
I have a router with a certain static IP a.b.c.d that's connected to a Linux server on one side and to the internet on the other.

Accessing software installed on the Linux server from outside using the IP address a.b.c.d:portxx works fine.

However, if a browser opened by someone on the server itself tries to access the same software as a.b.c.d:portxx, it fails. Trying localhost:portxx again works fine.

So my diagnosis is that the DSL router is being dumb and not realizing that a.b.c.d is itself.

Is there a way to fix this, preferably without changing anything at the router? I.e., through /etc/hosts or some other mechanism on the server, can any packet going to a.b.c.d be rerouted to localhost?

Is this likely to break anything else?

curious_cat
  • You mean the router is forwarding traffic for `a.b.c.d` towards the Linux server, which presumably has a private IP address? This is not quite clear from your question. – wurtel Oct 07 '15 at 07:43
  • Try configuring a.b.c.d as an alias IP on lo:0; it should work (limited to a browser on the Linux server). – Ken Cheung Oct 07 '15 at 08:15

1 Answer

The problem is not in the router. The router does what it has been configured to do: it translates traffic destined for a.b.c.d:portxx to your Linux server. It doesn't work, but to understand why, you have to see what happens on the network. For example, your Linux server is 192.168.1.2 and your router is 192.168.1.1 on your LAN.

  • From the server you send a packet
  • src 192.168.1.2:1024 dst a.b.c.d:portxx
  • on the router the translation is made (back to the server)
  • src 192.168.1.2:1024 dst 192.168.1.2:portxx
  • the packet comes to the server application, which replies and sends a reply packet
  • src 192.168.1.2:portxx dst 192.168.1.2:1024
  • the packet comes to (stays on) the server, to the client application, but this connection is not known, because you initiated the connection to a.b.c.d and get a reply from 192.168.1.2 and not from a.b.c.d, so the packet is dropped.

So possible solutions:

1) On the router, if you can, set SNAT for packets coming from the local network to your NATed public IP. If you have a Linux router, try something like

# SNAT is only valid in POSTROUTING, and by then the port-forward DNAT has already
# rewritten the destination to the server's LAN address, so match on 192.168.1.2
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.2 -p tcp --dport portxx -j SNAT --to-source 192.168.1.1

You change the source address of packets going through the router from the inner network; the server application replies back to 192.168.1.1, and the SNAT rule, when it receives the reply, correctly maps the packet back to your client application on the server. This solution works for all inner-network computers, but on the server you see all requests coming from the router address 192.168.1.1.

2) On the server, you can REDIRECT the traffic with iptables

iptables -t nat -I OUTPUT -d a.b.c.d -p tcp --dport portxx -j REDIRECT --to-ports portxx

It redirects outgoing connections from your server to a local port on the server. I think this could be the best solution for your case.

3) Adding the a.b.c.d address on the server could be a solution for some cases, but sometimes the server daemon (it is application specific) does not listen on all IP addresses or gives a different reply for another address.

4) If you are using hostnames and not IP addresses, you can redefine them in /etc/hosts on the Linux server; this is the easiest and sometimes helps (DNS returns: linuxserver a.b.c.d), so in /etc/hosts you write the line

192.168.1.2 linuxserver

And connections from the Linux server to "linuxserver" go directly to 192.168.1.2.
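To make the packet walk in the answer concrete, here is a small Python model added as an illustration; it is not code from the answer or from any real NAT implementation. It uses the constructed stand-ins 203.0.113.5 for a.b.c.d and 8080 for portxx, models connection tracking as a plain mapping table, and shows why the untouched case is dropped while the router-side SNAT (fix 1), the server-side REDIRECT (fix 2) and configuring a.b.c.d on the server itself (fix 3) each make the reply match the 4-tuple the browser's socket is waiting on.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins: 203.0.113.5 plays the router's public a.b.c.d, 8080 plays portxx
PUBLIC = "203.0.113.5"
ROUTER_LAN = "192.168.1.1"   # router's LAN address, as in the answer
SERVER = "192.168.1.2"       # Linux server's LAN address, as in the answer
PORT = 8080
CLIENT_PORT = 1024           # ephemeral port the browser uses, as in the answer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p: Packet) -> Packet:
    """The 4-tuple a reply to p carries."""
    return Packet(p.dst, p.dport, p.src, p.sport)


class NatTable:
    """Minimal conntrack model: remember each NAT mapping so the reply can be
    un-translated on the way back, as netfilter does for every NAT rule."""

    def __init__(self):
        self.entries = {}

    def translate(self, p: Packet, **changes) -> Packet:
        t = replace(p, **changes)
        if t != p:
            self.entries[reverse(t)] = reverse(p)
        return t

    def untranslate(self, reply: Packet) -> Packet:
        # Undo chained mappings (e.g. DNAT followed by SNAT) one step at a time
        while reply in self.entries:
            reply = self.entries[reply]
        return reply


def router(p: Packet, ct: NatTable, hairpin_snat: bool) -> Packet:
    # PREROUTING DNAT: the port forward the questioner already has
    if (p.dst, p.dport) == (PUBLIC, PORT):
        p = ct.translate(p, dst=SERVER)
        # Fix 1: POSTROUTING SNAT so a LAN client's reply comes back via the router
        if hairpin_snat and p.src.startswith("192.168.1."):
            p = ct.translate(p, src=ROUTER_LAN)
    return p


def server_output(p: Packet, ct: NatTable, redirect: bool) -> Packet:
    # Fix 2: nat OUTPUT REDIRECT keeps the connection on the server itself
    if redirect and (p.dst, p.dport) == (PUBLIC, PORT):
        p = ct.translate(p, dst="127.0.0.1")
    return p


def attempt(hairpin_snat=False, redirect=False, alias=False) -> str:
    """A browser on the server connects to a.b.c.d:portxx; report whether the
    reply matches the 4-tuple the browser's socket is waiting on."""
    router_ct, server_ct = NatTable(), NatTable()
    request = Packet(SERVER, CLIENT_PORT, PUBLIC, PORT)
    p = server_output(request, server_ct, redirect)
    if alias or p.dst == "127.0.0.1":
        # Fix 3 (a.b.c.d configured on lo) or fix 2: the packet never leaves the
        # host and the local daemon answers from the address it was reached on
        reply = reverse(p)
    else:
        p = router(p, router_ct, hairpin_snat)
        reply = reverse(p)                      # daemon on 192.168.1.2 answers
        if reply.dst == ROUTER_LAN:             # only a hairpin-SNATed reply crosses the router
            reply = router_ct.untranslate(reply)
    reply = server_ct.untranslate(reply)
    if reply == reverse(request):
        return "accepted"
    return f"dropped: reply from {reply.src}:{reply.sport}, socket expects {PUBLIC}:{PORT}"


if __name__ == "__main__":
    cases = [("no fix", {}), ("router SNAT", {"hairpin_snat": True}),
             ("server REDIRECT", {"redirect": True}), ("a.b.c.d on lo", {"alias": True})]
    for name, kw in cases:
        print(f"{name:16} -> {attempt(**kw)}")
```

Running it prints one line per scenario: the untouched case reports a reply from 192.168.1.2:8080 where the socket expects 203.0.113.5:8080 (the mismatch the answer describes), and the three fixes all report "accepted". The model deliberately ignores port remapping and conntrack timeouts; it only tracks the address rewrites that decide whether the reply is recognised.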