING -d $EXT -p tcp --dport 80 \
    -j DNAT --to $INT_WEB
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d $INT_WEB -p tcp --dport 80 \
    -j SNAT --to $EXT
For the record, this is just one way to do it.  You can also set up an 
internal DNS server that will spit out the INT-WEB address for 
www.yoursite.com.  If you aren't already running DNS with an internal only 
view, it's much easier to solve this with the extra router NAT command. 
 -Ken 
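As an added illustration (not part of Ken's mail, and not code from any router or iptables project): a small Python model of the two packet flows described above. It assumes constructed addresses for EXT, INT-A and INT-WEB, a toy connection-tracking table on the router, and the ordering Ken mentions (DNAT in PREROUTING before SNAT in POSTROUTING). Running it with and without the hairpin SNAT rule shows why the client discards the reply in the first case and accepts it in the second.

```python
"""Hairpin NAT walkthrough: LAN client -> router (DNAT, optional SNAT) -> LAN web server.

All addresses below are constructed sample values, not taken from the thread.
"""
from dataclasses import dataclass, replace

EXT = "203.0.113.10"        # router's public IP (constructed)
INT_A = "192.168.1.20"      # web client on the LAN (constructed)
INT_WEB = "192.168.1.80"    # internal web server (constructed)
LAN_PREFIX = "192.168.1."   # the internal LAN (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def on_lan(ip: str) -> bool:
    """LAN-to-LAN traffic is delivered directly and never crosses the router."""
    return ip.startswith(LAN_PREFIX)


class Router:
    """Toy NAT router with a connection-tracking table (hypothetical model)."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # original 4-tuple of the first packet -> 4-tuple after NAT
        self.conntrack: dict[tuple, tuple] = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply path: a packet that is the reverse of a translated flow gets
        # un-NATed back to what the original sender expects.
        for orig, xlat in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat[2], xlat[3], xlat[0], xlat[1]):
                return replace(pkt, src=orig[2], sport=orig[3], dst=orig[0], dport=orig[1])

        # New connection. PREROUTING DNAT: "anything to EXT:80 goes to INT-WEB".
        new = pkt
        if pkt.dst == EXT and pkt.dport == 80:
            new = replace(new, dst=INT_WEB)

        # POSTROUTING SNAT runs after DNAT, so it matches the already-rewritten
        # destination: LAN source heading to INT-WEB:80 gets EXT as its source.
        if self.hairpin_snat and on_lan(pkt.src) and new.dst == INT_WEB and new.dport == 80:
            new = replace(new, src=EXT)

        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (new.src, new.sport, new.dst, new.dport)
        return new


def simulate(hairpin_snat: bool) -> tuple[bool, Packet]:
    """Return (client_accepted_reply, reply_as_seen_by_client)."""
    router = Router(hairpin_snat)

    # 1. Client opens a connection to the public address; EXT is off-LAN,
    #    so the packet goes to the default gateway (the router).
    request = Packet(INT_A, 40000, EXT, 80, "GET / HTTP/1.0")
    expected_peer = (EXT, 80)           # the socket the client is waiting on
    to_web = router.forward(request)

    # 2. The web server replies to whatever source address it saw.
    reply = Packet(INT_WEB, 80, to_web.src, to_web.sport, "HTTP/1.0 200 OK")

    # 3. Delivery: if the reply is addressed to a LAN host it goes straight
    #    there; only off-LAN destinations (EXT) pass through the router again.
    arrived = reply if on_lan(reply.dst) else router.forward(reply)

    # 4. The client only accepts a reply matching the 4-tuple it opened.
    accepted = (arrived.src, arrived.sport) == expected_peer \
        and (arrived.dst, arrived.dport) == (INT_A, 40000)
    return accepted, arrived


if __name__ == "__main__":
    for snat in (False, True):
        ok, seen = simulate(snat)
        print(f"hairpin SNAT={snat}: client sees reply from {seen.src}:{seen.sport}, "
              f"accepted={ok}")
```

Without the SNAT rule the client sees a reply from INT-WEB:80 while it is waiting on EXT:80, so the reply is dropped exactly as Ken describes; with the rule the reply is routed back through the router, un-NATed, and accepted.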
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:31:26 EDT