DMZ and no access to ports on public ip?

Bung your custom rules in a separate script, then use a sleep timer to delay the execution of the script, on each startup:

sleep 60
/etc/myfirewallrules

Thank you very much, will look for that..


Isn't that the correct path to execute it automatically?

/etc/init.d/iptables_custrules.hm

instead of

/etc/iptables_custrules.sh

?

https://openwrt.org/docs/techref/preinit_mount may contain some relevant information.

Can you disable NAT on the OpenWrt router?

No. Because of that I think I need to change my ISP soon!!
Now the problem is that the service seems to run too early:

NAT loopback is the problem. But I have a DMZ, configured by the ISP.

Since you've got control over DNS, either through DHCP or by configuring "your" clients, make it easy on yourself and set up a "local override" for www.example.com to 192.168.1.171


I don't like domain-to-IP entries on the client, e.g. the Windows hosts file or something like that...

And I need to check that the web service runs on the public IP address!! There is no other way!!!

Maybe my smartphone, Tor Browser or a VPN connection to bypass the NAT loopback problem... no, not really...!!

You're making it far too complicated.

  • DHCP points clients to "your" local DNS server
  • Clients on your network with static addresses you point to your local DNS server
  • That server gives out 192.168.1.171 as the A record for www.example.com

No need to know your public IP address for any internal hosts.

I do this with unbound on my network for my public-facing mail, web, and MQTT hosts. You should be able to do the same with dnsmasq as well.

I don't have my own local DNS. My router relays to public DNS servers.

Much easier to set up dnsmasq or unbound than all you're trying to do.

Even if you get half of hairpin NAT working, how are you going to deal with the return packets if the two hosts are on the same network?

Outbound packet

192.168.1.100 => publicIP gets routed to 192.168.1.1 and NAT-ed to
192.168.1.100 => 192.168.1.171

Return packet

192.168.1.171 => 192.168.1.100 which is link-local and never touches the router

Your host never sees publicIP => 192.168.1.100


Edit -- Here's what I would do

Ignore the subnet that your ISP gives you, configure your OpenWrt WAN for 192.168.254.2 -- that's effectively a one-to-one mapping of your public IP.

Put all your hosts behind the OpenWrt box.

Set up dnsmasq on your OpenWrt box to provide DHCP and DNS

Set up dnsmasq on your OpenWrt box to resolve whatever hostname(s) you want to the IP of the service host on your behind-OpenWrt net.

Set up port forwarding on your OpenWrt box to forward 192.168.254.2:nnnn to the IP and appropriate port of the service host on your behind-OpenWrt net.

Done.

Want a little more security? Put your service hosts on their own subnet and route to them from your internal hosts. Firewall as appropriate between the two. (I personally wouldn't trust the security of "win10 machine with apache" exposed to the Internet.)

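Added example, not code from the thread: a small Python model of the router's NAT table that walks the packet flow described above for a LAN client with and without the hairpin SNAT rule (the one in the poster's script), and for an outside client. The public IP 203.0.113.5 and the outside client 198.51.100.7 are assumed documentation addresses; the LAN addresses are the ones used in the thread.

```python
from dataclasses import dataclass

# Addresses from the thread (client, server, router); the public IP and the
# outside client below are assumed documentation addresses, not values from the post.
ROUTER, PUBLIC_IP = "192.168.1.1", "203.0.113.5"
CLIENT, SERVER = "192.168.1.100", "192.168.1.171"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_lan(ip: str) -> bool:
    """True for hosts the server reaches directly on the LAN (not via the router)."""
    return ip.startswith(LAN_PREFIX) and ip != ROUTER


def simulate(client_ip: str, hairpin_snat: bool) -> Packet:
    """Return the reply packet as the client finally sees it.

    hairpin_snat=False: only the PREROUTING DNAT publicIP:80 -> SERVER exists.
    hairpin_snat=True:  plus the POSTROUTING SNAT from the thread's script
                        (-s LAN -d SERVER -j SNAT --to-source ROUTER).
    """
    request = Packet(client_ip, PUBLIC_IP)
    translated = Packet(request.src, SERVER)            # DNAT: dst -> server
    if hairpin_snat and on_lan(request.src):
        translated = Packet(ROUTER, translated.dst)     # SNAT: src -> router
    # conntrack: reply tuple of the translated flow -> reply tuple of the original
    conntrack = {(translated.dst, translated.src): (request.dst, request.src)}
    reply = Packet(SERVER, translated.src)              # server answers whoever it saw
    if on_lan(reply.dst):
        return reply                # delivered on-link; the router never sees it
    orig_src, orig_dst = conntrack[(reply.src, reply.dst)]
    return Packet(orig_src, orig_dst)                   # router undoes both translations


def client_accepts(client_ip: str, reply: Packet) -> bool:
    """The client only matches a reply that comes from the address it connected to."""
    return reply == Packet(PUBLIC_IP, client_ip)
```

Without the SNAT the LAN client gets a reply from 192.168.1.171 instead of the public IP and drops it; with it, or for an outside client, the reply comes back through the router and is translated correctly. OpenWrt's `reflection` option on a redirect installs this kind of SNAT for you, while the local DNS override avoids the whole detour.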

That's what I have done, the port forward works. But the problem was the access to my external IP from my own subnet (where the server is)...

-> "NAT loopback". And yes, it occurs too when I put my server directly into the 192.168.254.xx zone of the ISP's router. So the NAT loopback problem is there, and not on OpenWrt...

The Win10 machine with Apache is just for testing. It's my own laptop and not a server.

Now I have one more strange problem: "/etc/init.d/fwrules disable" does not remove the entries in "/etc/rc.d/" anymore. Yesterday, if I remember right, there wasn't a problem like that:

root@OpenWrt:/etc/rc.d# /etc/init.d/fwrules enable
root@OpenWrt:/etc/rc.d# ls
K10gpio_switch   K98boot          S11sysctl        S35odhcpd        S95done
K50dropbear      K9999fwrules     S12log           S50cron          S96led
K85odhcpd        K99umount        S12rpcd          S50dropbear      S98sysntpd
K89log           S00sysfixtime    S19dnsmasq       S50uhttpd        S9999fwrules
K90network       S10boot          S19firewall      S80ucitrack      S99urandom_seed
K90sysfixtime    S10system        S20network       S94gpio_switch
root@OpenWrt:/etc/rc.d# /etc/init.d/fwrules disable
root@OpenWrt:/etc/rc.d# ls
K10gpio_switch   K98boot          S11sysctl        S35odhcpd        S95done
K50dropbear      K9999fwrules     S12log           S50cron          S96led
K85odhcpd        K99umount        S12rpcd          S50dropbear      S98sysntpd
K89log           S00sysfixtime    S19dnsmasq       S50uhttpd        S9999fwrules
K90network       S10boot          S19firewall      S80ucitrack      S99urandom_seed
K90sysfixtime    S10system        S20network       S94gpio_switch
root@OpenWrt:/etc/rc.d#

The entries "K9999fwrules" and "S9999fwrules" are still there...

And a "disable_service" method is not accepted, so it seems. Nothing happens:

#!/bin/sh /etc/rc.common
# chkconfig: 5 9999 9999

START=9999
STOP=9999

# Note: rc.common's own "disable" command removes /etc/rc.d/S??<name> and
# K??<name>, i.e. only two-character priorities, so the links created from a
# four-digit START/STOP are not matched. rc.common does not call a
# disable_service hook either, so the function at the bottom never runs.

start() {
	set -x
	# sleep 30
	rm /etc/init.d/public_ip.txt > /dev/null 2>&1
	# look up the current public IP (needs a working WAN and DNS at this point of boot)
	wget -qO- https://api.ipify.org > /etc/init.d/public_ip.txt

	for IP in $(cat /etc/init.d/public_ip.txt); do
		# DNAT incoming port 80 on the public IP to the web server
		# (the --to-destination argument is cut off in the original post)
		iptables -t nat -A PREROUTING -d x.x.x.x -m tcp -p tcp --dport 80 -j DNAT --to-destination $
	done

	# hairpin SNAT: LAN clients reaching the server via the DNAT get the router
	# as source, so the server's replies come back through the router
	iptables -t nat -A POSTROUTING -d 192.168.1.21 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
	# rm -f /etc/init.d/public_ip.txt
}

stop() {
	rm /etc/init.d/public_ip.txt > /dev/null 2>&1
}

disable_service() {
	rm -f /etc/rc.d/K9999fwrules
	rm -f /etc/rc.d/S9999fwrules
}

"sh /etc/init.d/fwrules disable" does not help either. The entries "S9999fwrules" and "K9999fwrules" are still in "/etc/rc.d/".

Is it because of "# chkconfig: 5 9999 9999" ?

That's the only change when I compare it to the previous version...(?)

Yes, it's 100% not disabled. "public_ip.txt" is re-generated after a reboot..