[SOLVED] Accessing local servers using the domain name.


This topic contains 10 replies, has 0 voices, and was last updated by  rsansores 9 years ago.

    #42409

    rsansores
    Member

    Hi, I have tried a lot of solutions but nothing appears to work. Here is the problem.

    I have a Zeroshell configuration where ETH0 is connected to my ISP in DMZ mode.
    The ETH1 interface is plugged into the office network switch. As simple as that.

    ETH0 ip 10.x.x.x
    ETH1 ip 192.168.1.x

    Multi-purpose server IP 192.168.1.1 (mail, web, SSH, etc.)

    NAT is active on ETH0 and I have created port forwarding rules to redirect almost every port request incoming on ETH0 to 192.168.1.1.

    Ex.

    ETH0/ANY 80 ANY/ANY 192.168.1.1:80

    The problem is:

    If I'm outside my local network, for example on a cell phone with 3G, and I search for mydomain.com, it resolves to the public IP and I can access the service with no problem.

    If I'm inside the local network, for example at 192.168.1.2, and I try to access http://mydomain.com from a web browser, the server never responds.

    The port really doesn't matter; any port tried from inside the network using the domain name doesn't work. But the strange part is that if I try http://192.168.1.1 in the browser I get the same result! The browser never resolves the address.

    More tests that could help you understand the problem (all inside my network):

    If I try telnet 192.168.1.1 80 I get a response.
    If I try telnet 192.168.1.1 21 I get a response.
    If I try telnet mydomain.com 80 I do not get a response.
    If I try http://mydomain.com from the web browser: no response.
    If I try http://mydomain.com/index.htm from the web browser: WORKS!!! WTF
    If I try http://192.168.1.1 from the web browser I do not get a response (why? something related to the HTTP protocol?).
    If I try https://192.168.1.1 from the web browser I do not get a response (why?).

    After some research I found that this could happen after a bad firewall configuration, so my first troubleshooting step was to disable the firewall… no change.

    Someone says that creating a DNS for the intranet could help, something like:
    "midomain.com" – 192.168.1.1, but to be honest I don't have a clue where to start configuring the DNS.

    Some last thoughts that are maybe totally unrelated, but I feel they could help troubleshooting or could be messing up the whole thing.

    My realm is MYDOMAIN.COM (is this correct? If not, how can I change it?)
    Pinging the domain from inside the network always works (gives me my public IP).
    Pinging any host inside the network works flawlessly.
    I do not have any kind of routing protocol.
    I can access any Internet host like google.com with no problem.

    This is driving me crazy, I don't know what more to do; if someone can help it will be terrific. Thanks in advance, and sorry for my bad English… 😕

    #50333

    atheling
    Member

    In my case the inside network is 10.7.52.0/24 and the server is at 10.7.52.130. So if I try to access the server using the public IP it will get routed to the interface on the Zeroshell box that serves that IP address. But there are NAT rules on that, set up by the virtual server definition, that redirect the traffic to the actual server on the LAN.

    Unfortunately the from address in the IP datagram has the inside address of my laptop. So the server responds directly to the laptop giving a LAN address in the from field. However my laptop is expecting responses from the public IP address so it does not handle the messages well (it should drop them all, possibly with logging). The tell-tale is when I pinged the public IP address the ping responses showed the LAN address of the server.

    The solution is to NAT the traffic from your local LAN that is directed to your local server. That forces the return traffic from your server back to the Zeroshell box where the packet addresses are re-written to make everything work correctly.

    Long explanation, but short fix. I don’t like playing with the main NAT chains directly so I set up a “custom local” chain, put my one rule in that then invoke the chain from the post-routing chain. The result is this in my “NAT and Virtual Servers” script:

    #Fix issue with LAN clients accessing local servers with external IP addresses
    iptables -t nat -N custom_postroute
    iptables -t nat -A custom_postroute -s 10.7.52.0/24 -d 10.7.52.130 -j MASQUERADE
    iptables -t nat -A POSTROUTING --match state --state NEW -j custom_postroute
    #50334

    rsansores
    Member

    Thanks for the quick reply.

    I'm still having problems. I think I understand what you suggest, but I haven't been able to execute your solution (I lack knowledge of Zeroshell and iptables 🙁).

    What I understand is that I should have a POSTROUTING rule indicating that everything that goes out from an IP in 192.168.2.0 and goes to my server (192.168.2.2) should be forwarded using your custom_postroute.

    I tried two approaches. First I opened the shell, connecting to Zeroshell via SSH, and searched for the iptables configuration file to add these lines. I wasn't able to find the iptables conf file, so I tried executing the lines in the shell. That didn't produce an error but didn't work. The problem persists.

    My NAT table looked like this after executing your commands in the shell:


    Chain PREROUTING (policy ACCEPT 516K packets, 39M bytes)
    pkts bytes target prot opt in out source destination
    1886 104K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.2:80
    3287 197K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.2.2:21
    59 3180 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8100 to:192.168.2.2:8100
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8100 to:192.168.2.2:8100
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:600 to:192.168.2.95:600
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:600 to:192.168.2.95:600
    25 1500 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54352 to:192.168.2.2:54352
    8 412 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.2:443
    5653 283K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    35 2040 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690 to:192.168.2.2:3690

    Chain POSTROUTING (policy ACCEPT 445 packets, 27948 bytes)
    pkts bytes target prot opt in out source destination
    364K 25M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
    359K 25M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
    5538 364K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
    0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    I don't know how to interpret this output; I would be expecting something like this:


    0 0 custom_postroute all -- * * 192.168.2.0/24 192.168.2.2/32

    Anyway, I tried adding your lines as a script in the setup crontab and the result was the same, but with duplicated lines in the NAT table.


    Chain POSTROUTING (policy ACCEPT 445 packets, 27948 bytes)
    pkts bytes target prot opt in out source destination
    364K 25M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
    359K 25M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
    5538 364K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
    0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

    What am I doing wrong? Thanks again for the help.

    PS. In my first post I told you that my subnet was 192.168.1.0/24 and that was wrong; my subnet is 192.168.2.0/24.

    #50335

    atheling
    Member

    I would expect that a listing of the NAT chains using

    iptables -t nat -vn -L

    would include something like the following (my subnet, not yours):

    Chain custom_postroute (1 references)
    pkts bytes target prot opt in out source destination
    1544 119K MASQUERADE all -- * * 10.7.52.0/24 10.7.52.130

    I set that up using the following in the Zeroshell UI:

    In your case, I don’t see the contents of the “custom_postroute” table so I can’t see if you have the “MASQUERADE” rule in there. The key is that you have to NAT (masquerade) the traffic from your LAN to your server or the return IP packets will not be routed properly.

    #50336

    rsansores
    Member

    Thanks again atheling; in fact I have those lines:

    After executing iptables -t nat -vn -L :



    Chain PREROUTING (policy ACCEPT 531K packets, 40M bytes)
    pkts bytes target prot opt in out source destination
    1910 105K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.2:80
    3287 197K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.2.2:21
    59 3180 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8100 to:192.168.2.2:8100
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8100 to:192.168.2.2:8100
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:600 to:192.168.2.95:600
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:600 to:192.168.2.95:600
    28 1680 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54352 to:192.168.2.2:54352
    8 412 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.2:443
    11030 554K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    49 2712 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690 to:192.168.2.2:3690

    Chain POSTROUTING (policy ACCEPT 463 packets, 29185 bytes)
    pkts bytes target prot opt in out source destination
    377K 26M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
    371K 26M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
    5585 367K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
    21 1430 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    18 1237 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    18 1237 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

    Chain OUTPUT (policy ACCEPT 172K packets, 14M bytes)
    pkts bytes target prot opt in out source destination

    Chain Proxy (1 references)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    Chain custom_postroute (3 references)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
    0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
    0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
    0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2

    The duplication is maybe because I executed the three commands you gave me more than once. 😳 (I will do some research on iptables to discover how to erase the extra lines, but if I'm not wrong that should not interfere, since the lines are executed from top to bottom)…

    Anyway, this is still not working; I'm facing the same behavior as in the first post. Am I missing something? If you need any log to get a better picture of my configuration, just ask. I really appreciate the time you are spending helping me.

    After reading more and more tutorials I found a guy who creates a POSTROUTING rule using the public IP instead of the local subnet, but I think that does not apply to me because I have a dynamic public IP.

    #50337

    atheling
    Member

    Looking through the traffic counts on your various rules, it appears that the custom_postroute chain is being executed but that the rules in it are not being matched.

    So I guess I should verify that I really understand your topology. Am I correct in thinking that your LAN with the servers is attached to ETH2, that your Internet connection is on ETH1, and that nothing is attached to ETH0 or ETH3? This is different from your first post but is my guess based on the traffic counts for rule hits.

    So is it like this?

    Internet (Dynamic IP) –> DSL Modem (10.n.n.n) (10.m.m.m ETH1) Zeroshell (192.168.2.n) LAN

    With your servers being on 192.168.2.2 and 192.168.2.95.

    I assume you are doing some sort of dynamic DNS to allow external access to your servers. If you do an nslookup for your domain, does it return a routable public address, or are you getting one of the private subnet address ranges (either 10.0.0.0/8 or 192.168.0.0/16)?

    If you are getting the dynamic public IP, is your modem setup to NAT that back into the Zeroshell box?
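An added example (not code from the thread or from Zeroshell) of the complete NAT-loopback rule set that atheling's MASQUERADE rule is one half of. The other half is a DNAT for LAN-sourced packets addressed to the public IP: the virtual-server DNAT rules in rsansores's listing match only `in ETH01`, so a packet from 192.168.2.x to 200.52.x.x is never rewritten, still carries the public IP as destination when it reaches POSTROUTING, and therefore never matches `-d 192.168.2.2` in custom_postroute, which is consistent with the zero packet counters in the listing. The interface names, subnet, server and the placeholder public address used in the dry run are assumptions modelled on the thread; the script only prints iptables commands so they can be reviewed (or fed to `sh` as root).

```shell
#!/bin/sh
# Added example: print a complete NAT-loopback ("hairpin NAT") rule set for
# LAN clients that reach a LAN server via the public IP.  Nothing is applied;
# review the output, then pipe it into `sh` as root on the router.
# Interface names, subnet, server and public IP are placeholders modelled on
# the thread (WAN on ETH01, LAN on ETH02, server 192.168.2.2).

# Current IPv4 address of an interface (iproute2).  The thread's public IP is
# dynamic, so look it up at apply time instead of hard-coding it.
wan_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Rules for one protocol/port.  Both halves are needed:
#  1. DNAT in PREROUTING for LAN -> public IP.  The virtual-server rules in the
#     thread's listing match only "in ETH01", so a LAN packet sent to the
#     public IP is never rewritten and keeps the public IP as destination.
#  2. MASQUERADE in POSTROUTING for LAN -> server (atheling's rule) so the
#     reply returns through the router, where conntrack reverses the DNAT,
#     instead of going straight to the client from an unexpected source.
# Without 1, the packet still has the public IP as destination when it reaches
# POSTROUTING, so 2 never matches: hence the zero counters in the thread.
hairpin_port() {
    proto=$1; port=$2; lan_net=$3; server=$4; pub_ip=$5
    printf 'iptables -t nat -A custom_prerouting -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_net" "$pub_ip" "$proto" "$port" "$server" "$port"
    printf 'iptables -t nat -A custom_postroute -s %s -d %s -p %s --dport %s -j MASQUERADE\n' \
        "$lan_net" "$server" "$proto" "$port"
}

# Whole rule set.  Custom chains are created-or-flushed and the jumps from the
# built-in chains are deleted before being re-added, so the output is safe to
# run repeatedly (the thread's listing shows the same rule three times after
# the commands were run from a cron job).
hairpin_rules() {
    lan_if=$1; lan_net=$2; server=$3; pub_ip=$4; shift 4
    for chain in custom_prerouting custom_postroute; do
        printf 'iptables -t nat -N %s 2>/dev/null || true\n' "$chain"
        printf 'iptables -t nat -F %s\n' "$chain"
    done
    # Insert at position 1 so the DNAT runs before any other PREROUTING rule.
    printf 'iptables -t nat -D PREROUTING -i %s -j custom_prerouting 2>/dev/null || true\n' "$lan_if"
    printf 'iptables -t nat -I PREROUTING 1 -i %s -j custom_prerouting\n' "$lan_if"
    printf 'iptables -t nat -D POSTROUTING -j custom_postroute 2>/dev/null || true\n'
    printf 'iptables -t nat -A POSTROUTING -j custom_postroute\n'
    for spec in "$@"; do                   # proto/port, e.g. tcp/80 udp/8100
        hairpin_port "${spec%/*}" "${spec#*/}" "$lan_net" "$server" "$pub_ip"
    done
}

# Dry run (constructed values):
#   hairpin_rules ETH02 192.168.2.0/24 192.168.2.2 "$(wan_ip ETH01)" tcp/80 tcp/443 tcp/8100
```

Two things to keep in mind after applying it. With MASQUERADE on the LAN-to-server leg, the server sees every hairpinned connection as coming from the router's LAN address (192.168.2.254 in this thread), so its logs and any source-IP based access control no longer see the real client; a LAN-side DNS entry for the name, which is what finally solved the thread, avoids that. And the commands belong in the "NAT and Virtual Servers" script atheling mentions, run once, not in a repeated cron job, which is how the listing ended up with three copies of each rule.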

    #50338

    rsansores
    Member

    Indeed, your guess is almost correct in all aspects.

    Here comes a detailed explanation of my topology.

    I have a cable modem ISP connection attached to ETH1. This modem is subnetted by the ISP; for example, if I do a traceroute to www.google.com the response is this:


    traceroute to www.google.com (72.14.253.104), 30 hops max, 60 byte packets
    1 192.168.2.254 (192.168.2.254) 0.249 ms 0.226 ms 0.167 ms
    2 10.62.0.1 (10.62.0.1) 9.198 ms 9.206 ms 9.194 ms
    3 10.0.56.61 (10.0.56.61) 9.493 ms 9.502 ms 9.495 ms
    4 customer-GDL-192-247.megared.net.mx (200.52.x.x) 72.901 ms 72.903 ms 72.878 ms

    Where 200.52.x.x is my public IP and 10.62.0.1 is the IP of the ETH1 interface in Zeroshell provided by the cable modem's DHCP. 10.0.56.61 is a subnet not made by me; this is produced by my ISP, but that should not interfere, because I have a special contract for companies where they assure me that my cable modem is in some kind of DMZ. In other words, pinging 200.52.x.x relates to my business and no other. In fact, before implementing Zeroshell I was able to access my intranet services from outside and inside the LAN with no problem, having every computer in the 10.62.0.x subnet directly attached to the cable modem using a switch.

    ETH2 is the software and hardware department subnet (192.168.2.x) and ETH3 will be the accounting and administration department subnet (192.168.3.x, not yet implemented; the cable is unplugged, just as you noted).

    ETH0 is unplugged, but at some point I will be plugging it into my second ISP (this was the main reason for implementing Zeroshell).

    I only have one server at 192.168.2.1, but I don't need external access to it because it only hosts local services like SourceSafe, WINS, and some accounting services (that's why it does not appear in the tables).

    I have another server at 192.168.2.2 (the one that is breaking my brain); this hosts my web page, a web app on port 8100, Subversion over HTTPS, FTP, etc.

    And lastly, 192.168.2.95 is not a server, just the computer of a developer who needs port 600 to test a GPRS app.

    My domain myCompanyDomain.com is hosted at DynDNS and I'm completely sure that this is working. If I ping myCompanyDomain.com it is always translated to the correct public IP 200.52.x.x.

    Related to your last question, I'm afraid I don't really know how my cable modem is configured, but as I said, I can assure you that it works like a DMZ, because if I unplug the Zeroshell, plug in my computer and run a simple program that starts listening on a TCP port, then try connecting to that socket using another ISP connection, it works flawlessly.

    I hope this clarifies the topology a little, and sorry, you are completely right, my first post was not exactly clear. 😥

    #50339

    rsansores
    Member

    I almost forgot, the ETH2 interface in Zeroshell is 192.168.2.254.

    #50340

    ppalias
    Member

    Hi,
    first of all, it is a big mess to use Internet naming inside your LAN, but this is something that atheling has already responded to. Judging by the facts you mentioned in the first post, I think it looks like a proxy issue.

    If I try telnet 192.168.1.1 80 I get a response.
    If I try telnet mydomain.com 80 I do not get a response.
    If I try http://mydomain.com from the web browser: no response.
    If I try http://mydomain.com/index.htm from the web browser: WORKS!!! WTF
    If I try http://192.168.1.1 from the web browser I do not get a response (why? something related to the HTTP protocol?).
    If I try https://192.168.1.1 from the web browser I do not get a response (why?).

    Telnet to 192.168.1.1 port 80 works and the browser on the same address fails; it seems that the browser is using a proxy to access the page.
    Also, if http://mydomain.com doesn't work, though it should, and http://mydomain.com/index.htm works, that also points to some proxy cache that still serves index.htm but not the top page. Since your test client and the server are both in the same subnet (192.168.1.X), a malfunction in the internal traffic is not a Zeroshell issue.

    #50341

    rsansores
    Member

    Hi ppalias, your thoughts really helped me a lot because they forced me to do some testing, and even if I haven't resolved the problem yet, now I really know what the problem is.

    So here comes a brief description of the test:

    I tried doing a telnet to port 80 using the IP once again and I got the following response:




    301 Moved Permanently

    The document has moved here.

    Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g Server at Sistemas.lan Port 80


    The first time I ran the telnet I didn't read the response, I just said "Oh, it responded!" I feel really ashamed 😳

    Now I know that my Apache server is always redirecting the requests to mydomain.com, and inside my network Zeroshell doesn't know how to manage that.

    I wanted to be completely sure, so I opened a new browser, typed ftp://192.168.2.2 and accessed my anonymous FTP with no problem. Obviously ftp://mydomain.com didn't work.

    So the problem (and this time I'm sure) is that Zeroshell doesn't know how to take the request out to the Internet and return it to 192.168.2.2. So I think atheling's approach was completely correct, but there's still something missing in my configuration.

    Is there a way to troubleshoot atheling's approach, or could someone help me set up the Zeroshell DNS to redirect all mydomain.com requests directly to 192.168.2.2? I really prefer atheling's approach, because if at some point I need to add a second server I don't know if there's a way to add DNS resolving rules that give the client the correct IP depending on the port or application.

    Thanks again!!
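An added example, not from the thread, of reading the answer to that kind of telnet test mechanically instead of stopping at "it responded". The function takes a raw HTTP response on stdin plus the public hostname, prints the status code and the host named in any Location header, and returns 1 when the server is bouncing the client back out to the public name, which is the loop described above (Apache answering a request for 192.168.2.2 with a redirect to mydomain.com). The sample responses are constructed; `probe_http` assumes a netcat that accepts `-w`. As an aside on ppalias's proxy theory: the NAT listing earlier in the thread shows the Proxy chain with no rules in it, so Zeroshell's transparent proxy was not rewriting port 80 traffic here.

```shell
#!/bin/sh
# Added example: classify an HTTP response the way the thread's telnet test
# should have been read.  Given a raw response on stdin and the public
# hostname, print "<status> <location-host>" and return 1 when the server
# redirects to the public name, 2 for any other redirect, 0 otherwise.
classify_response() {
    pub_host=$1
    resp=$(tr -d '\r')                 # drop CR so sed sees plain lines
    status=$(printf '%s\n' "$resp" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    # Stop at the blank line that ends the headers; take the host part of the
    # first Location header (scheme://host[:port]/...).
    loc_host=$(printf '%s\n' "$resp" |
        sed -n -e '/^$/q' -e 's/^[Ll]ocation: *[A-Za-z]*:\/\/\([^\/:]*\).*/\1/p' |
        head -n 1)
    printf '%s %s\n' "${status:-?}" "${loc_host:--}"
    case "$status" in
        30[1278]) [ "$loc_host" = "$pub_host" ] && return 1 || return 2 ;;
        *)        return 0 ;;
    esac
}

# Live probe: ask the LAN address for "/" with the public name in Host:, as a
# browser would, and classify the answer.  Assumes a netcat that accepts -w.
probe_http() {
    ip=$1; pub_host=$2
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$pub_host" |
        nc -w 3 "$ip" 80 | classify_response "$pub_host"
}

# Example with a constructed response (the shape the thread's telnet showed):
#   printf 'HTTP/1.1 301 Moved Permanently\nLocation: http://mydomain.com/\n\n' |
#       classify_response mydomain.com
#   prints "301 mydomain.com" and returns 1: the server answers, but sends the
#   LAN client back out to the public name, which only works with hairpin NAT
#   or a LAN-side DNS entry for that name.
```

Run `probe_http 192.168.2.2 mydomain.com` from a LAN client; a return code of 1 means the fix belongs in DNS or NAT, not in the web server, while 2 means the redirect target itself is wrong and worth a look at the server's ServerName or Redirect configuration.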

    #50342

    ppalias
    Member

    It would be best to set up a master zone for your domain. Use ZS as the DNS server for your LAN clients so that the name can be resolved to the internal IP. I think I have written a tutorial with some pictures in this forum; do a search and I think you'll find it.

    #50343

    rsansores
    Member

    Thanks ppalias and atheling, finally I was able to solve the problem. The solution was, as ppalias said, to add a DNS server just for my LAN and redirect to my server the requests that match my domain name.

    Post that helped me:

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=1567&highlight=dns

    I will be trying the loopback POSTROUTING rule that atheling recommended, and if at some point I'm able to make it work I will post the solution.

    Thanks again,

    😀 😀 😀 😀
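An added example, not code from the thread or from Zeroshell, of the split-horizon setup ppalias describes and rsansores ended up with: shell functions that print a BIND master zone and a two-view named.conf fragment for review (Zeroshell's DNS is BIND, but where the files go in its UI is covered by the linked post, not here). The domain, addresses and file path are placeholders. The check function exists because an authoritative internal zone shadows the public one completely: any public name left out of it becomes NXDOMAIN for LAN clients rather than falling through to DynDNS, which is the usual way split DNS breaks mail or other services a week later.

```shell
#!/bin/sh
# Added example: split-horizon DNS for a LAN that reaches its own servers by
# the public name.  Prints a BIND master zone and a views fragment; nothing is
# installed by this script.  Domain, addresses and paths are placeholders.

# Internal master zone for DOMAIN.  Arguments after NS_IP are name=ip pairs;
# use "@" for the bare domain.  An authoritative internal zone shadows the
# public one completely: any public name omitted here becomes NXDOMAIN for LAN
# clients instead of falling through to the DynDNS records.
internal_zone() {
    domain=$1; ns_ip=$2; shift 2
    serial=$(date +%Y%m%d01)          # bump by hand if edited twice a day
    printf '$TTL 300\n'
    printf '@ IN SOA ns.%s. hostmaster.%s. ( %s 3600 900 604800 300 )\n' \
        "$domain" "$domain" "$serial"
    printf '@ IN NS ns.%s.\n' "$domain"
    printf 'ns IN A %s\n' "$ns_ip"
    for pair in "$@"; do
        printf '%s IN A %s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# Two views: LAN clients get the internal zone, everyone else gets no zone
# (the public answers stay at DynDNS) and no recursion.
named_views_conf() {
    domain=$1; lan_net=$2; zonefile=$3
    cat <<EOF
acl lan { $lan_net; 127.0.0.1; };
view "internal" {
    match-clients { lan; };
    recursion yes;
    zone "$domain" { type master; file "$zonefile"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    // deliberately no zone "$domain": public records are served by DynDNS
};
EOF
}

# Shadowing check: given zone text and the names published externally, print
# every name that has no internal A record; returns 1 if any is missing.
missing_names() {
    zone=$1; shift
    rc=0
    for n in "$@"; do
        printf '%s\n' "$zone" | grep -q "^$n IN A " || { printf '%s\n' "$n"; rc=1; }
    done
    return $rc
}

# Example (constructed values):
#   zone=$(internal_zone mydomain.com 192.168.2.254 @=192.168.2.2 www=192.168.2.2 svn=192.168.2.2)
#   missing_names "$zone" www svn mail   # prints "mail", returns 1
#   named_views_conf mydomain.com 192.168.2.0/24 /etc/bind/db.mydomain.com.internal
```

Verify from a LAN client with `dig @192.168.2.254 mydomain.com A` and from outside with any public resolver; the two answers should differ, LAN address inside and 200.52.x.x outside. On rsansores's question about a second server: DNS returns an address per name, never per port, so either give each service its own hostname (for example svn.mydomain.com and app.mydomain.com pointing at different LAN addresses) or keep hairpin NAT for a port-based split.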
