Thread: Loopback with iptables port-forward and access from LAN side

  1. #1

    Loopback with iptables port-forward and access from LAN side

    At my WL500gx with the most recent OpenWRT firmware, I've been setting up port forwarding for my HTTP, SMTP, IMAP etc. If I call my webserver's domain from the WAN side, i.e. another box on the internet, I get access to the webserver. But if I try to access the domain directly from the WAN side, I get a reply from the router's built-in webserver. I would like the router to forward the request to the LAN IP that the port has been mapped to, even if I call my WAN IP when I'm on the LAN side, so I can use my server independent of whether I'm on the WAN or LAN side. I assume that's what you call loopback, but I might be wrong? My old piece of shit from TrendNet did this thing by itself, and so did my WL500gx with the stock firmware.

    iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.2
    iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT


    Any idea of what to change, to get the behaviour described above?

    --
    MVH: Esben von Buchwald
    http://www.sbn.as

  2. #2
    Here is my configuration that allows access to an http server located on my LAN from both LAN & WAN using its Internet DNS name or WAN IP.


    # HTTP from Internet to Intranet host
    iptables -A PREROUTING -t nat \
    -p tcp \
    -i $wan_if \
    --dport 80 \
    -j DNAT --to-destination 192.168.0.252:8080

    iptables -A FORWARD \
    -p tcp \
    -i $wan_if --sport 1024: \
    -o $lan_if -d 192.168.0.252 --dport 8080 \
    -m state --state NEW \
    -j ACCEPT


    # HTTP from intranet to intranet host (using double NAT)
    iptables -A PREROUTING -t nat \
    -p tcp \
    -i $lan_if -s $intranet \
    -d $wan_ip --dport 80 \
    -j DNAT --to-destination 192.168.0.252:8080

    iptables -A POSTROUTING -t nat \
    -p tcp \
    -s $intranet \
    -o $lan_if -d 192.168.0.252 --dport 8080 \
    -j SNAT --to $wan_ip

    Hope it is useful to you.

    JF

  3. #3
    OK, so if I understand you correctly, you want to
    1. Use the same name to reach your webserver from LAN and WAN
    2. Redirect a http-request from WAN to some other webserver, not your Asus

    In the examples I see 1 IP-address, is it from the Asus?
    And which one is the webserver you would like to connect to?
    And is the Asus also the device you call router?

    Since your wishes will probably require careful (pre/post)routing,
    (as you are aware of, considering the examples) it is desirable to
    have detailed information.

    As for the first wish, I have realized that in my LAN by defining an IP-alias
    in the machine that I want to end-up in.
    Because normally what happens when an IP-packet has your Internet-IP
    as the destination-address is that it will be routed to the (default?) gateway,
    that gateway will very probably be connected to the internet, and will send
    the packet to its interface which is connected to the link (ADSL? Cable?)
    with your provider. And (again probably) there is no server-process
    listening on that interface. Now for packets arriving from the outside
    (internet) at that interface there will be specified some forwarding and NAT,
    and it will be sent to an internal interface which is listened to.
    But for packets coming from the inside this NAT/forwarding will not be
    performed, and your connection will timeout.
    So, try to assign an IP-alias to your internal interface to which a webserver
    is listening, and make sure that your packets will be routed to that interface.
    Now suppose your Asus is both the default-gateway and the desired
    web-server, then things are simple.
    Packets from the LAN-clients will be sent through the Asus, since the
    external IP-address will require routing through the default gateway.
    And as they arrive on the Asus, the routing mechanism will know which
    addresses are served locally, and will send the packet there.
    A simple method of assigning an alias on the fly is:
    Code:
    ifconfig eth1:0 10.10.0.48
    and remove it by
    Code:
    ifconfig eth1:0 0
    (I think it is unbeatable in efficiency, but it sure does not look
    half as cool as the solution of Jean-Fabrice and it is also
    not as flexible with respect to the machines being server and gateway)
    Check your results with ifconfig and also check the output of route,
    it will give you better insight into what will happen.

    And please give some more detailed information on how you want the
    http-request-packets to travel from the internet into your LAN.
    Maybe you can post the results of the route-command on all involved
    hosts too.

    Regards, Jaap.
    Last edited by jaaput; 02-09-2005 at 20:28.

  4. #4
    Quote Originally Posted by Jean-Fabrice
    # HTTP from Internet to Intranet host
    iptables -A PREROUTING -t nat \
    -p tcp \
    -i $wan_if \
    --dport 80 \
    -j DNAT --to-destination 192.168.0.252:8080

    iptables -A FORWARD \
    -p tcp \
    -i $wan_if --sport 1024: \
    -o $lan_if -d 192.168.0.252 --dport 8080 \
    -m state --state NEW \
    -j ACCEPT

    # HTTP from intranet to intranet host (using double NAT)
    iptables -A PREROUTING -t nat \
    -p tcp \
    -i $lan_if -s $intranet \
    -d $wan_ip --dport 80 \
    -j DNAT --to-destination 192.168.0.252:8080

    iptables -A POSTROUTING -t nat \
    -p tcp \
    -s $intranet \
    -o $lan_if -d 192.168.0.252 --dport 8080 \
    -j SNAT --to $wan_ip
    I just have to be sure, how do you assign the variables you use?
    $wan_if, $lan_if, $wan_ip, $intranet

    Right now my script (/etc/firewall.user) has this at the top; I guess I can read the others the same way?
    WAN=$(nvram get wan_ifname)
    LAN=$(nvram get lan_ifname)

  5. #5
    What I wrote is a part of my /usr/local/sbin/post-firewall

    Variables are assigned this way, at the beginning of the script:
    Code:
    wan_if=$1
    wan_ip=$2
    lan_if=$3
    lan_ip=$4
    intranet=192.168.0.0/24
    See also: http://wl500g.info/showthread.php?t=...=post-firewall

    JF

  6. #6

    It works now!!!

    This works for me:

    Code:
    wan_if=$(nvram get wan_ifname)
    lan_if=$(nvram get lan_ifname)
    wan_ip="83.89.24.37"
    intranet="192.168.1.1/24"
    
    
    # HTTP from Internet to Intranet host
    iptables -A PREROUTING -t nat -p tcp -i $wan_if --dport 80 -j DNAT --to-destination 192.168.1.2:80
    iptables -A FORWARD -p tcp -i $wan_if --sport 1024: -o $lan_if -d 192.168.1.2 --dport 80 -m state --state NEW -j ACCEPT
    
    
    # HTTP from intranet to intranet host (using double NAT)
    iptables -A PREROUTING -t nat -p tcp -i $lan_if -s $intranet -d $wan_ip --dport 80 -j DNAT --to-destination 192.168.1.2:80
    iptables -A POSTROUTING -t nat -p tcp -s $intranet -o $lan_if -d 192.168.1.2 --dport 80 -j SNAT --to $wan_ip
    Thanks
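The rule sets in posts #2 and #6 above, collected into one reusable shell function, as an added example that is not code from any poster in this thread. It assumes the caller supplies the interface names, addresses and port (on the router those would come from `nvram get wan_ifname` / `lan_ifname` as in post #6); the interface names `vlan1`/`br0`, the WAN address `203.0.113.5` and the `IPTABLES` dry-run variable are constructed for the example. The fourth rule is the one that makes the LAN-side ("hairpin") case work: without the SNAT the server would answer the LAN client directly from 192.168.1.2, and the client, which connected to the WAN address, would discard that reply.

```shell
#!/bin/sh
# Added example: generate (or apply) the WAN->LAN port-forward plus the
# LAN-side hairpin ("double NAT") rules for one TCP port.
#
# IPTABLES defaults to "echo iptables" so the rules are printed for review
# instead of being installed. Set IPTABLES=iptables to apply them for real.
: "${IPTABLES:=echo iptables}"

# hairpin_forward WAN_IF LAN_IF WAN_IP INTRANET SERVER_IP PORT
# Emits four rules:
#  1. DNAT connections arriving on WAN_IF for PORT to SERVER_IP:PORT
#  2. accept the new forwarded connection in FORWARD
#  3. DNAT LAN clients that address WAN_IP:PORT to SERVER_IP:PORT
#  4. SNAT those hairpinned packets to WAN_IP so the server's replies go
#     back through the router rather than straight to the LAN client
hairpin_forward() {
    wan_if=$1 lan_if=$2 wan_ip=$3 intranet=$4 server=$5 port=$6

    $IPTABLES -t nat -A PREROUTING -p tcp -i "$wan_if" --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    $IPTABLES -A FORWARD -p tcp -i "$wan_if" -o "$lan_if" \
        -d "$server" --dport "$port" -m state --state NEW -j ACCEPT

    $IPTABLES -t nat -A PREROUTING -p tcp -i "$lan_if" -s "$intranet" \
        -d "$wan_ip" --dport "$port" -j DNAT --to-destination "$server:$port"

    # Only hairpinned traffic (LAN source, leaving on LAN_IF towards the
    # server) is SNATed; Internet clients keep their real source address.
    $IPTABLES -t nat -A POSTROUTING -p tcp -s "$intranet" -o "$lan_if" \
        -d "$server" --dport "$port" -j SNAT --to-source "$wan_ip"
}

# Number of rules a run would install; handy for a quick sanity check.
rule_count() { hairpin_forward "$@" | wc -l | tr -d ' '; }

# Dry run with constructed values (203.0.113.5 is a documentation address).
hairpin_forward vlan1 br0 203.0.113.5 192.168.1.0/24 192.168.1.2 80
```

One consequence of rule 4 worth knowing when reading the server's logs: every hairpinned connection arrives at 192.168.1.2 with the router's WAN address as its source, so LAN clients are indistinguishable from each other there. Internet clients are unaffected because the SNAT is restricted to sources in `$intranet`.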
