DMZ and no access to ports on public IP?

Look, it just works.

I also pretty much guarantee you'll be putting up another 40 to 100 posts of your personal notes when you find out that you can't configure the return packets if you try to continue on the path you're on with packet mangling.

Outside hosts:

  • Get your public DNS
  • Connect to whatever your public IP address is
  • Your ISP NATs that and delivers it to you on 192.168.254.2
  • Your OpenWrt box NATs and delivers to 192.168.1.171
  • Return packets follow the reverse path

Inside hosts:

  • Get your local DNS
  • Connect to 192.168.1.171
  • Return packets return on link

Yes, there is. You check it from outside your network. Besides, the configuration you're setting up will not confirm that your server works from the global Internet. You even said that yourself:

You make this entry on the OpenWrt router, not the clients.

I have to agree with @jeff:

It often does not work to access your own public IP via your own ISP connection. As others said, that requires the ISP's systems to "hairpin" packets back at you, which many do not do.

If your ISP won't hairpin, you have to do the DNS workaround, so what appears to be a public connection from inside is actually handled locally.

A true test of whether your server can be reached from the Internet would require a separate Internet connection such as a phone, or making a request originated from a third-party server on the Internet. For example, subscribe to a VPN service, then go to your own web server via the VPN.


Thanks to everyone!! :)

It works "not bad" so far. More is here, for German speakers: https://debianforum.de/forum/viewtopic.php?f=18&t=170787

With best regards,
Jan

"It works 'not bad' so far."

Most current version of my script:

#!/bin/sh /etc/rc.common
# chkconfig: 5 9999 9999

START=9999
STOP=9999

start() {
set -x
# Cache the current public address; rm -f so a missing file on the first run is not an error.
rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
wget -qO- https://api.ipify.org > /etc/init.d/public_ip.txt
for IP in $(cat /etc/init.d/public_ip.txt);
do
  # Skip anything that is not a dotted-quad address (e.g. an HTML error page from the lookup),
  # so garbage never ends up inside an iptables rule.
  case "$IP" in ''|*[!0-9.]*) continue ;; esac
  # DNAT: traffic for the public IP is rewritten to the internal servers.
  # Note that this exposes SSH (24) and MySQL (3306) directly to the Internet.
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 24 -j DNAT --to-destination 192.168.1.26:22;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.21:81;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 444 -j DNAT --to-destination 192.168.1.21:444;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 3306 -j DNAT --to-destination 192.168.1.26:3306;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9000 -j DNAT --to-destination 192.168.1.21:9000;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9001 -j DNAT --to-destination 192.168.1.21:9001;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9002 -j DNAT --to-destination 192.168.1.21:9002;

  # POSTROUTING: hairpin (reflection) SNAT. After the DNAT above, a LAN client's
  # connection to the public IP is LAN -> LAN; rewriting its source to the router's
  # LAN address makes the server reply via the router, which un-DNATs. The rule as
  # originally posted matched the router's own WAN address (192.168.254.2), which
  # forwarded traffic never carries, so it never fired. br-lan is the OpenWrt
  # default LAN bridge; adjust if yours differs.
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o br-lan -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.1;
done
}

stop() {
  rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
  /etc/init.d/firewall stop
  /etc/init.d/firewall start
}

disable() {
  rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
  rm -f /etc/rc.d/K9999fwrules > /dev/null 2>&1
  rm -f /etc/rc.d/S9999fwrules > /dev/null 2>&1
  /etc/init.d/firewall stop
  /etc/init.d/firewall start
}

restart() {
  stop
  start
}

Most current version, but I'm not sure about the POSTROUTING part of it.

#!/bin/sh /etc/rc.common
# chkconfig: 5 9999 9999

START=9999
STOP=9999

start() {
set -x
rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
wget -qO- https://api.ipify.org > /etc/init.d/public_ip.txt

for IP in $(cat /etc/init.d/public_ip.txt);
do
  # Skip anything that is not a dotted-quad address (e.g. an HTML error page from the lookup).
  case "$IP" in ''|*[!0-9.]*) continue ;; esac
  # DNAT: traffic for the public IP is rewritten to the internal servers.
  # Note that this exposes SSH (24, 25), MySQL (3306) and RDP (3389, 3390) directly to the Internet.
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport   24 -j DNAT --to-destination 192.168.1.26:22;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport   25 -j DNAT --to-destination 192.168.1.168:22;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport   80 -j DNAT --to-destination 192.168.1.21:81;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport  444 -j DNAT --to-destination 192.168.1.21:444;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 3306 -j DNAT --to-destination 192.168.1.26:3306;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9000 -j DNAT --to-destination 192.168.1.21:9000;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9001 -j DNAT --to-destination 192.168.1.21:9001;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 9002 -j DNAT --to-destination 192.168.1.21:9002;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.21:3389;
  iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 3390 -j DNAT --to-destination 192.168.1.26:3389;

  # POSTROUTING: hairpin (reflection) SNAT for LAN clients that reach the servers
  # via the public IP. Of the two rules tried before, "-d 192.168.1.21" works but
  # only for that one server, and "-d 192.168.254.2" matches the router's own WAN
  # address, which forwarded traffic never carries, so it never fires. Matching
  # connections that were DNATed above covers every forward with one rule.
  # br-lan is the OpenWrt default LAN bridge; adjust if yours differs.
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o br-lan -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.1;
done
}

stop() {
  rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
  /etc/init.d/firewall stop
  /etc/init.d/firewall start
}

disable() {
  rm -f /etc/init.d/public_ip.txt > /dev/null 2>&1
  rm -f /etc/rc.d/K9999fwrules > /dev/null 2>&1
  rm -f /etc/rc.d/S9999fwrules > /dev/null 2>&1
  /etc/init.d/firewall stop
  /etc/init.d/firewall start
}

restart() {
  stop
  start
}
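To make the two paths jeff lists above (outside hosts DNATed twice, inside hosts hairpinned on the OpenWrt box) concrete, and to answer the open question about the POSTROUTING part of the script, here is an added example written for this page. It is not Jan's script or anything shipped with OpenWrt. It assumes a LAN of 192.168.1.0/24 on the bridge br-lan with the router at 192.168.1.1 (the bridge name is an assumption; the addresses are from the thread), takes the public IP as an argument instead of fetching it, and uses 203.0.113.7 as a constructed example address. It goes a little beyond the script: it validates the address before building rules, derives the hairpin SNAT from conntrack's DNAT state so one rule covers every forward, and applies rules idempotently.

```shell
#!/bin/sh
# Added example, not code from the thread: build the nat rules for a set of
# port forwards on a double-NATed OpenWrt box and make a LAN client's
# connection to the public IP work ("hairpin"/reflection). Print mode shows
# the rules; "apply" installs them idempotently.
#
# Assumptions (not stated in the thread): the LAN bridge is br-lan, the LAN is
# 192.168.1.0/24 with the router at 192.168.1.1, and the public IP is passed
# in by the caller instead of being fetched inside this script.

LAN_NET=192.168.1.0/24
LAN_IP=192.168.1.1
LAN_IF=br-lan

# Forward table, "<public port> <internal host> <internal port>" per line.
# Constructed here from a subset of the thread's forwards.
FORWARDS='
24   192.168.1.26  22
80   192.168.1.21  81
444  192.168.1.21  444
3389 192.168.1.21  3389
'

# Accept only a dotted-quad IPv4 address. A failed lookup (empty answer, HTML
# error page) must never be spliced into an iptables rule.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  _ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Print one iptables argument list per line for the given public IP.
# - PREROUTING DNAT per forward, as in the thread's script. A LAN client that
#   connects to the public IP sends the packet to the router (its gateway),
#   so it passes this chain and is DNATed just like a packet from the ISP.
# - One POSTROUTING SNAT for connections that were DNATed and leave on the
#   LAN again: the server then sees the router as the client and replies via
#   the router, which un-DNATs. Without it the server answers the client
#   directly from its own address, the client expected the public IP, and
#   the TCP handshake fails. This is what OpenWrt's 'option reflection' does
#   for a config redirect.
gen_rules() {
  pub=$1
  is_ipv4 "$pub" || { printf 'not an IPv4 address: %s\n' "$pub" >&2; return 1; }
  printf '%s\n' "$FORWARDS" | while read -r pport host iport; do
    [ -n "$pport" ] || continue
    printf '%s\n' "-t nat -A PREROUTING -d $pub -p tcp --dport $pport -j DNAT --to-destination $host:$iport"
  done
  printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -o $LAN_IF -m conntrack --ctstate DNAT -j SNAT --to-source $LAN_IP"
}

# Install the rules. Each one is first probed with -C (check) and only
# appended when absent, so re-running after a public IP change or a firewall
# reload does not stack duplicates the way a plain -A loop does.
apply_rules() {
  gen_rules "$1" | while read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086  # word splitting is intended here
    iptables $check 2>/dev/null || iptables $rule
  done
}

# Usage:  sh hairpin.sh 203.0.113.7          print the rules
#         sh hairpin.sh 203.0.113.7 apply    install them
if [ -n "${1:-}" ]; then
  if [ "${2:-}" = apply ]; then apply_rules "$1"; else gen_rules "$1"; fi
fi
```

Run it in print mode first and compare the output with what the init script installs; the only real difference is the POSTROUTING line. The `--ctstate DNAT` match is the reason a single SNAT rule is enough: it fires only on connections the PREROUTING rules rewrote, so ordinary LAN traffic through the router is untouched.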

The issue isn't entirely clear to me, but if you just put your public IP on your lo interface as a /32, doesn't that solve all the problems with hairpin NAT?

It looks like you are solving the problem from the wrong side, because according to those port forwards you should set up a VPN.

And if you want to access a service by the same name from LAN and WAN without a VPN, just rebind it to the LAN IP address on your LAN DNS server.