OpenWrt Forum Archive

Topic: Redirect web traffic to server on LAN

The content of this topic has been archived on 2 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am trying to configure my router to redirect all outgoing web traffic to a server on my LAN.  I have configured the server to listen on port 8080 and set up a rewrite rule so that all requests return a page.  I'm trying to configure the firewall to redirect the packets, but I'm a noob with iptables.  Here's the rule I'm trying to use:

iptables -t nat -A prerouting_lan -p tcp -s 192.168.1.251 --dport 80 -j DNAT --to-destination 192.168.1.100:8080

I think I'm just missing something simple due to a lack of understanding of netfilter.

My nat table is basically stock, except 3 ports forwarded from the wan.

root@OpenWrt:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
zone_wan_prerouting  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
prerouting_rule  all  --  anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
postrouting_rule  all  --  anywhere             anywhere            
zone_wan_nat  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain postrouting_rule (1 references)
target     prot opt source               destination         

Chain prerouting_lan (1 references)
target     prot opt source               destination         
LOG        tcp  --  pyro.lan             anywhere            tcp dpt:80 LOG level warning 
LOG        tcp  --  pyro.lan             anywhere            tcp dpt:80 LOG level warning 

Chain prerouting_rule (1 references)
target     prot opt source               destination         

Chain prerouting_wan (1 references)
target     prot opt source               destination         

Chain zone_lan_nat (0 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination         
prerouting_lan  all  --  anywhere             anywhere            

Chain zone_wan_nat (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination         
prerouting_wan  all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere            tcp dpt:80 to:192.168.1.100:80 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:443 to:192.168.1.100:443 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:22 to:192.168.1.100:22

Since the clients and the proxy server are on the same network, the return traffic (server->client) won't go through the router and won't get NAT'ed (i.e. your clients are talking to an external IP and getting replies from 192.168.1.100).

To remedy this, try SNAT'ing traffic leaving the router destined for the server (via the POSTROUTING chain).  This will force the return traffic back through the router.  Something like:

iptables -t nat -A POSTROUTING -d 192.168.1.100 -j SNAT --to $ROUTER_LAN_IP

Hope this helps,
Charlie

Thanks for the suggestion ciscostu but it didn't do the trick for me.  I think I have an even bigger problem than needing to SNAT.  A tcp dump running on 192.168.1.100 shows no inbound packets even though a logging rule added to the PREROUTING chain shows the packets are indeed being DNATed.  Just to check to make sure I wasn't insane, I tried using the REDIRECT target instead of DNAT:

iptables -t nat -A prerouting_lan -p tcp --dport 80 -j REDIRECT --to-ports 8080

I then fired up an additional httpd listening on 8080 on my WRT and it worked.  This leads me to believe that either something is wrong with my DNAT rule, or DNAT is not working properly in Kamikaze.

(Last edited by imrook on 18 Dec 2009, 01:38)

http://wiki.openwrt.org/doc/uci/firewall

Not sure why everyone wants to use the iptables command for firewall stuff. Use what OpenWRT has built into it. I too believe you want a SNAT rule.

From reading the section in the link above about SNAT I believe you want to do something like this:

config redirect
        option src          lan
        option dest         wan
        option src_port     80
        option dest_ip      your-web-server
        option dest_port    8080

May need to play around with the src_port, dest_ip, etc but hopefully something like that works.

imrook wrote:

I tried using the REDIRECT target instead of DNAT:

Use REDIRECT and SNAT on redirected traffic.
You will be unable to identify the LAN client connected to your proxy, but it should work.

Just like imrook said, it's a common problem. Run a sniffer on a client machine in the LAN and see what happens with the packets.
With just REDIRECT or just DNAT you should see the SYN sent to the router's IP, but the SYN+ACK packet received from the proxy server's IP, which is obviously dropped by the client.

@cyrus_mc:  I actually tried the firewall config first, but it didn't work.  I then decided to switch to using iptables directly so I could be sure what the rules were.  I just reviewed the documentation and tried again with the following config:

config redirect
        option src              lan
        option proto            tcp
        option src_dport        80
        option dest_ip          192.168.1.100
        option dest_port        8080

Still no luck.  In my Google searches, I also found the following: https://dev.openwrt.org/ticket/2558  I do believe something is fundamentally broken with netfilter in OpenWRT.  For the short term, I have simply set up a lighttpd listening on 8080 on my WRT.  It achieves my immediate goal, but it is a bit disappointing to know that there is such a serious flaw in the "stable" OpenWRT release.

A good option is to put the proxy server in another network, but not necessarily physically. Then outgoing traffic from the LAN will be redirected to an IP in the other network (routed), and the reply will also go through the router. In that configuration you are able to see the IPs of client machines on the proxy server.

config:

router's br-lan IPs: 192.168.0.1/24,
                     192.168.5.1/24
proxy's IPs: 192.168.0.10/24 (proxy is accessible also in the usual way from the LAN),
             192.168.5.10/24 (and has an IP from another network, so traffic must be routed by the router)
LAN clients' IPs: 192.168.0.50-100/24

firewall rule: iptables -t nat -A prerouting_lan -p tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to 192.168.5.10:8080

imrook

I'm trying to do something similar but simpler: I just want to open WAN src port 80 and "redirect" it to the internal port 8080.
I have lighttpd listening on port 8080 and LuCI's webserver on the default port 80 for the internal network.

I have tried to do this with LuCI. But it seems that it doesn't work with a 'source_port' in 'rule'.

However, messing around with LuCI's firewall, I managed to get it working.
The only thing is that both port 80 and 8080 are open from wan/internet.
Both display the content of lighttpd.

From my internal network/LAN, LuCI's content is displayed on the default port 80, and lighttpd's on port 8080.

This is my config:

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option '_name' 'Website'
        option 'dest_port' '8080'

config 'redirect'
        option 'proto' 'tcp'
        option '_name' 'Website'
        option 'src' 'wan'
        option 'src_dport' '80'
        option 'dest_port' '8080'
        option 'dest_ip' 'myroutersip'

Edit: added the missing option 'dest_ip' 'myroutersip'

(Last edited by linuxb on 21 Dec 2009, 22:52)

@mrooveq:  That's a good idea!  I'll try that out when I get home and post my results here.  I'm hoping that will work, as lighttpd is consuming almost 5M of mem on my WRT to serve a single static HTML page.

@imrook: I tested that config some time ago. Although both router and proxy were running OpenBSD, it should work fine on Linux boxes too.
But as I remember now, the proxy must not have an IP from the LAN subnet, because the route for that network is on-link, so traffic won't be routed if it is not SNATed by the router. So you must decide: be able to log clients' IPs, or have easy access from the LAN subnet to the proxy machine.

Putting it on a different subnet isn't disturbing at all. For access by "network neighbourhood" from Windows, just run WINS on the router or even on the proxy and point to its address in the DHCP parameter for clients. Any other service is available just as if it were in the same subnet as the clients; the traffic is routed by the router.
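A small model of the reply-path problem described by ciscostu (reply bypasses the router unless SNATed) and by mrooveq (proxy on a second subnet, with no address in the LAN subnet). This is an added illustration, not code from the thread; the client/proxy/router addresses, the port 40000 and the 203.0.113.10 web server are constructed values.

```python
"""Model of the hairpin-NAT problem in this thread: a prerouting DNAT whose target sits on
the client's own subnet, and the two fixes (SNAT in POSTROUTING, or a proxy on a second subnet).
Added illustration, not code from the thread; all addresses are constructed."""
from ipaddress import ip_address, ip_network


def on_link(peer, host_subnets):
    """True when the host has a connected route covering peer, so it sends directly (bypassing the router)."""
    return any(ip_address(peer) in n for n in host_subnets)


def transparent_redirect(client, proxy, router_ip, snat, proxy_subnets):
    """Simulate one SYN / SYN+ACK exchange through a prerouting DNAT to proxy:8080.

    router_ip is the router address used as the SNAT source and as the proxy's gateway;
    proxy_subnets lists the subnets the proxy has an interface in.
    Returns (client_accepts_reply, source_address_the_proxy_logged).
    """
    subnets = [ip_network(s) for s in proxy_subnets]
    external = ("203.0.113.10", 80)                 # constructed public web server
    syn = {"src": (client, 40000), "dst": external}
    # PREROUTING (prerouting_lan): DNAT rewrites the destination; conntrack records the original tuple.
    conn = {"orig_src": syn["src"], "orig_dst": syn["dst"]}
    syn["dst"] = (proxy, 8080)
    # POSTROUTING: optional SNAT to the router's LAN address (ciscostu's suggestion).
    if snat:
        syn["src"] = (router_ip, 40000)
    logged_source = syn["src"][0]
    # The proxy answers the tuple it saw.
    synack = {"src": syn["dst"], "dst": syn["src"]}
    # The reply passes through the router only if it is addressed to the router itself
    # (SNAT case) or if its destination is off-link for the proxy (second-subnet case).
    reaches_router = synack["dst"][0] == router_ip or not on_link(synack["dst"][0], subnets)
    if reaches_router:
        # conntrack reverses both translations on the reply path.
        synack["src"], synack["dst"] = conn["orig_dst"], conn["orig_src"]
    # The client's TCP stack matches replies against the peer it contacted; a SYN+ACK from
    # 192.168.1.100:8080 does not match a socket talking to 203.0.113.10:80 and is dropped.
    client_accepts = synack["src"] == external and synack["dst"] == conn["orig_src"]
    return client_accepts, logged_source


if __name__ == "__main__":
    # Thread's original layout: everything on 192.168.1.0/24, no SNAT -> reply bypasses the router.
    print(transparent_redirect("192.168.1.50", "192.168.1.100", "192.168.1.1", False, ["192.168.1.0/24"]))
    # Same layout with SNAT: works, but the proxy only ever logs the router's address.
    print(transparent_redirect("192.168.1.50", "192.168.1.100", "192.168.1.1", True, ["192.168.1.0/24"]))
    # Proxy only on 192.168.5.0/24: the reply is routed, and client IPs are preserved.
    print(transparent_redirect("192.168.0.50", "192.168.5.10", "192.168.5.1", False, ["192.168.5.0/24"]))
```

Giving the proxy an address in the LAN subnet as well (proxy_subnets containing both 192.168.0.0/24 and 192.168.5.0/24) makes the reply on-link again and reproduces the failure mrooveq describes.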

The discussion might have continued from here.