router problem for internal LAN..
Joshie the CK
09-05-2001, 03:33 AM
Okay, this HAS to be a fairly simple fix..
I've got the router all working dandy. Iptables is awesome...
Now, how do I get to mydomain.com, which is hosted on a box BEHIND the router, and port-forwarded to that box, from inside the network?
I think the idea is:
iptables: if destination = mydomain.com
{
start feeding everything through the router as if it were coming from the outside, so that it gets directed to the correct port/forward/server.
}
(Seemed like a clear enough way to describe it. :D)
I'm having all sorts of problems that I think are coming from the router..
Like trying to connect to a service (cvs, f.ex.) on a fellow internal box doesn't work. It seems to be trying to use my external IP, rather than the correct private-block internal IP...
I'm confused here guys... :)
I'll post /etc/rc.firewall if you REALLY need a good laugh, or think it might help.. ;)
Joshie the CK
09-06-2001, 11:17 AM
<bump/>
I KNOW I'm not the only person with this problem.. :D
Joshie the CK
09-07-2001, 07:40 PM
SOMEONE has to have a clue? :)
This is not an uncommon problem. It can't be!
Should I explain it better/clearer/again?
jumpedintothefire
09-07-2001, 11:17 PM
is your domain box using public ips or private? post the script..
Joshie the CK
09-08-2001, 01:45 AM
the web server is using a private IP that's port forwarded from the router.
IDEALLY, what would happen would be IPTABLES would take anything on the output chain with the destination of "my domain/IP", and send it through the input rules to tell it where to go.
But, it's probably not that easy...
Do you still want the script? I don't know how much it'll help..
jumpedintothefire
09-08-2001, 08:43 AM
Try:
iptables -t nat -A POSTROUTING -d (serverpublicip) -p tcp --dport 80 -s (privatelan) -j SNAT --to (routerprivateip)
or
/sbin/iptables -t nat -A PREROUTING -i (INTIF) -d (serverpublicip) -p tcp --dport 80 -s (privatelan) -j DNAT --to (webprivip)
This is like doing redirection for squid that is on a different machine, but only for private machines that go to your webserver.
see: http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc.html#toc6
You may need other rules, I can't tell without seeing the script.
Joshie the CK
09-09-2001, 12:45 AM
The 'other rules' would be just for other services. So if Port80 goes to internal box at 192.168.0.100 but port21 goes to 192.168.0.101, I'd have to create separate rules..
I could live with that....
I'll go see if it works right now, Thanks!
Joshie the CK
09-09-2001, 01:04 AM
Crap.. Didn't work...
I'm thinking it's going to be easier just to set up BIND on the router box, and have it handled that way.. Although I don't know how hard BIND is to set up and run.. LoL..
Another new adventure..
If you're interested, this is my rc.firewall.. Not anything all that impressive.. But it seems to work...
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#Delete and flush.
iptables --flush
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
#Set Defaults
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#Set up Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#Internal LAN (eth1) rules
#iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 67:68 -j ACCEPT
#iptables -A INPUT -i eth1 -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
#######################
#External (eth0) rules#
#######################
#Allow connections to this machine.
#iptables -A INPUT -d $NET -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -d $NET -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -d $NET -p tcp --dport 8088 -j ACCEPT
#################################################
#Forwards from external (eth0) to internal (eth1)
#Forwards to Anvil (102)
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 2401 -j DNAT --to 192.168.0.102:2401
iptables -A PREROUTING -t nat -p udp -i eth0 --dport 2401 -j DNAT --to 192.168.0.102:2401
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8080 -j DNAT --to 192.168.0.102:8080
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.102:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 22 -j DNAT --to 192.168.0.102:22
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.0.102:21
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 20 -j DNAT --to 192.168.0.102:20
#Forwards to Thunderbird (101)
#Forwards to Thor (100)
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.0.100:21
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8086 -j DNAT --to 192.168.0.100:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 5910 -j DNAT --to 192.168.0.100:5910
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 5810 -j DNAT --to 192.168.0.100:5810
#Forwards to Cerebrus (1)
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 2222 -j DNAT --to 192.168.0.1:22
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 23 -j DNAT --to 192.168.0.1:23
#################################################
#Make my domain work from inside the LAN
iptables -t nat -A POSTROUTING -d 192.168.0.102 -s 192.168.0.0/24 -p tcp --dport 80 -j SNAT --to 192.168.0.1
#iptables -t nat -A PREROUTING -i eth1 -d 209.20.211.36 -p tcp --dport 80 -s 192.168.0.0/24 -j DNAT --to 192.168.0.102
jumpedintothefire
09-09-2001, 01:43 AM
Since the rules are parsed from the first to the last, try placing the rule ahead of the other postrouting rules. Or use -I (insert) instead of -A; this will place the rule at the beginning of the rules. "-d 192.168.0.102": try replacing it with the public ip on the external interface. Let me know, I'll be up for a bit yet....
Joshie the CK
09-09-2001, 04:27 AM
Good thought.. But no, that didn't help either.. But I still get "Could not connect to remote server"
Thanks for the ideas!
jumpedintothefire
09-09-2001, 08:52 AM
**scratch head** (need coffee)
Not to sure right now, I'll get back to you..
jumpedintothefire
09-09-2001, 11:46 AM
From: http://msgs.securepoint.com/netfilter/
I searched on
"internal webserver from internal lan"
I came across this:
When a machine on your internal net (say 10.0.0.4) wants to connect to 1.2.3.4:80, it will go through your gateway, and the gateway will redirect it to 10.0.0.3. However, the source address in the packet that went to 10.0.0.3 says 10.0.0.4. So when the server replies, it goes directly to 10.0.0.4. 10.0.0.4 will not accept the packet since it isn't from the expected ip address (expecting 1.2.3.4:80). What you need to do then is use PREROUTING to change the source address of 10.0.0.4 to an external address on your interface (namely 1.2.3.4), then when 10.0.0.3 replies, it goes to 1.2.3.4, goes to the gateway, conntrack figures it out and sends it back to 10.0.0.4 with source address 1.2.3.4. Make sense?
so lets try:
iptables -t nat -A PREROUTING -i eth1 -d 209.20.211.36 -p tcp --dport 80 -s 192.168.0.0/24 -j SNAT --to 209.20.211.36
or maybe:
iptables -t nat -A POSTROUTING -i eth1 -d 192.168.0.102 -s 192.168.0.0/24 -p tcp --dport 80 -j SNAT --to 209.20.211.36
Maybe this rule:
iptables -t nat -A POSTROUTING -d (serverpublicip) -p tcp --dport 80 -s (privatelan) -j SNAT --to (routerprivateip)
is just missing the -i eth1
Maybe the BIND setup is easier?
Anyone have any input?
[ 09 September 2001: Message edited by: jumpedintothefire ]
Joshie the CK
09-09-2001, 12:31 PM
Can't use -i with "POSTROUTING".. At least that's what IPTables says.. :)
Neither of the other ones worked either.. Along with various mutations I tried...
I've searched too.. I get all the theoretical stuff.. Everyone says it SHOULD work this way... But nobody actually seems to have it working and give a good working bit of code.. O_o
I would think this was one of the most common and easily fixed problems around! I mean EVERYONE who uses this physical network setup has this problem...
Then again, maybe they have their own DNS servers too.. :D
jumpedintothefire
09-09-2001, 02:44 PM
Think I may have it. Place these rules before the masq rule. Let me know.
iptables -t nat -A POSTROUTING -t nat -s 192.168.0.102 -o eth0 -j SNAT --to 209.20.211.36
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.102 --dport 80 -s 192.168.0.0/24 -j SNAT --to 209.20.211.36
If it works I'll try to explain it.. masq and nat are NOT the same thing!
[ 09 September 2001: Message edited by: jumpedintothefire ]
Joshie the CK
09-09-2001, 04:24 PM
What that *SHOULD* do is take anything sent from the web browser, going to an internal IP addy, and change the source IP to my external IP address...
I take it the double "-t nat" wasn't intended? I tried it with, and without, and it didn't matter..
And the second one should take anything going TO the server, from a LAN private IP, and make it appear to the server box, as if the request was coming from my external IP...
I think it makes sense at least.. 'cause unfortunately it doesn't work.
And I inserted those lines directly above this line:
#Set up Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Let me make sure I understand the problem..
The packet leaves my computer just fine, and goes to the server and goes to the web server box.. But the web server box doesn't know what the heck to do with it because the return address isn't right..
Okay.. let's think.. How does the request even get to my web server box. Which line of my rc.firewall has anything to do with making sure internal requests go to the right place... Could it be that the "-i eth0" on my port forwarding chains is causing the requests from the internal boxes to not even GET to the web server?
I'm trying to think through the flow of how packets are moving through the system.. hmm..
jumpedintothefire
09-09-2001, 07:46 PM
Well here is the post that I found:
------quote-------
Re: NAT in OUTPUT CHAIN
Forum: SecurePoint.COM - Netfilter mailing list archive
Date: Jul 10, 09:09
From: Henrik Nordstrom <hno@marasystems.com>
NAT for locally originated connections is broken at the moment (not implemented).
Have a patch to implement the missing pieces. See netfilter-devel archives (also available on request).
--
Henrik Nordstrom
MARA Systems
Edilson Carlos Belluomini wrote:
> Hello everybody
>
> I tried to use NAT in OUTPUT chains, but it doesn't work.
>
> I used the following commands:
>
> #re-route external traffic from internet webserver IP address to internal address
> iptables -t nat -A PREROUTING -p tcp -d $webip --dport 80 -j DNAT --to 192.168.0.1:80
> #packets from internal web server are SNATed to its internet IP.
> iptables -t nat -A POSTROUTING -t nat -s 192.168.0.1 -o $extint -j SNAT --to $webip
> #re-route internal traffic to internal web-server as if coming from the external linux ip address
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.0/24 -j SNAT --to $extip
> #re-route linux box traffic
> iptables -t nat -A OUTPUT -p tcp -d $webip --dport 80 -j DNAT --to 192.168.0.1:80
>
> where $webip is the internet address of my web server, and 192.168.0.1 is the real address of my web server.
>
> Everything except the OUTPUT chains works fine.
>
> Is there anybody that can help me ???
>
> Thank You
>
> Edilson Carlos Belluomini
> edilson@hrcnet.com.br
-------quote--------
He claims that it works except for requests from the firewall to the webserver.
> What that *SHOULD* do is take anything sent from the web browser, going to an internal IP addy, and change the source IP to my external IP address...
Well, not quite: anything from the webserver leaving on eth0 gets changed to your public ip.
Looking over the above script, you may be right about the -i eth0 in the prerouting...
Maybe add a line for eth1 or remove them altogether.
Have you tried to capture the sessions with tcpdump?
Joshie the CK
09-11-2001, 02:46 AM
removing the -i on my forwarding chains worked just dandy, but I had the small problem of forwarding ALL port 80 traffic.. So I couldn't get to external web sites.. LoL.. That was fun..
I'm still working on understanding that last message..
I'm gonna keep playing around with this.. I know it's gotta be doable.. :D
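An added example, not from anyone in this thread: a small Python model of the nat PREROUTING (DNAT) and POSTROUTING (SNAT) chains, following one LAN-to-web-server SYN through the router. It reproduces the three outcomes the thread hits: the "-i eth0" rule never matching LAN traffic (Could not connect), the rule without "-d" grabbing all port 80 traffic once "-i" is removed, and the server's direct reply being rejected by the client until LAN-to-server traffic is SNATed. The router, LAN and server addresses are the thread's; the client (192.168.0.50), the outside client (198.51.100.7) and the outside web site (203.0.113.9) are constructed sample values.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; clients and the outside web site used below are constructed.
PUBLIC_IP = "209.20.211.36"      # router's eth0 address, where the domain resolves
ROUTER_LAN_IP = "192.168.0.1"    # router's eth1 address ("Cerebrus")
WEB_SERVER = "192.168.0.102"     # "Anvil", the port-forwarded web server
LAN_PREFIX = "192.168.0."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str   # interface the router received the packet on

def dnat_rule(to, dport=80, in_if=None, dst=None):
    """Model of: iptables -t nat -A PREROUTING [-i in_if] [-d dst] -p tcp --dport dport -j DNAT --to to"""
    return {"in_if": in_if, "dst": dst, "dport": dport, "to": to}

def prerouting(pkt, rules):
    """First matching DNAT rule wins, as in the nat PREROUTING chain; None means 'match not specified'."""
    for r in rules:
        if r["in_if"] in (None, pkt.in_if) and r["dst"] in (None, pkt.dst) and r["dport"] == pkt.dport:
            return replace(pkt, dst=r["to"])
    return pkt

def postrouting(pkt, hairpin_snat):
    """SNAT LAN->web-server port 80 traffic to the router's LAN address (jumpedintothefire's suggestion)."""
    if hairpin_snat and pkt.src.startswith(LAN_PREFIX) and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def connect(client, target, in_if, rules, hairpin_snat=False):
    """Follow one TCP SYN to port 80 through the router and report what the client experiences."""
    pkt = postrouting(prerouting(Packet(client, target, 80, in_if), rules), hairpin_snat)
    if pkt.dst != WEB_SERVER:
        # No DNAT: a SYN for the public IP lands on the router itself -> "Could not connect to remote server"
        return "no-dnat" if target == PUBLIC_IP else "ok"
    if target != PUBLIC_IP:
        return "hijacked"          # a DNAT rule with no -d also grabs traffic meant for outside sites
    if pkt.src.startswith(LAN_PREFIX) and pkt.src != ROUTER_LAN_IP:
        # The server answers a LAN source directly, bypassing the router: the reply arrives from
        # 192.168.0.102 while the client expects 209.20.211.36, so the client drops it
        return "reply-rejected"
    return "ok"                    # reply returns through the router; conntrack undoes DNAT and SNAT

if __name__ == "__main__":
    hairpin = [dnat_rule(WEB_SERVER, dst=PUBLIC_IP)]
    print(connect("192.168.0.50", PUBLIC_IP, "eth1", hairpin, hairpin_snat=True))
```

The same rule lists can be checked against an outside client arriving on eth0 to confirm the original port forwards keep working while the hairpin case is fixed.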