# view my websites on local network

## cowboy0629

Hi all, I am having an issue with my web server. I can view my websites from the internet but I am not able to view them from my local machines....

I have 3 sites on my server..

if I type in 192.168.0.1  / or my external IP ADDRESS --> I get my local website that shows me statistics of my internet connection and other stats of my network

when on a computer on the local network if I type in the browser

(local network)

http://cowboy0629.ddns.net   --> This site can’t be reached  cowboy0629.ddns.net refused to connect.

http://needfulthings.ddns.net --> This site can't be reached needfulthings.ddns.net refused to connect.

(external network ie. Phone/work computer/friends house etc..)

Sites Connect as wanted

Can someone help me get it to work on the internal network? I believe I have them set up as virtual servers, so each address Apache sees it sends to the website for that address..

Thanks in advance 

Mike Dennison

Last edited by cowboy0629 on Tue Feb 14, 2017 12:41 pm; edited 2 times in total

----------

## eccerr0r

How is your router set up?  What is your router?

There are some routers out there that, with stock firmware, do not redirect packets back into your network and thus exhibit behavior like what you see here.  I recall my old Actiontec GT701 or something like that having this issue if not set up properly (it's a DSL router/modem). I don't recall exactly what I did to "solve" this issue; part of the problem is that I run a pfSense router now instead of using the DSL router.

----------

## cowboy0629

My router is Gentoo and I'm using dnsmasq with it to handle my DHCP clients on my network.

So I'm thinking I may have to change something in my iptables from what you are saying  :(

I use a script file so if I change something and it doesn't work I can change the iptables back quickly; my family members tend to get real upset if the internet goes down for more than a couple of minutes.

```
#!/bin/bash
#
#       JUNE 26 2016
#
### This *has* to be loaded, or no NAT!!!
modprobe ipt_MASQUERADE

#WAN (eth0=enp0s25) --> Outside Network
#export WAN="enp0s25"
export WAN="ppp0"

#LAN (eth1=enp17s0) --> Inside Network
export LAN="enp17s0"

#Other Variables
export SSHD_PORT="28"
export HTTP_PORT="80"
export MYSTIC_TELNET_PORT="2320"
export MYSTIC_SSH_PORT="2820"
export MYSTIC_FTP_PORT="2120"
#export SBBS_TELNET_PORT="2321"
#export SBBS_FTP_PORT="21"
#export SBBS_HTTP_PORT="8081"
#export SBBS_SSH_PORT="2821"

#Flush current rules
iptables -F
iptables -t nat -F
iptables -X

#Setup default policies to handle unmatched traffic
#iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Locks Services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

#Allow access to the ssh server from the WAN
iptables -A INPUT -p tcp --dport ${SSHD_PORT} -j ACCEPT

#Apache WebServer Rules
iptables -A INPUT -p tcp --dport ${HTTP_PORT} -j ACCEPT

#Drop TCP/UDP packets to privileged Ports:
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Add NAT Rules
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Port Forwarding
# (Forward Outside to GW2)
#iptables -t nat -A PREROUTING -p tcp --dport 28 -i ${WAN} -j DNAT --to 192.168$
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168$

#BBS RULES
##MYSTIC BBS
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_TELNET_PORT} -i ${WAN} -$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_SSH_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport ${MYSTIC_FTP_PORT} -i ${WAN} -j D$
#iptables -t nat -A PREROUTING -p tcp --dport 8080 -i ${WAN} -j DNAT --to 192.1$
#iptables -t nat -A PREROUTING -p tcp --dport 2320 -i ${WAN} -j DNAT --to 192.1$

##SBBS
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_SSH_PORT} -i ${WAN} -j DNA$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_TELNET_PORT} -i ${WAN} -j $
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_HTTP_PORT} -i ${WAN} -j DN$
#iptables -t nat -A PREROUTING -p tcp --dport ${SBBS_FTP_PORT} -i ${WAN} -j DNA$

#VNC RULES
##GW2
###Mike
iptables -t nat -A PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p tcp --dport 5801 -i ${WAN} -j DNAT --to 192.16$
#iptables -t nat -A PREROUTING -p tcp --dport 6001 -i ${WAN} -j DNAT --to 192.1$

#Xbox Live (Rules for my XboxOne and Xbox360)
iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.$
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 53 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.16$
##iptables -t nat -A PREROUTING -p udp --dport 500 -i ${WAN} -j DNAT --to 192.1$
iptables -t nat -A PREROUTING -p udp --dport 3544 -i ${WAN} -j DNAT --to 192.16$
iptables -t nat -A PREROUTING -p udp --dport 4500 -i ${WAN} -j DNAT --to 192.16$

#Inform the kernel that IP forwarding is OK:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#Instruct the IPtables daemon to save the changes to the rules
/etc/init.d/iptables save
```

----------

## eccerr0r

Are you getting "connection refused" or "timeout" ?

What happens if you remove the forward drop rule...at least as a test?

```
#iptables -P FORWARD DROP 
```

What is the router configuration - is it a plain router where it has a public IP address and forwards only private addresses?

When I was using a regular Linux box as a "plain" router (IP addresses/networks on each interface are distinct, no bridging) I only had to run the masquerade command to let data flow through.  Of course incoming connections need their own firewall hole.

----------

## cowboy0629

On the home network I am getting connection refused when I try to connect to my Apache server from my local network.. but I can connect from the outside in to the websites.. I will try changing that line once I get home; I don't want to get locked out..

----------

## eccerr0r

OK, connection refused versus connection timeout is a key hint.  Which means that your home network machines are trying to connect to something, but what...  It also means that that DROP line isn't the issue, as if the packet was dropped, it would be a connection timeout...

What is the IP address of the vhosts' fqdn that your inside network picked up?

Is your webserver listening to that address?

----------

## cowboy0629

 *eccerr0r wrote:*   

> Are you getting "connection refused" or "timeout" ?
> 
> What happens if you remove the forward drop rule...at least as a test?
> 
> ```
> ...

 

So I commented out the line like you suggested and I still got connection refused from the internal net... but could not access anything, including ssh, from the outside world..

Outside in would just sit like it was trying to load the webpage but nothing happened.

----------

## cowboy0629

 *eccerr0r wrote:*   

> OK, connection refused versus connection timeout is a key hint.  Which means that your home network machine are trying to connect to something but what...  It also means that that DROP line isn't the issue as if the packet was dropped, it would connection timeout...
> 
> What is the IP address of the vhosts' fqdn that your inside network picked up?
> 
> Is your webserver listening to that address?

 

I'm sorry, I'm not sure what you are asking... the Apache server is on my router if that helps, so 192.168.0.1, but when I type that in it brings up a page my friend made for me that tracks my network stats....

----------

## cowboy0629

These are my virtual host files

http://needfulthings.ddns.net

```
# Virtual Host For needfulthings.ddns.net
# Created 09/07/2016
# domain: needfulthings.ddns.net
# public: /var/www/public_html/needfulthings.ddns.net/

<VirtualHost *:80>
  # Admin email, Server Name (domain name) and any aliases
  ServerAdmin m.dennison@bell.net
  ServerName  needfulthings.ddns.net
  ServerAlias needfulthings.ddns.net

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html
  DocumentRoot /var/www/public_html/needfulthings.ddns.net/public

  # Custom log file locations
  LogLevel warn
  ErrorLog  /var/www/public_html/needfulthings.ddns.net/log/error.log
  CustomLog /var/www/public_html/needfulthings.ddns.net/log/access.log combined

  <Directory "/var/www/public_html/needfulthings.ddns.net">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
  </Directory>
</VirtualHost>
```

http://cowboy0629.ddns.net

```
# Virtual Host For cowboy0629.ddns.net
# Created 09/07/2016
# domain: cowboy0629.ddns.net
# public: /var/www/public_html/cowboy0629.ddns.net/

<VirtualHost *:80>
  # Admin email, Server Name (domain name) and any aliases
  ServerAdmin m.dennison@bell.net
  ServerName  www.cowboy0629.ddns.net
  ServerAlias cowboy0629.ddns.net

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html
  DocumentRoot /var/www/public_html/cowboy0629.ddns.net/public

  # Custom log file locations
  LogLevel warn
  ErrorLog  /var/www/public_html/cowboy0629.ddns.net/log/error.log
  CustomLog /var/www/public_html/cowboy0629.ddns.net/log/access.log combined

  <Directory "/var/www/public_html/cowboy0629.ddns.net">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
  </Directory>
</VirtualHost>
```

----------

## cowboy0629

I found this on a website.. it looks like what I might need to do to get it working on my internal network, BUT my external IP changes all the time; this is why I need to use a DDNS service.

https://httpd.apache.org/docs/2.4/vhosts/examples.html#page-header

> Serving the same content on different IP addresses (such as an internal and external address).
>
> The server machine has two IP addresses (192.168.1.1 and 172.20.30.40). The machine is sitting between an internal (intranet) network and an external (internet) network. Outside of the network, the name server.example.com resolves to the external address (172.20.30.40), but inside the network, that same name resolves to the internal address (192.168.1.1).
>
> The server can be made to respond to internal and external requests with the same content, with just one <VirtualHost> section.
>
> ```
> <VirtualHost 192.168.1.1 172.20.30.40>
>     DocumentRoot "/www/server1"
>     ServerName server.example.com
>     ServerAlias server
> </VirtualHost>
> ```
>
> Now requests from both networks will be served from the same <VirtualHost>.
>
> Note: On the internal network, one can just use the name server rather than the fully qualified host name server.example.com.
>
> Note also that, in the above example, you can replace the list of IP addresses with *, which will cause the server to respond the same on all addresses.

----------

## cowboy0629

Thank you eccerr0r for your help on this problem.. I figured out how to fix this problem so I can test my websites on local machines... I hate when people mark a thread solved but don't tell us how it was solved, so here goes.. The fix was simple.

To get your local networked machines to see the websites on the Apache virtual hosts, add these lines to your hosts file:

```
nano /etc/hosts

192.168.0.1     <web-address A>
192.168.0.1     <web-address B>
```

Change 192.168.0.1 to YOUR APACHE WEB-SERVER ADDRESS, and change <web-address A> to the address you assigned to your virtual hosts, e.g. needfulthings.ddns.net.

----------

## eccerr0r

Ah yeah that would do it.  Crap, wish there was an easy way to detect /etc/hosts issues.  Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...

But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong...  That way if the external name changes IP, you'd automatically pick up the name as well.

----------

## cowboy0629

 *eccerr0r wrote:*   

> Ah yeah that would do it.  Crap, wish there was an easy way to detect /etc/hosts issues.  Looks like you changed from 192.168.0.1 to 192.168.1.1, slight but deadly change...
> 
> But in any case, it's probably best not to put in anything but local names into /etc/hosts if your DNS server is working, unless there's a specific need - like blocking access to websites by name or if your DNS is wrong...  That way if the external name changes IP, you'd automatically pick up the name as well.

 

I just realized that this did not work ... (it's ok for computers that never leave the house) but guess what, as soon as I took my laptop to work I was no longer able to access my websites until I commented out the newly added entries in the hosts file...

I have tried to set up a local dns server but have not had any luck.. any ideas what I may be doing wrong for this problem...

----------

## bbgermany

Hi,

what do you get in return to the following commands:

```

nslookup cowboy0629.ddns.net

nslookup needfulthings.ddns.net

```

from your local network? It seems like a little local resolving issue caused by your dnsmasq. Your Apache configuration is correct with *:80 or *:443, since you want all websites to listen on all interfaces.

Can you additionally post your /etc/nsswitch.conf please. Maybe there lays the issue according to your hostfile entries.

greets, bb

----------

## cowboy0629

From GW1 - Gentoo Router

```
mike@GW1 ~/ $ nslookup cowboy0629.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cowboy0629.ddns.net
Address: 76.69.25.182

mike@GW1 ~/ $ nslookup needfulthings.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   needfulthings.ddns.net
Address: 76.69.25.182
```

From a computer on Local network

```
mike@GW2 mike/ # nslookup cowboy0629.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cowboy0629.ddns.net
Address: 76.69.25.182

mike@GW2 mike/ # nslookup needfulthings.ddns.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   needfulthings.ddns.net
Address: 76.69.25.182
```

I didn't bother posting remote because I figured you probably already knew the answer to that...

should I have the auth-dns USE FLAG enabled ?

here is what I have installed for dnsmasq

```
mike@GW1 ~/ $ eix dnsmasq
[U] net-dns/dnsmasq
     Available versions:  2.76 {auth-dns conntrack dbus +dhcp dhcp-tools dnssec idn +inotify ipv6 lua nls script selinux static tftp LINGUAS="de es fi fr id it no pl pt_BR ro"}
     Installed versions:  2.75(19:54:19 05/18/16)(dbus dhcp inotify ipv6 nls -auth-dns -conntrack -dhcp-tools -dnssec -idn -lua -script -selinux -static -tftp LINGUAS="-de -es -fi -fr -id -it -no -pl -pt_BR -ro")
     Homepage:            http://www.thekelleys.org.uk/dnsmasq/doc.html
     Description:         Small forwarding DNS server
```

----------

## bbgermany

Hi,

I'm not familiar with dnsmasq, since I'm always using bind. But I think you should redo your firewall rules. At first you should restart with everything set to drop and then open up port by port, starting with ssh from the internal network.

```
#!/bin/bash

# define interfaces
WAN="ppp0"
LAN="enp17s0"

# flush rules
iptables -F
iptables -F -t nat

# drop all traffic except outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT

# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -p tcp --dport 22 -d ${LAN} -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d ${LAN} -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT

# allow already created connections (established, related)
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
```

Maybe this helps you a bit. You can continue with this.

greets, bb

----------

## cowboy0629

 *bbgermany wrote:*   

> Hi,
> 
> im not familiar with dnsmasq, since im always using bind. But i think you should redo your firewall rules. At first you should restart with all to drop and then open up port by port starting with ssh from the internal network.
> 
> ```
> ...

 

I will try this but usually when I change that iptables everything quits working.. let you know how things go in a few

----------

## cboldt

Howdy partner ...

From inside the LAN, you want `nslookup cowboy0629.ddns.net` to show your dnsmasq machine as the "Server", and you do NOT want LAN packets to run outside the router, then back to 76.69.25.182 (the other side of the router) ... you want the LAN traffic to stay on the LAN, 192.168.0/24 I think is what you are using.

This is "straight network traffic," and the firewalls in effect will be on the machine seeking to make an http (or https) connection (rarely an issue here), and the machine that is hosting http and https connections and serving webpages.  I don't think your gw1 (router) is also hosting web pages, but I am just assuming that.

Now that I think about it, I don't have a crystal clear picture of your network.  Mine is setup like this, looking in from the outside ...

CableModem (out of the picture to the LAN) -> ASUS Router [192.168.0.10 to the LAN]

ASUS Router has a fixed IP, asserted by itself, reinforced by dhcp server (dnsmasq) elsewhere.  ASUS router has dhcp functionality, turned OFF.  CableModem is 72.224.158.246 to the outside world, some timewarnercable name associated with it.  The machines on the LAN (including the dhcp server) are clueless about CableModem, but I know it as 192.168.100.1

ASUS Router sends packets for port 25, and a few others, to 192.168.0.1

ASUS Router sends packets for port 80 to 192.168.0.2

The IP addresses for ALL machines on 192.168.0/24 are at least tracked (and most are assigned) by dnsmasq running on 192.168.0.1 [hypoid].  The machine at 192.168.0.1 asserts a fixed IP from the get-go, in all ways.  The machine at 192.168.0.2 [involute] gets that IP address by dint of the IP-by-MACID thing you now know about, and it uses dhcp when starting the network.

ASUS Router gets 192.168.0.10, first by asserting it, itself, and also by these lines in dnsmasq.conf (or its cousins) ...

```
dhcp-option=option:router,192.168.0.10

dhcp-host=e0:3f:49:9d:bd:08,router,192.168.0.10         # ASUS RT-AC66W (router)

host-record=router,router.curvate.net,192.168.0.10
```

Probably some belt and suspenders there, between asserting a fixed IP, etc. ... I think the reason for at least one of those lines is to insure any machine on the net  will receive "192.168.0.10" when asking `nslookup router`

So, other than ASUS router (and another ASUS dohicky used as an access point), and "hypoid," all the machines use dhcp to get a network address.  Some of the machines get a predictable address, and need a predictable LAN address because "router" sends certain packets from the outside to fixed IPs.

192.168.0.1 [hypoid] gets and serves mail, and is the sshd point of contact with the outside

192.168.0.3 [hypoid-2] is a honeypot

----------

## cowboy0629

Hi .. well, I tried the above iptables rules and they did not return to the prompt when I ran them, and locked everyone out of the network, internal and external...

cboldt 

You are helping me with the dnsmasq as well..

but my network is

```
BELL ADSL MODEM --> GW1 (Gentoo Home Router) --> LAN
                                                  ACER (GENTOO LAPTOP)
                                                  GW2 (DESKTOP GENTOO)
                                                  IMAC
                                                  1 WINBLOWS LAPTOP
                                                  1 WINBLOWS DESKTOP
                                                  4 SMART TV / XBOXES / WII etc
                                                  TP-LINK WIRELESS ROUTER (set in bridge mode) for wireless connections
```

The APACHE server is running on GW1 ... I'm now beginning to wonder if this might have been a mistake and maybe I should be moving it to another machine??

----------

## cboldt

You can run the router and webserver on the same machine, no sweat.

I'm going to check the other thread, but in case the info isn't there, do I have these parts correct:

gw1 is at 192.168.0.1, acts as DNS and webserver and router for 192.168.0/24

gw1 has a fixed IP due to /etc/conf.d/net (or whatever you use to bring the interface up)

gw2 and some other machines have a "quasi-fixed" IP address, assigned by dnsmasq running out of gw1

gw2 and some other machines start network interface using dhcp

Out of curiosity, how does the Bell modem connect to gw1?  USB?

----------

## cowboy0629

Correct for GW1...

There are 2 Ethernet cards in GW1:

```
enp17s0 = 192.168.0.1 (internal network)
enp0s25 = DYNAMIC IP (BELL MODEM) PPPoE
```

Once GW1 connects via PPPoE, enp0s25 gets changed to ppp0:

```
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::52e5:49ff:fe71:c030  prefixlen 64  scopeid 0x20<link>
        ether 50:e5:49:71:c0:30  txqueuelen 1000  (Ethernet)
        RX packets 385534  bytes 544405091 (519.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 251237  bytes 22394440 (21.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xfc800000-fc820000

enp17s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::32b5:c2ff:fe00:7efb  prefixlen 64  scopeid 0x20<link>
        ether 30:b5:c2:00:7e:fb  txqueuelen 1000  (Ethernet)
        RX packets 252865  bytes 20420397 (19.4 MiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 386310  bytes 539841345 (514.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 74.12.68.106  netmask 255.255.255.255  destination 10.11.3.121
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 385493  bytes 534379553 (509.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 251185  bytes 15860019 (15.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Correct, GW2 and the other machines are connecting via DHCP.. I was manually configuring them as STATIC but got tired of keeping track of all the machines, phones, tablets etc., so I changed DNS to allow 20 DHCP LEASES for friends and family that come over etc.. I've been slowly adding all local devices to assign a static address by MAC address.

Bell Modem connects enp0s25 ethernet

----------

## cboldt

Thanks for the details on network setup.

That suggested iptables setup above has a couple of big mistakes in it.  The "-d ${LAN}" parameter will throw an error.

"-d" is "destination IP [address] or network [address]".  Your LAN is 192.168.0/24

"-i" is "interface [device]"

Seeing as how you have two separate interface devices, the port opening firewall rules for gw1 (this is the only machine that has two interface devices) according to the example should be ...

```
# basic rules for accessing the internet and the server from your lan
iptables -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${LAN} -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# start allowing access to ssh/http from outside
iptables -A INPUT -i ${WAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ${WAN} -p tcp --dport 80 -m state --state NEW -j ACCEPT
```

Those port rules assume you use port 22 for sshd, and also don't have an opening for https.

Also, gw1 is doing DNS for packets sent to IT (192.168.0.1), and is doing DHCP for the rest of the network, so it needs to open ports for those services to work.  DNS queries are sent to port 53 of a definite single IP address (the nameserver machine); DHCP is a little more complicated, but opening ports 67 and 68 gets the job done.  DHCP is a little more complicated because the requesting machine, knowing ZERO about the network, broadcasts its request to 255.255.255.255.
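A complete version of the ruleset sketched in the two posts above, as an added example (not code from the thread or any of its posters): default-deny INPUT and FORWARD, the `-i ${LAN}` interface matches, DNS and DHCP opened on the LAN side, and the conntrack rules without which the LAN can send but never receives replies (return packets from the internet carry a public source address, so a FORWARD rule matching `-s 192.168.0.0/24` never sees them). It takes the interface names, the 192.168.0.0/24 LAN and port 28 for sshd from the first script in the thread; the `DRY_RUN` mode, the backup path and the rollback timer are this example's own additions, the last one because several posts mention being locked out while testing rules.

```shell
#!/bin/bash
# Added example, not code from the thread: a default-deny ruleset for a
# two-interface Linux router such as GW1.
# Assumptions taken from earlier posts: WAN is ppp0, LAN is enp17s0 on
# 192.168.0.0/24, sshd listens on 28, Apache on 80 on the router itself.
# DRY_RUN, the backup path and the rollback timer are this example's own.
set -u

WAN="ppp0"
LAN="enp17s0"
LAN_NET="192.168.0.0/24"
SSHD_PORT="28"
HTTP_PORT="80"
BACKUP="/root/iptables.rollback"   # assumed path for the pre-change rule dump

# With DRY_RUN=1 every rule is printed instead of applied, so the set can be
# read (or checked) on a machine that has no iptables at all.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny for traffic to the router and through it; the router
    # itself may open connections freely.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections the router opened (dnsmasq
    # forwarding queries upstream, emerge, ...), before any per-port rule.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Services the LAN needs from the router. DHCP discovers arrive as
    # broadcasts from 0.0.0.0 to 255.255.255.255:67, so they are matched by
    # interface (-i), never by a destination address.
    ipt -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 67:68 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport "$SSHD_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport "$HTTP_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -p icmp -j ACCEPT

    # Services published to the internet. Everything else arriving on the
    # WAN is dropped, including high ports, which an INPUT ACCEPT policy
    # with only a 0:1023 drop rule would leave reachable.
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSHD_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport "$HTTP_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Routing: LAN may go out, and replies to those connections (and to any
    # DNAT'd port forward) may come back in.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Apply with a safety net against lock-out: dump the working rules, schedule
# their restore in two minutes, then load the new set. Once a fresh ssh
# session from the LAN and from outside works, kill the sleeper; if it does
# not, wait and the old rules come back by themselves.
apply_with_rollback() {
    iptables-save > "$BACKUP"
    ( sleep 120 && iptables-restore < "$BACKUP" ) &
    echo "rollback scheduled as pid $!; kill it once you have confirmed access"
    firewall_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  DRY_RUN=1; firewall_rules ;;
    apply) apply_with_rollback ;;
esac
```

Run `./firewall.sh show` first and read the printed rules, then `./firewall.sh apply` from a console on the LAN side, and kill the rollback sleeper only after a new ssh session from both sides succeeds. Port forwards to other LAN hosts go in as `-t nat -A PREROUTING -i "$WAN" ... -j DNAT` rules as in the first script; the FORWARD conntrack rule above already lets their packets through once DNAT has rewritten them.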

----------

## gordonb3

The proper iptables rules to do this are:

```
iptables -t nat -A PREROUTING -p tcp -d ${WAN_IP} -s ${LAN_NET} --dport 80  -j DNAT --to-destination ${INTERNAL_IP}
iptables -t nat -A POSTROUTING -p tcp -d ${INTERNAL_IP} -s ${LAN_NET} --dport 80  -j MASQUERADE
```

Yes, this will require that you reload your firewall rules when the external IP changes. You can do this by adding a DHCP exit hook.

Alternative:

If you use dnsmasq as your internal DHCP and DNS server, you can make that include a secondary hosts file ('addn-hosts') in which you map your ddns names straight to the internal server.
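Both approaches from this post, and the hosts-file fix posted earlier, as an added example that is not code from the thread: the hairpin rules kept in their own nat chains and refreshed from a pppd ip-up hook (the WAN here is PPPoE, so the public address changes on reconnect rather than through a DHCP lease, and the hook is the PPPoE equivalent of the DHCP exit hook), and the dnsmasq addn-hosts alternative. It assumes the 192.168.0.0/24 LAN and a web server at 192.168.0.1 from earlier posts, that Gentoo's /etc/ppp/ip-up passes pppd's arguments through to scripts in /etc/ppp/ip-up.d/, and an addn-hosts path of its own choosing.

```shell
#!/bin/bash
# Added example, not code from the thread: the two ways discussed above of
# reaching a vhost by its public name from inside the LAN.
#   1. hairpin NAT, installed from a pppd ip-up hook so the rules follow the
#      dynamic PPPoE address;
#   2. split-horizon DNS through a dnsmasq addn-hosts file, which needs no NAT.
# Assumptions not taken from the posts: the LAN is 192.168.0.0/24, the web
# server sits at 192.168.0.1, the hook is installed under /etc/ppp/ip-up.d/
# and receives pppd's arguments (interface, tty, speed, local IP, remote IP,
# ipparam), and the addn-hosts path below.
set -u

LAN_NET="192.168.0.0/24"
INTERNAL_IP="192.168.0.1"
WAN_IFACE="ppp0"
ADDN_HOSTS="/etc/dnsmasq.d/local-vhosts.hosts"   # named by addn-hosts= in dnsmasq.conf

# With DRY_RUN=1 rules are printed instead of applied.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# The hairpin rules live in their own nat chains so they can be replaced on
# every address change without reloading the rest of the firewall. The jumps
# are deleted and re-added so there is always exactly one of each.
hairpin_rules() {
    wan_ip="$1"
    for hook in PREROUTING POSTROUTING; do
        ipt -t nat -N "HAIRPIN_$hook" 2>/dev/null || true
        ipt -t nat -F "HAIRPIN_$hook"
        ipt -t nat -D "$hook" -j "HAIRPIN_$hook" 2>/dev/null || true
        ipt -t nat -A "$hook" -j "HAIRPIN_$hook"
    done
    # LAN client -> <public IP>:80 is rewritten to the internal server ...
    ipt -t nat -A HAIRPIN_PREROUTING -s "$LAN_NET" -d "$wan_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$INTERNAL_IP"
    # ... and the source is masqueraded, so the server's reply goes back via
    # the router and is un-NATed there. Otherwise the server answers the
    # client directly, the client sees a reply from an address it never
    # talked to, and the connection is reset.
    ipt -t nat -A HAIRPIN_POSTROUTING -s "$LAN_NET" -d "$INTERNAL_IP" -p tcp --dport 80 \
        -j MASQUERADE
}

# pppd calls ip-up as: ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
ip_up_hook() {
    [ "$1" = "$WAN_IFACE" ] || return 0
    hairpin_rules "$4"
}

# Alternative without NAT: map the public names to the LAN address in a file
# dnsmasq serves to LAN clients. The mapping lives on the router, so a laptop
# that leaves the house resolves the names normally elsewhere, which a
# per-machine /etc/hosts entry cannot do.
write_addn_hosts() {
    out="$1"; shift
    : > "$out"
    for name in "$@"; do
        printf '%s %s\n' "$INTERNAL_IP" "$name" >> "$out"
    done
    # dnsmasq re-reads its addn-hosts files on SIGHUP
    [ "${DRY_RUN:-0}" = "1" ] || pkill -HUP -x dnsmasq || true
}

# When run by pppd there are at least five arguments; do nothing otherwise.
if [ $# -ge 5 ]; then
    ip_up_hook "$@"
fi
```

The NAT route is only needed when the server is a host behind the router; when Apache runs on the router itself, as here, a LAN client's packet to the public address already terminates on the router and only has to pass an INPUT rule that accepts it on the LAN interface, so the DNS route is the simpler one. Either way, `DRY_RUN=1 ./hairpin.sh ppp0 x 0 <wan-ip> <peer-ip> ''` shows exactly what the hook would install before it is wired in, and `write_addn_hosts "$ADDN_HOSTS" needfulthings.ddns.net cowboy0629.ddns.net` produces the file the `addn-hosts=` line points at.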

----------

## bbgermany

 *cboldt wrote:*   

> Thanks for the details on network setup.
> 
> That suggested iptables setup above has a couple big mistakes in it.  The "-d ${LAN}" parameter will throw an error.
> 
> "-d" is "destination IP [address] or network [address]"  Your LAN is 192.168.0/24
> ...

 

Darn, thank you, you're right. I overlooked this as I wrote it (note to myself: only do one thing at a time...)  ;)

greets, bb

----------

