* How to loop back internal traffic?
@ 2007-02-10  8:45 Jorge Canas
  2007-02-10  9:36 ` Elvir Kuric
  2007-02-10 11:07 ` Cedric Blancher
  0 siblings, 2 replies; 5+ messages in thread
From: Jorge Canas @ 2007-02-10  8:45 UTC (permalink / raw)
  To: netfilter

Hi,

I have a machine configured as my gateway: nat, fw & dhcp server for other 
machines inside my local network.  The gw machine has a public IP (assigned 
via DHCP from ISP) and a public domain name (updated through ddns).

I have one of my other internal machines running a webserver.  The gw just 
does port forwarding of external traffic (destined for port 80) to this 
other internal machine.

How do I configure the firewall rules on the gw so that the port forwarding 
also occurs when my other local network machines try to go to the website 
via the public domain name?

Thanks.


* Re: How to loop back internal traffic?
  2007-02-10  8:45 How to loop back internal traffic? Jorge Canas
@ 2007-02-10  9:36 ` Elvir Kuric
  2007-02-10 11:07 ` Cedric Blancher
  1 sibling, 0 replies; 5+ messages in thread
From: Elvir Kuric @ 2007-02-10  9:36 UTC (permalink / raw)
  To: Jorge Canas, netfilter

Hi, 
try this
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination ip_address_of_server_in_internal_network
(ppp0, or however you call your external interface)

Regards 
--- Jorge Canas <jcanas2000@hotmail.com> wrote:

> Hi,
> 
> I have a machine configured as my gateway: nat, fw &
> dhcp server for other 
> machines inside my local network.  The gw machine
> has a public IP (assigned 
> via DHCP from ISP) and a public domain name (updated
> through ddns).
> 
> I have one of my other internal machines running a
> webserver.  The gw just 
> does port forwarding of external traffic (destined
> for port 80) to this 
> other internal machine.
> 
> How do I configure the firewall rules on the gw so
> that the port forwarding 
> also occurs when my other local network machines try
> to go to the website 
> via the public domain name?
> 
> Thanks.
> 

* Re: How to loop back internal traffic?
  2007-02-10  8:45 How to loop back internal traffic? Jorge Canas
  2007-02-10  9:36 ` Elvir Kuric
@ 2007-02-10 11:07 ` Cedric Blancher
  2007-02-10 20:48   ` Jorge Canas
  1 sibling, 1 reply; 5+ messages in thread
From: Cedric Blancher @ 2007-02-10 11:07 UTC (permalink / raw)
  To: Jorge Canas; +Cc: netfilter

Le samedi 10 février 2007 à 03:45 -0500, Jorge Canas a écrit :
> How do I configure the firewall rules on the gw so that the port forwarding 
> also occurs when my other local network machines try to go to the website 
> via the public domain name?

You have to extend your SNAT rule so those machines get NATed when
trying to reach this webserver using its public IP; otherwise you'll
get a triangle situation where your webserver sends its SYN/ACK directly
through the LAN with its private IP.

Something like:

	iptables -t nat -A POSTROUTING -s $LAN -d $WebServPrivIP \
		-j SNAT --to-source $GWPrivIP


BTW, it's a FAQ, but I agree it might be difficult to find relevant
answers in the wild.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: How to loop back internal traffic?
  2007-02-10 11:07 ` Cedric Blancher
@ 2007-02-10 20:48   ` Jorge Canas
  0 siblings, 0 replies; 5+ messages in thread
From: Jorge Canas @ 2007-02-10 20:48 UTC (permalink / raw)
  To: blancher; +Cc: netfilter

>From: Cedric Blancher <blancher@cartel-securite.fr>
>To: Jorge Canas <jcanas2000@hotmail.com>
>
>Le samedi 10 février 2007 à 03:45 -0500, Jorge Canas a écrit :
> > How do I configure the firewall rules on the gw so that the port 
>forwarding
> > also occurs when my other local network machines try to go to the 
>website
> > via the public domain name?
>
>You have to extend your SNAT rule so those machines get NATed when
>trying to reach this webserver using its public IP; otherwise you'll
>get a triangle situation where your webserver sends its SYN/ACK directly
>through the LAN with its private IP.
>
>Something like:
>
>	iptables -t nat -A POSTROUTING -s $LAN -d $WebServPrivIP \
>		-j SNAT --to-source $GWPrivIP
>
>
>BTW, it's a FAQ, but I agree it might be difficult to find relevant
>answers in the wild.

Thanks for the reply Cedric.  I tried the rule but it did not work.  I got a 
connection refused message. This is the rule I added:

iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -d 192.168.123.164 -j SNAT --to-source 192.168.123.161

My internal webserver is running at 192.168.123.164
The internal interface of the GW is 192.168.123.161


* Re: How to loop back internal traffic?
       [not found] <da3a2a260702110107x33e1215cw4df80893c24f619f@mail.gmail.com>
@ 2007-02-13 20:56 ` Jorge Canas
  0 siblings, 0 replies; 5+ messages in thread
From: Jorge Canas @ 2007-02-13 20:56 UTC (permalink / raw)
  To: jcanas2000; +Cc: netfilter

>From: "James Shewey"
>
>try:
>
>iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -d www.externaldomainname.com -j SNAT --to-source 192.168.123.161
>
>
>This will automagically fill in the destination IP for you and
>redirect any traffic sent to the external IP. This works on my home
>rig with FTP. Just make sure DNS is working!
>

Thanks James, that ended up resolving the address (via DNS) right before the 
rule was inserted, which to me seems sensible and the right thing to do.  
So, it does work, but when the addr changes (dhcp), the rule becomes 
obsolete.

A previous response prompted me to take a closer look at the FAQs, and 
according to the "Destination NAT onto the same network" section of the NAT 
Howto/FAQ, the following two rules should work:


    # iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
    # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.250

However, this stuff assumes that the public address of the server is static 
(1.2.3.4 in the above rules) and I am trying to make this work when the 
public address is dhcp'ed.

Is there a way to make this work with dynamic IP addresses?  Assume dynDNS 
is at work here...

Thanks.
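The two NAT HOWTO rules above, rebuilt each time the WAN address changes, as an added example that is not part of the thread: the script reads the current address off the external interface instead of baking in 1.2.3.4, and keeps the rules in their own chains so they can be flushed and reinstalled from a DHCP client hook. It assumes the interface name ppp0, the chain name HAIRPIN80, and the LAN addresses Jorge posted; the sample `ip` output in the test is constructed.

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a gateway whose public address comes from DHCP.
# Added example, not from the thread. Assumed: WAN_IF is the ISP-facing
# interface, the LAN values are the ones posted above, the chain name is ours.
set -eu

WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="192.168.123.0/24"
WEB_IP="192.168.123.164"        # internal webserver
GW_LAN_IP="192.168.123.161"     # gateway's LAN-side address
CHAIN="HAIRPIN80"               # own chains, so a lease change can rebuild them

# Pull the IPv4 address out of `ip -4 -o addr show dev $WAN_IF` output.
# Handles both "inet A.B.C.D/24" (ethernet) and "inet A.B.C.D peer ..." (ppp).
wan_ip_from_ip_output() {
    printf '%s\n' "$1" | sed -n 's|.* inet \([0-9.]*\)[ /].*|\1|p' | head -n 1
}

# Rule 1: rewrite the destination for anyone, LAN clients included, who hits
# the public IP on port 80. Deliberately no "-i $WAN_IF": a DNAT limited to
# the external interface never sees packets arriving from the LAN side.
dnat_rule() {
    printf 'iptables -t nat -A %s-pre -d %s -p tcp --dport 80 -j DNAT --to-destination %s' \
        "$CHAIN" "$1" "$WEB_IP"
}

# Rule 2: make LAN clients look like the gateway so the webserver's SYN/ACK
# returns through the gateway instead of straight across the LAN.
snat_rule() {
    printf 'iptables -t nat -A %s-post -s %s -d %s -p tcp --dport 80 -j SNAT --to-source %s' \
        "$CHAIN" "$LAN_NET" "$WEB_IP" "$GW_LAN_IP"
}

# Rebuild the hairpin rules for the address currently on the WAN interface.
# Call this from the DHCP client's exit hook so the rules follow the lease
# rather than going stale like a hostname resolved once at insert time.
apply_hairpin() {
    wan_ip=$(wan_ip_from_ip_output "$(ip -4 -o addr show dev "$WAN_IF")")
    [ -n "$wan_ip" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
    for hook in pre post; do
        iptables -t nat -N "$CHAIN-$hook" 2>/dev/null || iptables -t nat -F "$CHAIN-$hook"
    done
    iptables -t nat -C PREROUTING  -j "$CHAIN-pre"  2>/dev/null || iptables -t nat -I PREROUTING  -j "$CHAIN-pre"
    iptables -t nat -C POSTROUTING -j "$CHAIN-post" 2>/dev/null || iptables -t nat -I POSTROUTING -j "$CHAIN-post"
    eval "$(dnat_rule "$wan_ip")"
    eval "$(snat_rule)"
}
```

Running `apply_hairpin` needs root and an `iptables` with `-C` support; the rule builders and the address parser run without either.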
