networking - how can i forward requests to my own IP address to a local IP address in my network (possibly using named)?

07
2014-07
  • tmsimont

    My setup

    I have a linux server running in my basement. I currently have my router looking to that server for DNS lookup, so I can use named to spoof a bunch of domain names to point to my local server's local address, 192.168.0.111. This works great.

    I am also running Apache and PHP on this server, and have forwarded port 80 on my router to this machine, so my public IP xx.xxx.x.xx is sent to the basement server.

    This is a great development setup for me, because I can develop websites in my local network and pull them up on numerous devices with a *.mylocal.net address. I can also quickly share a website on my public IP with others that are outside of my network.

    I have a static IP, so that makes this even easier.

    The problem

    Some applications need to have an absolute URL. My spoofed DNS doesn't work outside my network, and neither does my internal IP address.

    I need to be able to access the sites at the same IP that they are accessed publicly, which is my public IP: xx.xxx.x.xx.


    For some reason, I can't access my own public IP address from within my own network.

    My router's public IP is xx.xxx.x.xx, and when I hit xx.xxx.x.xx from outside my network I see exactly what I want -- my development website. But, when I hit xx.xxx.x.xx from inside my network, the connection times out.


    I assume my ISP has a firewall that blocks requests from xx.xxx.x.xx to xx.xxx.x.xx where the origin and the destination are the same IP (or maybe this is impossible on any network?)

    So how can I set up my network to forward the internal request to my public IP to the local IP of my basement server?

    I would like to do this within the local DNS server I set up, or in my router, so the change can be applied to all devices in my network, and not just the basement server or the windows tablet/laptop, etc. individually.

  • Answers
  • LPChip

    This is normal to happen. The problem is not a firewall at ISP level, but simply your router. When you point to an address from inside your LAN to a public IP that is inside your LAN, the following happens:

    Your PC -> Your Router -> Internet -> Your Router -> Your other PC.

    The problem is that when a connection to the internet is then redirected back to your router, your router gets confused because the connection already is coming from your router, and as such it's not working. The only way to get this working is by making the public address point to your local network from inside your network, so it never leaves your LAN.

    Given that you already have your DNS server on your linux server, add your mylocal.net domain and all subdomains there, and make it point to your local IP address, 192.168.0.111, and ensure that the actual mylocal.net account does the real DNS for the outside world.

    Here is an example with what will happen:

    Let's assume you have configured test.mylocal.net to point to your public IP, 12.34.56.78.

    Now, from outside your LAN, pinging test.mylocal.net will reply to 12.34.56.78.

    On your Linux DNS server, you add test.mylocal.net and point it to 192.168.0.111.

    When you are inside your network, and you enter test.mylocal.net in your browser, the following happens:

    • Browser: Is a local host set with test.mylocal.net? No.
    • Browser forwards the request to the local DNS server.
    • Local DNS server is your linux DNS server: Is test.mylocal.net set? Yes, return 192.168.0.111
    • Browser now connects to your webserver and shows the page.

    From outside the network:

    • Browser: Is a local host set with test.mylocal.net? No.
    • Browser forwards the request to the local DNS server.
    • Local DNS server is someone's router or DNS server.
    • Local DNS server does not have a specific entry for test.mylocal.net, returns no.
    • Local DNS server asks internet DNS server what the IP is.
    • Internet DNS server has received your test.mylocal.net with an update and returns the public IP.
    • Browser does request to your public IP.
    • Browser connects to your router.
    • Router forwards request to your linux server.
    • Linux server serves the webpage.
    • Browser shows the webpage.
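
    An added example of the split-horizon setup described in this answer, written for BIND (the `named` the question mentions); it is not part of the answer. The LAN range, the public address 12.34.56.78, the zone name mylocal.net and the file paths are assumptions taken from the thread's own placeholders. The zone is served with private addresses only to LAN clients, while the public records for mylocal.net stay with whoever hosts the real zone, exactly as the answer suggests.

```conf
// /etc/named.conf  (added example; addresses and paths are assumptions)

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // Only the LAN may query or recurse through this server: the private
    // addresses below must never be served to the internet, and a resolver
    // reachable from outside would be an open resolver.
    allow-query     { lan; };
    allow-recursion { lan; };
    listen-on       { 192.168.0.111; 127.0.0.1; };
};

// Local override for the whole domain. Clients that use this resolver get
// 192.168.0.111 for every name under mylocal.net instead of the public IP,
// so the request never has to leave the LAN.
zone "mylocal.net" {
    type master;
    file "mylocal.net.internal";
};

; /var/named/mylocal.net.internal  (zone file; ';' starts a comment here)
$TTL 300
$ORIGIN mylocal.net.
@     IN SOA ns1.mylocal.net. hostmaster.mylocal.net. (
          2014070701 ; serial, bump it on every change
          3600       ; refresh
          900        ; retry
          604800     ; expire
          300 )      ; negative-caching TTL
@     IN NS  ns1.mylocal.net.
ns1   IN A   192.168.0.111
@     IN A   192.168.0.111
test  IN A   192.168.0.111   ; the host from the worked example above
*     IN A   192.168.0.111   ; any other subdomain, e.g. a new dev site
```

    Check the files with `named-checkconf /etc/named.conf` and `named-checkzone mylocal.net /var/named/mylocal.net.internal`, reload named, and confirm from a LAN machine that `dig @192.168.0.111 test.mylocal.net +short` returns 192.168.0.111 while a public resolver still returns 12.34.56.78. One caveat: if this same server were also the public authoritative server for mylocal.net, the single zone above would leak private addresses or hide the public ones; in that case use two BIND views (`match-clients { lan; }` and `match-clients { any; }`), each with its own zone file. The single-zone form works here only because the public records are hosted elsewhere.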

  • Related Question

    networking - Internet filtering on iPad / DNS lookups
  • momo1729

    I would like to prevent access to adult websites on iPads by filtering them out. How can I stop people if they know the website's IP?

    Allow me to explain a bit further.

    I have set up OpenDNS's Family Shield as the default DNS provider for my home network and forced all DNS connections to go through it by blocking outbound UDP/TCP traffic on port 53 on my router. Now I am looking for a way to block any attempt to access websites by typing their IP addresses directly, which makes the DNS config useless. Would this be possible?

    Note:

    OpenDNS is set to Family Shield which, as the name suggests, filters adult content and connections to proxies. I do not have a spare computer at home on which I could install something like Untangle. I do not want to block internet access, but block that which is unwanted: the one that would be blocked by Family Shield and that the user would manage to access because they know the website's IP.


  • Related Answers
  • ernie

    DNS servers only provide a mapping of a name to an IP address.

    You're looking to block users who already have a remote IP address from reaching a server, meaning the step that the DNS server would have done is already completed.

    The level of filtering you're asking for will need to be done with a proxy server or similar, where requests to IP addresses will fail.

    This solution also falls apart in that many legitimate sites will use IP addresses.

    What you really need is a true proxy server, and then to subscribe to some blacklist, and block access to those sites. dd-wrt won't do this (as far as I know). You can manually block sites, but you'd have to add an iptables rule for each site, and you'd be playing a never ending game of cat-n-mouse. That's why you'd want to subscribe to some blacklist, or use dd-wrt to redirect all traffic through a proxy.

    As @ScottChamberlain has mentioned in the comments, if you have a high end router, you can try and install dd-wrt, then install a squid plugin on it, and finally subscribe to a blacklist (which you would need to download and then import into squid regularly; you could probably do this via a cron job with a simple script).

    Dansguardian and squidguard streamline this last step by providing auto-updating blacklists, but I don't believe either can run in dd-wrt.

    In most cases, the processing demands for going through such a blacklist (which can have over 2m entries) are too much for home routers, which is why people end up using separate computers for this, or commercial services. In fact, I have never heard of any router which can run a full solution as outlined above - that doesn't mean the hardware doesn't exist, just that I haven't seen any references to such hardware, and generally just see references to saying that you need to use separate computers to achieve the level of filtering you're attempting.

  • Ярослав Рахматуллин

    You can configure a firewall, either on the router or on the iPad devices. Configure the firewall to drop packets to and from the undesired IP addresses.

    I would put a firewall distro of GNU/Linux on your spare computer, or even a BSD firewall. Then force all internet traffic through that. Alternatively you could visit the dd-wrt router database and see if your current router is supported.

    Firewall-OS distributions: