  1. #1
    Just Joined!
    Join Date
    Apr 2013
    Posts
    4

    NAT Loopback and iptables


    Hello, please can you help me and explain.
    I have two servers. Both are RHEL6.
    I use the first one as a router and the second one for Apache.
    The router forwards port 80 to the second server and I can open it from the internet (mysite.com, for example). But I can not open mysite.com if I try to open it from the local network (clients).
    As far as I know, I have to add NAT loopback rules in iptables, but I have no idea which rules.
    Please, help me ...
    If it is important, I use MASQUERADE, because my external IP is dynamic.

    Now my iptables looks like that:
    Code:
    [root (at) hprouter ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     tcp  --  0.0.0.0/0            10.0.1.15           state NEW tcp dpt:80 
    6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    num  target     prot opt source               destination         
    1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.1.15:80 
    
    Chain POSTROUTING (policy ACCEPT)
    num  target     prot opt source               destination         
    1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Post the following files for me:

    /etc/resolv.conf
    /etc/sysconfig/iptables

    Also what are your clients using for DNS servers? Local or remote?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Apr 2013
    Posts
    4
    Quote Originally Posted by Lazydog View Post
    Post the following files for me:

    /etc/resolv.conf
    /etc/sysconfig/iptables

    Also what are your clients using for DNS servers? Local or remote?
    Thank you.

    I use local with forwarders (DynDNS)

    Code:
    ; generated by /sbin/dhclient-script
    nameserver 71.252.0.12
    nameserver 71.242.0.12
    Code:
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.15:80
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -p icmp -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -o eth+ -j ACCEPT
    -A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 10.0.1.15 --dport 80 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Your local hosts do not know how to get to the server. Looking at your firewall rules, you are DNATing connections from the internet only, which is correct, as doing anything else would stop your web traffic from leaving your network. There are a couple of things you can do to fix this.

    1. Run a DNS server on your local network and point all clients to that. Then set up your zone file and use your private addresses for your server, and forward all other requests out to an external DNS server for everything else.

    2. Set up the hosts files on your clients to include your local server's IP address, so that when they try to get to the server they read the address from the hosts file and do not try to resolve it via DNS.

    Regards
    Robert

  5. #5
    Just Joined!
    Join Date
    Apr 2013
    Posts
    4
    Thank you.

    Yeah, it is true.

    1. I don't want to use local DNS for that, because what if I want to use a lot of domain names.
    2. It is really impossible.

    I would like to find a general solution.

    I think regular home routers don't use DNS for that.

    I found something here, but I really have no idea what to do. Maybe you know. (I can not put links yet.)
    for-invent.com/nat-loopback-using-iptables

    Thanks for answering.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Yes, you can use the PREROUTING rule in iptables to do this also.

    Code:
    iptables -t nat -A PREROUTING  -i <local interface> -s <internal ip range> -d <external ip of server> -p tcp --dport 80 -j DNAT --to-destination <internal ip of server>
    It has been so long since I used this it totally slipped my mind.

    Regards
    Robert

  7. #7
    Just Joined!
    Join Date
    Apr 2013
    Posts
    4
    Quote Originally Posted by Lazydog View Post
    Yes, you can use the PREROUTING rule in iptables to do this also.

    Code:
    iptables -t nat -A PREROUTING  -i <local interface> -s <internal ip range> -d <external ip of server> -p tcp --dport 80 -j DNAT --to-destination <internal ip of server>
    It has been so long since I used this it totally slipped my mind.
    Thank you very much.
    One more question.
    <local interface> - what is it?
    <internal ip range> - 10.0.1.0/24 ?
    <external ip of server> - is it IP of the router on the internet? That is the biggest problem. My IP is dynamic.
    <internal ip of server> - IP of the server with Apache?

  8. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by i982098328 View Post
    Thank you very much.
    One more question.
    <local interface> - what is it?
    That is the interface that is connected to your local network

    <internal ip range> - 10.0.1.0/24 ?
    If this is the IP address range you are using then yes.

    <external ip of server> - is it IP of the router on the internet? That is the biggest problem. My IP is dynamic.
    This could be a problem and usually why most with dynamic addressing use hosts files as the internal network doesn't change often.

    <internal ip of server> - IP of the server with Apache?
    This is the 10.x.x.x address of the web server.


    Since you have a dynamic internet address I would point you towards using hosts files, since you do not want to run your own DNS server, as then you set them once and forget them until the internal network changes.

    Regards
    Robert
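The rule from posts #6 and #8, filled in for the layout in this thread, as an added example (not from the forum posts or the linked page): it reads the router's current WAN address at run time so the rule survives a dynamic IP, and it adds the POSTROUTING rule that the PREROUTING DNAT alone is missing. The LAN interface name eth1 and the placeholder address 203.0.113.7 in the comments are assumptions; eth0, 10.0.1.0/24 and 10.0.1.15 come from the thread.

```shell
#!/bin/sh
# NAT loopback (hairpin NAT) for: router with WAN on eth0 (dynamic address),
# clients on 10.0.1.0/24, Apache on 10.0.1.15. Run as root on the router
# and re-run whenever the WAN lease changes (e.g. from a dhclient hook).
WAN_IF="eth0"
LAN_IF="eth1"          # assumption: the interface facing the LAN clients
LAN_NET="10.0.1.0/24"
WEB_IP="10.0.1.15"

# Current IPv4 address on the WAN interface, e.g. 203.0.113.7 (constructed).
wan_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Emit the two rules NAT loopback needs, one per line.
# 1) DNAT: a LAN client connecting to the router's public address on port 80
#    is redirected to the web server, exactly as in post #6.
# 2) MASQUERADE on the LAN side: without it the web server answers the
#    10.0.1.x client directly, the client sees a reply from 10.0.1.15 instead
#    of the address it connected to, and the TCP handshake never completes.
#    Cost: Apache logs show the router's LAN address instead of the client.
# Forwarding itself is already allowed by "-A FORWARD -o eth+ -j ACCEPT".
loopback_rules() {
    ext_ip="$1"
    printf '%s\n' \
      "-t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80" \
      "-t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j MASQUERADE"
}

# Install the rules for the address currently held on the WAN interface.
apply_rules() {
    loopback_rules "$(wan_ip "$WAN_IF")" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        iptables $rule
    done
}

# Only touch iptables when explicitly asked: ./nat-loopback.sh apply
[ "${1:-}" = "apply" ] && apply_rules
```

If you would rather not track the WAN address at all, replace `-d $ext_ip` with `-m addrtype --dst-type LOCAL` so the rule matches whatever address the router currently holds; combine it with `! -d $LAN_NET` if you do not want it to catch the router's own LAN address too.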
