Re: [SLUG] Re: port 80 question--it works!

From: Seth Hollen (seth@hollen.org)
Date: Tue May 28 2002 - 20:45:30 EDT


Thanks for the info, I've often seen that WAN IP address octet you
mentioned in my logs, so now I know!

Eventually I want to put Apache on an old box with OpenBSD on it; I
might use that as a firewall/router also.

On Tue, 2002-05-28 at 19:41, Ter wrote:
    Router may also be an issue. When I searched for a cheap router for my RR
    account, I went with "Addtron" brand (4 internal ports with some VPN and
    virtual server stuff, etc. for $89). Poke around www.pricewatch.com. Not all
    of the "cheap" routers will support "virtual" servers, DMZ, etc.
    Check your manual/manufacturer's website. If you want to "Geek" with a more
    serious router, check out some of these sites:
    http://www.routerdesign.com/index.shtml, or http://www.coyotelinux.com/
    Have a friend "scan" your IP for open ports. RR actually does give out
    "DNS" names, in a strange sort of way, using your IP address. Try this...
    "AABBCChfcDD.tampabay.rr.com" in a browser, where "AA", "BB", "CC" and "DD"
    are the different "octets" of your WAN IP address... so if your IP address
    was 65.35.202.34, have a friend put in "6535202hfc34.tampabay.rr.com". If
    your router and server are configured correctly, your friend should be able
    to reach the default web page of your WWW server. Keep in mind that RR has
    2 hour leases for their DHCP server... only uninterrupted connectivity of
    your cable and router will keep a "static" IP. Best I have ever done for a
    "static" IP on RR is about 4 months, but check out www.no-ip.com. There are
    many solutions like this.
    Pete
    
    http://www.6535252hfc12.tampabay.rr.com/
    ----- Original Message -----
    From: "Ken Billings" <lists@coffeehouseltd.com>
    To: <slug@nks.net>
    Sent: Tuesday, May 28, 2002 9:16 AM
    Subject: [SLUG] Re: port 80 question--it works!
    
    
> Seth Hollen writes:
>
> > Thanks People, I had it working fine on internal stuff (i.e. when I typed
> > 127.0.0.1 I got the Apache test page).
> > So I called a friend and had him type my IP address into his browser
> > and he saw it, so it works. I guess there must be a problem with the
> > request going out through my router then back in. I wonder if a router
> > upgrade would help?
> >
> > Seth
>
> The problem you're having comes from DNATing back into your LAN from a
> machine on that LAN. This is how it goes: Your client box sends the
> connect packet to the external IP, which it knows has to go through the
> router (Source Internal box A 'INT-A', Destination External 'EXT'). Since
> the router has a rule that says, "Anything to EXT on port 80, change it so
> the destination is INT-WEB", it rewrites the packet to look like: Source
> INT-A, Destination INT-WEB, and sends it on. When the packet gets to the
> webserver on INT-WEB, it tries to respond by sending a response packet to
> the original source IP (INT-A). So, this response packet looks like -
> Source INT-WEB, Destination INT-A. Since this packet's destination is on
> the internal LAN, it's like any other LAN traffic, and doesn't go through
> the router. When the web client box (INT-A) gets this "response", it looks
> at it like so: "Hmm, response packet from a webserver (port 80) at INT-WEB.
> You know, I'm waiting on a response from a web server, but I'm expecting it
> to come from EXT, not INT-WEB. This must be junk, I'll just throw it away."
> ... And your web client software sits and waits for a response that never
> comes. To fix the problem, you have to Source NAT the original connection
> packet so it comes back to the router first. In most implementations,
> destination NAT is done first, so you have to write the SNAT rule with that
> in mind. Add a rule that says, "If a packet comes in from my internal LAN
> with a destination of INT-WEB port 80 (it was already rewritten by the DNAT
> rule), change the source IP to be EXT (the router)." This way when the
> webserver sees the initial connection packet, it will respond to the
> router's EXT IP, which will automatically rewrite the response packet's
> destination to be INT-A (that's the way NAT works).
> Make sense? I hope so... It's early and I'm still waking up from the long
> weekend. ;) Any questions/clarifications just ask.
>
>
> To summarize:
> To use NAT with an internal webserver, you need 2 rules. One you already
> have:
> Match: Source: Any:Any, Destination: EXT:80 - DNAT Destination IP to INT-WEB
>
> ...And one you need:
> Match: Source: INT-LAN:Any, Destination: INT-WEB:80 - SNAT from EXT
>
> I don't know how you specify rules on your router, but for Linux IPTables,
> they might look like this:
>
> # iptables -t nat -A PREROUTING -d $EXT -p tcp --dport 80 -j DNAT --to $INT_WEB
> # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d $INT_WEB -p tcp --dport 80 -j SNAT --to $EXT
>
> For the record, this is just one way to do it. You can also set up an
> internal DNS server that will spit out the INT-WEB address for
> www.yoursite.com. If you aren't already running DNS with an internal only
> view, it's much easier to solve this with the extra router NAT command.
>
> -Ken
>
    
    
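The hairpin case Ken walks through above, as an added example that is not part of the original thread: a small model of the router applying the two nat-table rules, with and without the SNAT rule, so you can see why the reply is discarded in one case and accepted in the other. The addresses are constructed, and the model ignores ports on the reply side.

```python
from dataclasses import dataclass, replace

# Constructed addresses: router WAN side (EXT), internal web server, internal client.
EXT, INT_WEB, INT_A = "65.35.202.34", "192.168.1.10", "192.168.1.20"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class Router:
    """Applies the PREROUTING DNAT rule and, optionally, the POSTROUTING SNAT rule."""

    def __init__(self, snat_lan: bool):
        self.snat_lan = snat_lan
        self.conntrack = {}  # (src, dst) after NAT -> (src, dst) before NAT

    def forward(self, pkt: Packet) -> Packet:
        before = (pkt.src, pkt.dst)
        # PREROUTING: -d $EXT -p tcp --dport 80 -j DNAT --to $INT_WEB
        if pkt.dst == EXT and pkt.dport == 80:
            pkt = replace(pkt, dst=INT_WEB)
        # POSTROUTING: -s 192.168.1.0/24 -d $INT_WEB -p tcp --dport 80 -j SNAT --to $EXT
        if self.snat_lan and pkt.src.startswith(LAN_PREFIX) and pkt.dst == INT_WEB and pkt.dport == 80:
            pkt = replace(pkt, src=EXT)
        self.conntrack[(pkt.src, pkt.dst)] = before
        return pkt

    def unnat_reply(self, reply: Packet) -> Packet:
        # The reply travels NATed-dst -> NATed-src; restore the pre-NAT addresses.
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return Packet(src=orig_dst, dst=orig_src, dport=reply.dport)


def hairpin(snat_lan: bool) -> dict:
    """Client INT_A connects to EXT:80; report where the reply arrives from and if it is accepted."""
    router = Router(snat_lan)
    syn = Packet(src=INT_A, dst=EXT, dport=80)               # off-LAN destination: goes via the router
    to_web = router.forward(syn)
    reply = Packet(src=to_web.dst, dst=to_web.src, dport=0)  # web server answers the peer it saw
    if reply.dst.startswith(LAN_PREFIX):                     # peer is on the LAN: bypasses the router
        delivered = reply
    else:                                                    # peer is EXT: router reverses both NATs
        delivered = router.unnat_reply(reply)
    accepted = delivered.src == EXT and delivered.dst == INT_A  # client expects EXT, not INT_WEB
    return {"reply_from": delivered.src, "accepted": accepted}
```

Without the SNAT rule the reply arrives straight from INT_WEB and the client discards it; with it, the reply passes back through the router and arrives from EXT as the client expects.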



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:33:13 EDT