This is a discussion on contacting webserver from local network within the Linux Networking forums, part of the Linux Forums category.

Hi,

I'm a bit messing around with iptables, and it's going very well. My firewall script already has 700 rules. There's only 1 thing that isn't working right. On the same PC where the firewall is working, Apache is listening on port 80. The problem is that I can't access my webserver on my external IP address from my local network. The Apache configuration is fine, my friends can access it and connecting the webserver from behind an external proxy server is also working well. Are there any rules to make my script complete, so I can access the webserver from the LAN on my external IP?

byebye,
michael

"Chandler Bing" <mich@rotmail.nl> wrote in message
news:4040c189$0$42497$abc4f4c3@news.wanadoo.nl...
> Hi,
>
> I'm a bit messing around with iptables, and it's going very well. My
> firewall script already has 700 rules. There's only 1 thing that isn't
> working right. On the same PC where the firewall is working, Apache is
> listening on port 80. The problem is that I can't access my webserver on my
> external IP address from my local network. The Apache configuration is fine,
> my friends can access it and connecting the webserver from behind an
> external proxy server is also working well. Are there any rules to make my
> script complete, so I can access the webserver from the LAN on my external
> IP?

Hi there,

I would /think/ (haven't ever tested it) that something like this should work:

iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d 1.2.3.4/32 -p tcp --dport 80 -j DNAT --to 1.2.3.4:80

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.0/24 -d 1.2.3.4 --dport 80 -j MASQUERADE

Where 10.0.0.0/24 is your local LAN and subnet and 1.2.3.4 is your external IP address.

HTH, Cheers,

Dave.

"David Cutting" <dcutting@spambuster.purplepixie.org> wrote in message
news:c1qsk9$scs$1$8302bc10@news.demon.co.uk...
> "Chandler Bing" <mich@rotmail.nl> wrote in message
> news:4040c189$0$42497$abc4f4c3@news.wanadoo.nl...
> > Hi,
> >
> > I'm a bit messing around with iptables, and it's going very well. My
> > firewall script already has 700 rules. There's only 1 thing that isn't
> > working right. On the same PC where the firewall is working, Apache is
> > listening on port 80. The problem is that I can't access my webserver on my
> > external IP address from my local network. The Apache configuration is fine,
> > my friends can access it and connecting the webserver from behind an
> > external proxy server is also working well. Are there any rules to make my
> > script complete, so I can access the webserver from the LAN on my external
> > IP?
>
> Hi there,
>
> I would /think/ (haven't ever tested it) that something like
> this should work:
>
> iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d 1.2.3.4/32 -p tcp --dport 80 -j DNAT --to 1.2.3.4:80
>
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.0/24 -d 1.2.3.4 --dport 80 -j MASQUERADE
>
> Where 10.0.0.0/24 is your local LAN and subnet and
> 1.2.3.4 is your external IP address.
>
> HTH, Cheers,
>
> Dave.

Hi,

I've tried your rules in my firewall, but I still can't access my webserver from inside. Are you sure these rules are right? Thanks anyway for the reply...

byebye,
michael

"Chandler Bing" <mich@rotmail.nl> wrote in message
news:4041cea1$0$49818$1b2cd167@news.wanadoo.nl...
>
> "David Cutting" <dcutting@spambuster.purplepixie.org> wrote in message
[snip]
> > I would /think/ (haven't ever tested it) that something like
> > this should work:
> >
> > iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d 1.2.3.4/32 -p tcp --dport 80 -j DNAT --to 1.2.3.4:80
> >
> > iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.0/24 -d 1.2.3.4 --dport 80 -j MASQUERADE
> >
> > Where 10.0.0.0/24 is your local LAN and subnet and
> > 1.2.3.4 is your external IP address.
>
> Hi,
>
> I've tried your rules in my firewall, but I still can't access my webserver
> from inside. Are you sure these rules are right? Thanks anyway for the
> reply...

Hi there,

No, to be honest I'm not sure those rules would work, I just modified a very similar couple I have that maps internal traffic back to another server (not the same machine) and without setting up a specific host 'service' have no way of easily testing them ;o(

I'll try to get a chance to have a play and see if I can get a couple working, I'll let you know if I do.

In the meantime - having /another/ guess, you could change the 1.2.3.4 'real' address to 10.0.0.1 (the router's local address). This would then basically be the same as the lines I have but mapping to a different server. (Obviously the only one that wouldn't change would be the first line's -d option which defines what the client initially asks for).

eg:

iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d 1.2.3.4/32 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.0/24 -d 10.0.0.1 --dport 80 -j MASQUERADE

Cheers,

Dave.
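
An added illustration, not part of any post above: a simplified Python model of which netfilter chains the first packet of a connection visits. Because Apache runs on the firewall host itself, a LAN request to 1.2.3.4 is delivered locally and is decided in filter/INPUT, and it never reaches nat/POSTROUTING, with either pair of rules from the thread. The interface names wan0 and lan0, the client 10.0.0.5, the host 10.0.0.20 and the INPUT rule sets are constructed assumptions, not taken from the poster's script.

```python
# Simplified model of netfilter chain traversal for the first packet of a
# connection. Interface names and INPUT rules are hypothetical (see lead-in).
from dataclasses import dataclass, replace

LOCAL_ADDRS = {"1.2.3.4", "10.0.0.1"}  # addresses owned by the firewall host (from the thread)

@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int

def prerouting_dnat(pkt, dnat_rules):
    """nat/PREROUTING: the first rule matching (dst, dport) rewrites the destination."""
    for match_dst, match_port, new_dst in dnat_rules:
        if pkt.dst == match_dst and pkt.dport == match_port:
            return replace(pkt, dst=new_dst)
    return pkt

def traverse(pkt, dnat_rules, input_rules):
    """Return (chains visited, verdict) for one new inbound connection."""
    pkt = prerouting_dnat(pkt, dnat_rules)
    if pkt.dst not in LOCAL_ADDRS:
        # Routed through the box: the only path on which POSTROUTING
        # (and therefore MASQUERADE) sees the packet.
        return ["nat/PREROUTING", "filter/FORWARD", "nat/POSTROUTING"], "FORWARDED"
    # Locally delivered: filter/INPUT decides, POSTROUTING is not visited.
    chains = ["nat/PREROUTING", "filter/INPUT"]
    for rule_if, rule_port in input_rules:
        if rule_if == pkt.in_if and rule_port == pkt.dport:
            return chains, "ACCEPT"
    return chains, "DROP"  # assumed default policy: DROP

LAN_CLIENT = Packet(in_if="lan0", src="10.0.0.5", dst="1.2.3.4", dport=80)
FIRST_TRY = [("1.2.3.4", 80, "1.2.3.4")]    # thread: DNAT --to 1.2.3.4:80
SECOND_TRY = [("1.2.3.4", 80, "10.0.0.1")]  # thread: DNAT --to 10.0.0.1:80
OTHER_HOST = [("1.2.3.4", 80, "10.0.0.20")] # constructed: server on another machine
WAN_ONLY = [("wan0", 80)]                   # constructed: -i wan0 --dport 80 -j ACCEPT
WAN_AND_LAN = WAN_ONLY + [("lan0", 80)]     # constructed: plus -i lan0 --dport 80 -j ACCEPT

if __name__ == "__main__":
    for name, dnat in (("first try", FIRST_TRY), ("second try", SECOND_TRY)):
        print(name, traverse(LAN_CLIENT, dnat, WAN_ONLY))
    print("no NAT, LAN rule added", traverse(LAN_CLIENT, [], WAN_AND_LAN))
    print("server on another host", traverse(LAN_CLIENT, OTHER_HOST, WAN_ONLY))
```

On a real host, the per-rule packet counters from `iptables -L INPUT -v -n` and `iptables -t nat -L -v -n` show which chain a test request from the LAN actually hit.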