Saturday, September 2, 2017

linux - Accessing the DNAT'ted webserver from inside the LAN




I have a small network with a router, which maintains a connection to Internet, a server and some workstations in a local network.



Network map



Server is meant to be accessed from the Internet, and there are several DNAT entries set in the router iptables, like this:



-A PREROUTING -i ppp0 -p tcp -m multiport --dports 22,25,80,443 -j DNAT --to-destination 192.168.2.10


External packets come to router via ppp0 interface, and internal ones go from br-lan, which actually includes the switch and WLAN adapter. The problem is, while external access works fine, trying to access the server from inside the LAN by a DNS-resolved external IP (assigned to ppp0) fails.




The only solution I was able to invent is to add static entries to router's /etc/hosts pointing to the internal IP, but as there are no wildcards (and I have at least three top-level domains assigned to that system, not counting tens of subdomains), that's rather crunchy and failure-prone. Can you suggest something better?



I've only found this question, which was not very helpful.



If that's relevant, the router runs OpenWRT 10.03 Kamikaze with dnsmasq.


Answer



I am surprised that after almost 8 years, nobody has explained how to do this the correct way using the UCI configuration system used by default in OpenWRT.



Steven Monday's answer is correct, yet it is using iptables commands directly, which is a lower layer than the UCI configuration system, and is best left untouched by most OpenWRT users if possible.




The correct way to access internal servers through their public IP/port combos from another internal host in UCI is by enabling the configuration option reflection under each specific DNAT target in the file /etc/config/firewall. This behavior is documented here.



For example:



config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '44322'
	option dest_ip '192.168.5.22'
	option dest_port '443'
	option name 'apache HTTPS server'
	option reflection '1'



Note:
According to the indicated OpenWRT documentation, reflection is enabled by default. In my testing, this was not the case.
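Because the answer notes that the documented default for reflection did not hold in practice, it is worth auditing /etc/config/firewall rather than trusting defaults. The following is an added example (not code from the question, the answer, or the OpenWrt project): a small parser for UCI-style config text that lists every DNAT redirect from the wan zone, reports which ones do not set `reflection '1'` explicitly, and produces an inventory of the WAN ports each redirect exposes and where they land. The sample config is constructed for the example; the treatment of a missing `proto` as `tcpudp` follows the OpenWrt default as an assumption.

```python
"""Audit DNAT redirects in a UCI /etc/config/firewall (added example, constructed input)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import shlex

# Constructed sample config; the first section mirrors the answer's example,
# the other two are made up to show the two failure modes the audit flags.
SAMPLE_FIREWALL = """
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '44322'
    option dest_ip '192.168.5.22'
    option dest_port '443'
    option name 'apache HTTPS server'
    option reflection '1'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '22'
    option dest_ip '192.168.2.10'
    option name 'ssh'
    option reflection '0'

config redirect
    option src 'wan'
    option src_dport '80'
    option dest_ip '192.168.2.10'
    option name 'http (reflection not set)'
"""


@dataclass
class UciSection:
    kind: str                                  # 'redirect', 'zone', 'rule', ...
    name: Optional[str] = None                 # UCI sections may be anonymous
    options: Dict[str, str] = field(default_factory=dict)


def parse_uci(text: str) -> List[UciSection]:
    """Parse 'config'/'option'/'list' lines; shlex handles the quoting."""
    sections: List[UciSection] = []
    current: Optional[UciSection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config" and len(parts) >= 2:
            current = UciSection(parts[1], parts[2] if len(parts) > 2 else None)
            sections.append(current)
        elif parts[0] == "option" and current is not None and len(parts) >= 3:
            current.options[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None and len(parts) >= 3:
            # repeated 'list' entries are joined space-separated
            prev = current.options.get(parts[1])
            current.options[parts[1]] = parts[2] if prev is None else prev + " " + parts[2]
    return sections


def dnat_redirects(sections: List[UciSection]) -> List[UciSection]:
    """Redirect sections that DNAT traffic arriving from the wan zone."""
    return [s for s in sections
            if s.kind == "redirect"
            and s.options.get("target", "DNAT").upper() == "DNAT"  # DNAT is the UCI default target
            and s.options.get("src") == "wan"]


def redirects_without_reflection(sections: List[UciSection]) -> List[str]:
    """Names of WAN DNAT redirects that do not explicitly set reflection '1'."""
    return [s.options.get("name", s.name or "<unnamed>")
            for s in dnat_redirects(sections)
            if s.options.get("reflection") != "1"]


def exposed_ports(sections: List[UciSection]) -> List[Tuple[str, int, str, int]]:
    """Inventory of (proto, wan_port, dest_ip, dest_port) opened by the redirects."""
    inventory = []
    for s in dnat_redirects(sections):
        proto = s.options.get("proto", "tcpudp")          # assumed OpenWrt default
        protos = ["tcp", "udp"] if proto == "tcpudp" else proto.split()
        wan_port = int(s.options["src_dport"])
        dest_port = int(s.options.get("dest_port", wan_port))  # defaults to the WAN port
        for p in protos:
            inventory.append((p, wan_port, s.options.get("dest_ip", "?"), dest_port))
    return sorted(inventory)


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_FIREWALL)
    for entry in exposed_ports(secs):
        print("exposed: %s/%d -> %s:%d" % entry)
    for name in redirects_without_reflection(secs):
        print("no explicit reflection '1':", name)
```

On a router, feed the script the contents of /etc/config/firewall instead of the constructed sample; any redirect listed under "no explicit reflection" is one where LAN clients will hit the public IP and fail exactly as the question describes, and the port inventory doubles as a least-exposure review of what the WAN side actually reaches.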

