network/routing wonkiness
Lonni J Friedman
netllama at gmail.com
Mon Jul 23 09:10:13 PDT 2012
On Mon, Jul 23, 2012 at 6:45 AM, David A. Bandel <david.bandel at gmail.com> wrote:
> On Sun, Jul 22, 2012 at 3:12 PM, Lonni J Friedman <netllama at gmail.com> wrote:
>> For years, my home network has experienced a strange routing quirk
>> which has mystified me. For reasons that I'd prefer not to bore
>> anyone with, I won't get into why I'm speaking up about it now. The
>> issue is as follows. I run a web server on my home network, and all
>> the IP addresses on this network are non-routable (10.xxx.xxx.xx).
>> That same webserver is accessible over the internet, with a real,
>> routable (quasi)static IP address. If any device/system on my home
>> network attempts to access the webserver, it will timeout & fail 100%
>> of the time. However, if I hard code the non-routable static IP of
>> the webserver in /etc/hosts with the same internet accessible domain
>> name, then any system on my home network can access the webserver just
>> fine. Note, this is *not* a port issue. I'm able to hit the same
>> apache server port regardless of whether I'm inside the network, or
>> out on the internet.
>>
>> What I'm failing to grasp is why I am seemingly unable to route
>> traffic from my home network out over the internet, and back to my
>> webserver. Either I've got something bizarre misconfigured somewhere,
>> or there's some law of networking that I'm not grasping.
>>
>> thanks
>
> short answer: firewall (iptables) rules.
>
> long answer:
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP
>
> If you understand the above, you'll understand what's happening. You
> must hit the external IP by entering via your router's external
> address from outside. You can't hit your external address from inside
> because the packets aren't entering via the external interface, but
> via the router's localhost interface.
>
> So basically, it's a packet routing issue inside your router. If you
> can get in via a CLI and remove the $EXTERNAL_INTERFACE (basically
> allowing the packet to port 80 to come from anywhere), then it should
> start working (but may break other things).
Thanks, that makes sense. Unfortunately, while my router does have
shell access, it uses ipchains (rather than iptables), with a 2.0.x
kernel. I never could grok ipchains rules, no matter how hard I
tried. There are tons of ipchains -> iptables conversion tools, but
sadly, not the reverse. Anyway, remember how to do this with ipchains?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama at gmail.com
LlamaLand https://netllama.linux-sxs.org
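The mechanism David describes (a DNAT rule that only matches on the external interface, so a LAN client addressing the public IP never hits it) and the usual fix, "hairpin" or reflected NAT, as an added example that is not part of the thread and not anyone's actual router configuration. It is written for iptables, which the ipchains router in the thread does not have. The interface names (eth0 external, eth1 LAN), the public IP 203.0.113.10 (documentation range) and the web server address 10.0.0.80 are constructed placeholders. The functions only build and classify rules; nothing touches the live firewall unless the script is run with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All addresses and
# interface names below are constructed placeholders.

EXT_IF=${EXT_IF:-eth0}               # router's internet-facing interface
LAN_IF=${LAN_IF:-eth1}               # router's home-network interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10} # router's routable address
WEB_IP=${WEB_IP:-10.0.0.80}          # web server on the 10.x network
LAN_NET=${LAN_NET:-10.0.0.0/24}      # home network

# The port-forward as described in the reply: it redirects only packets
# that arrive on the external interface. A LAN client's packet to the
# public IP arrives on LAN_IF, so it never matches and is delivered to
# the router's own TCP stack instead of the web server.
external_dnat_rule() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $WEB_IP"
}

# Hairpin NAT fix, two rules:
#  1. also DNAT LAN traffic that is addressed to the public IP;
#  2. MASQUERADE that traffic on the way out to the LAN, so the server
#     replies to the router rather than straight to the client. Without
#     rule 2 the client sends SYN to PUBLIC_IP but gets SYN-ACK from
#     10.0.0.80, discards it, and the connection times out, which is the
#     symptom described at the top of the thread.
hairpin_rules() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $WEB_IP"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $WEB_IP --dport 80 -j MASQUERADE"
}

# Classify where a packet to port 80 ends up under a given rule set.
#   $1 = rule set ("external" = only external_dnat_rule, "hairpin" = both)
#   $2 = interface the packet arrived on
#   $3 = destination IP on the packet
packet_path() {
    mode=$1; in_if=$2; dst=$3
    if [ "$dst" != "$PUBLIC_IP" ]; then
        echo "routed normally (not addressed to the public IP)"
        return 0
    fi
    if [ "$in_if" = "$EXT_IF" ]; then
        echo "DNAT->$WEB_IP"
    elif [ "$mode" = "hairpin" ] && [ "$in_if" = "$LAN_IF" ]; then
        echo "DNAT->$WEB_IP + MASQUERADE"
    else
        echo "delivered to the router itself (no DNAT match)"
    fi
}

# Print the full rule set; apply it only when explicitly asked and running as root.
show_rules() {
    external_dnat_rule
    hairpin_rules
}

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    show_rules | while read -r rule; do
        echo "+ $rule"
        eval "$rule"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    echo "# external-only rule:"; external_dnat_rule
    echo "# hairpin fix:";        hairpin_rules
    echo "# LAN client -> public IP, external-only: $(packet_path external "$LAN_IF" "$PUBLIC_IP")"
    echo "# LAN client -> public IP, hairpin:       $(packet_path hairpin "$LAN_IF" "$PUBLIC_IP")"
fi
```

Run without arguments to see the generated rules and the packet classification; the /etc/hosts trick from the original post is the other common workaround (split-horizon DNS) and avoids NAT altogether, at the cost of maintaining the entry on every LAN host.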