Port Forward/NAT Loopbacks

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Port Forward/NAT Loopbacks

Post by hotzenpl0tz »

OK, this might be troublesome to implement with a working QoS (or maybe not? I don't have the skills to think this through):

What I would really like is having port forward loopbacks, see this for reference:

http://www.sbtechsolutions.biz/setting- ... on-openwrt

Essentially what I would like:

I have a web server set up; the server has the IP (example) 192.168.2.10 and the hostname "myserver". This server has several services running that are accessible via HTTP APIs.

To illustrate:

Server / service with Python web server / Apache set up as reverse proxy with HTTP auth layer, accessible as http://myserver:80 in my local LAN.

The server is also externally accessible via DynDNS:
http://myserver.dyndns.org:8080 - with port forwarding set up so I access the transparent Apache reverse proxy externally.

Now what I essentially want to have: I want to be able to access my server IN my LOCAL network with the external DynDNS IP.
At the moment, when my laptop is connected locally I have to use http://myserver:80, and when I am connected externally (in university, at my parents' house, UMTS etc.) I have to access it with the DynDNS name.
This is a problem because I have some browser plugins that automatically communicate with web services on my server - that want an IP specified (of course) - and I have to change that IP every time depending on whether I am local or external, because internally I cannot use the DynDNS address to connect (which would be quite cool). The solution I found on the net is said loopbacks - but I have no idea if they are easy to implement with a QoS script in between.

Thanks for your consideration :)

edit: for more info, I found this forum post where somebody modified the OpenWrt QoS scripts to do what I want, I think:
http://forum.openwrt.org/viewtopic.php?id=4578

edit2:
Did some thinking - as an alternative I noticed I could try and do some dnsmasq trickery by writing the external domain into the hosts file as a domain. This should work if I change my web server to also respond to port 8080 requests (atm external requests to 8080 are forwarded to myserver:80) for what I want to achieve. My request still stands if feasible, but I think for the time being that could be a solution :)

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Port Forward/NAT Loopbacks

Post by Eric »

The link you post at the top has the right idea for doing it using iptables. The second link is just a hack to insert iptables rules using QoS variables on the ancient OpenWrt White Russian firmware.

You can certainly make it work using iptables, as in the first link, ... BUT there's a drawback: ALL traffic to port 8080 from inside your network will get forwarded to port 80 on your web server. So if you want to connect to http://www.some-other-webserver:8080, you're going to get your own server. This might be acceptable though if, instead of 8080, which is a fairly commonly used port, you set your forward to use some very rarely used port.

So, given that caveat, here is how you do it. You need 3 iptables rules. Assuming you are using the latest Gargoyle, which is based on the latest OpenWrt Kamikaze 8.09, and that you have a web server running on [web_server_ip] on port 80, and you want to forward from port 8080, these are the rules you need to add:

iptables -t nat -A zone_lan_prerouting -p tcp --dport 8080 -j DNAT --to-destination [web_server_ip]:80
iptables -t filter -A forwarding_lan -p tcp --dport 80 -d [web_server_ip] -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d [web_server_ip] -o br-lan -j MASQUERADE

Now, these are the rules you need to add. There is no functionality in the UCI firewall system to do this automatically. So, put these three rules in the /etc/my_rules.firewall file. Then add these lines to the end of the /etc/config/firewall file:

config include
      option path '/etc/my_rules.firewall'

This will cause your rules to be included whenever the firewall is restarted.

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Re: Port Forward/NAT Loopbacks

Post by hotzenpl0tz »

Aha - that makes sense. After some web research I also found an iptables code snippet somewhere that looks like this:

iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTERNALIP --dport $FROM_PORT -j DNAT --to-destination $SERVERIP:$TO_PORT
iptables -t nat -A POSTROUTING -o $INTIF -p tcp --dport $TO_PORT -d $SERVERIP -s $LAN_NET -j SNAT --to-source $INTERNIP_FIREWALL
iptables -A FORWARD -i $INTIF -o $INTIF -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Now I don't (yet) have the iptables knowledge to really think this through (though I am getting interested, I think I will do some research), but in that code snippet I can specify an external IP. Doesn't that mean there should be a way to limit the loopback to the DynDNS IP I specified in the web interface? My thinking was that this would maybe enable it to be set up in the web interface - when specifying a DynDNS server, add a checkbox to enable/disable NAT loopback for that address and, assuming I can't use a port range here, maybe a field to specify the required port. On the other hand, it might be a lot easier, since dnsmasq is there anyway, to just do what I did and just edit the hosts file. Not sure what advantages/disadvantages that has.

Btw: DD-WRT seems to have a NAT loopback feature - how exactly does that work there?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Port Forward/NAT Loopbacks

Post by Eric »

Well, since DD-WRT has this feature, I guess I really have no choice but to implement it in Gargoyle.... So I did last night :-D

The latest bleeding edge firmware, now available in the download section, should have NAT loopback automatically enabled for port forwarding.

The trick is that you can specify the WAN IP in the first rule to eliminate the problem I mentioned before with the rule applying to all traffic to the relevant port ... but this doesn't work if you have a WAN IP assigned via DHCP, since it will change periodically. The way around that is to refresh all the NAT loopback rules in a hotplug script every time the WAN interface goes down and comes back up. So, that's how I implemented it.

I tested it (briefly) and the new solution seems to work. Let me know if you have any problems with it.
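Putting Eric's two posts together (the three rules from his first reply, and the "match the WAN IP, refresh from hotplug" approach from this one), here is an added example of how such a script can look. It is not Gargoyle's own implementation or Eric's code. It assumes the Kamikaze 8.09 chain names from the first reply, a WAN interface named eth0.1, a state file under /tmp, and a constructed forward from WAN port 8080 to a web server at 192.168.2.10:80; set IPT="echo iptables" to see the rules without root.

```shell
#!/bin/sh
# Added example, not Gargoyle's own implementation: NAT loopback rules for one
# port forward, restricted to the current WAN address and refreshed from an
# OpenWrt hotplug script so a DHCP-assigned WAN IP does not leave stale rules.
# Chain names are the Kamikaze 8.09 ones from Eric's post; the WAN interface
# name, the state file and the web server address are assumptions.

WAN_IF="${WAN_IF:-eth0.1}"                    # assumption: your WAN interface
STATE="${STATE:-/tmp/nat_loopback_wanip}"     # remembers which WAN IP the rules use
IPT="${IPT:-iptables}"                        # set IPT="echo iptables" for a dry run

# Print the IPv4 address of an interface, or nothing if it has none.
wan_ip() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# Print the three loopback rules for one forward, one per line.
#   $1 action (-A add, -D delete)   $2 WAN IP   $3 WAN port
#   $4 LAN server IP                $5 LAN server port
# Matching "-d <WAN IP>" in the DNAT rule is what removes Eric's caveat: only
# traffic aimed at our own public address is redirected, not every packet
# from the LAN to that port.
loopback_rules() {
    printf '%s\n' \
      "-t nat $1 zone_lan_prerouting -p tcp -d $2 --dport $3 -j DNAT --to-destination $4:$5" \
      "-t filter $1 forwarding_lan -p tcp -d $4 --dport $5 -j ACCEPT" \
      "-t nat $1 postrouting_rule -p tcp -d $4 --dport $5 -o br-lan -j MASQUERADE"
}

# Feed each rule to iptables. Deleting a rule that is already gone is harmless;
# failing to add one is an error.
apply_rules() {
    action=$1
    loopback_rules "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  -- word splitting of the rule is intended
        $IPT $rule || [ "$action" = "-D" ]
    done
}

# Drop the rules installed for the previous WAN IP (if any), then install rules
# for the current one. Arguments: WAN port, server IP, server port.
refresh_loopback() {
    old=$(cat "$STATE" 2>/dev/null || true)
    new=$(wan_ip "$WAN_IF")
    if [ -n "$old" ]; then
        apply_rules -D "$old" "$@"
        rm -f "$STATE"
    fi
    if [ -n "$new" ]; then
        apply_rules -A "$new" "$@"
        echo "$new" > "$STATE"
    fi
}

# When installed as /etc/hotplug.d/iface/50-nat-loopback, OpenWrt runs this
# with ACTION=ifup or ifdown and INTERFACE=wan each time the WAN link changes.
if [ "$INTERFACE" = "wan" ] && { [ "$ACTION" = "ifup" ] || [ "$ACTION" = "ifdown" ]; }; then
    # constructed forward: WAN:8080 -> 192.168.2.10:80
    refresh_loopback 8080 192.168.2.10 80
fi
```

Keeping the previous address in a state file matters: a plain "add on ifup" script would accumulate one DNAT rule per lease change, and each stale rule still redirects LAN traffic to whatever host now holds that old public address.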

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Re: Port Forward/NAT Loopbacks

Post by hotzenpl0tz »

Way cool! Thanks a lot, you really made my day :) Will test this evening or tomorrow.

Btw: I have been trying to find the donation button on the site here to give back a bit but didn't find one :) If you want to set one up, I would be glad to donate a bit for all the work you are putting into your project.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Port Forward/NAT Loopbacks

Post by Eric »

Well, since you asked nicely...

You'll now find a donation button on your left.

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Re: Port Forward/NAT Loopbacks

Post by hotzenpl0tz »

Great, added some to your pizza purse :D
