OpenWrt Forum Archive

Topic: Need help forwarding from LAN -> WAN ip address should go to DMZ host

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

The default behavior of Linksys firmware is that if the router receives a request destined for the WAN IP, but from within the LAN, then it gets forwarded to the DMZ host.  Unfortunately OpenWRT doesn't do this out of the box, and I'd like to set it up so that it does.  Let me give you a practical example.

I have a static IP provided to me by my DSL provider, let's call it "EXTIP" for short.  I run various servers (web, mail, chat, etc.) on one of my Linux machines *inside* the LAN -- let's say its IP address is "DMZHOST" for short.  And, as the above name implies, I had that box's IP address entered into the "DMZ Host" part of the Linksys firmware.

So, let's say J. Random Hacker, somewhere out there on the Internet, wants to view a web page on my server.  He browses to http://www.mydomain.com/, which resolves to EXTIP.  His machine then tries contacting EXTIP and the WRT54GS "answers."  It immediately discerns that this request should get forwarded to DMZHOST, and so it does.  Hacker gets his web page, and the world is happy.

Now, let's say someone who's on a laptop on my *internal* LAN goes to browse one of my web pages.  He can browse directly to its IP address (e.g. "http://DMZHOST/") and it works fine.  But what if he tries to use the "real" domain name, www.mydomain.com?  Well, he types that into his browser, and DNS resolves it to EXTIP.  So his laptop tries contacting EXTIP.  The Linksys box picks this up and says "Hey wait a minute, *I'm* EXTIP."  The way each firmware handles this special case is where I am having the problem.

In the case of the Linksys firmware, the router says "Ah, I have a DMZ host, might as well pass that request along" and hands it over to DMZHOST, which responds and fulfills the request.  But with OpenWRT, the WRT54GS *itself* tries to handle this request.

The practical upshot of all this is that, when I was running the old Linksys firmware, anyone, whether they be on or off my internal LAN, can browse to http://www.mydomain.com/ and get my not-really-that-lovely web page.  Now, with OpenWRT, people on the *outside* can see it just fine, but people *inside* the LAN get the weird small thttpd server that runs on the WRT itself.

I'm sorry if this sounds long-winded, but this is the only way I know of describing this problem.  I'm not too familiar with the whole concept of iptables, firewalls, port forwarding, etc. and I don't know all the "lingo."

I am using the default OpenWRT configuration, with the only change being that I enabled the following lines in /etc/firewall.user to set up the DMZ:

### DMZ (should be placed after port forwarding / accept rules)
iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to DMZHOST
iptables        -A forwarding_rule -i $WAN -d DMZHOST -j ACCEPT

I did not see this question in the FAQ or documentation, nor did I find anything when searching the forum archives.  (although the fact that I am not too familiar with the lingo and how to describe my problem probably hampered my search keyword effectiveness.)

Any and all help greatly appreciated.  Thanks!
Donald

You can disable the web server on the WRT and set up iptables rules that will allow your inside machines to hit your outside (WAN) address and have the traffic automatically forwarded to your web server. Now, I don't really like the term DMZ unless the machine(s) in the DMZ are on a separate subnet and separated from the LAN devices at the layer 2 level and are in a completely separate security zone.  I used to run a dedicated Linux box with 3 NICs to do this. I just recently switched over to one of my WRT54G boxes. I took port 4 and put it in its own VLAN and assigned it an IP address in its own subnet and connect my DMZ machines to that port. This effectively gives me the 3 interfaces I need (WAN, LAN, and DMZ). I run the Shorewall firewall (nothing more than a wrapper for iptables) on my WRT, which I also previously ran on my dedicated Linux firewall box so all I had to do was basically copy my rules from the old firewall to the WRT. Here's the thread where I did that:

http://forum.openwrt.org/viewtopic.php?id=2438

The Shorewall rules will not do you any good unless you happen to use Shorewall but here are the ones that forward LAN devices to your DMZ machine through your WAN interface:

DNAT     net            dmz:172.16.214.5  tcp   80      -          $NET_IP
DNAT     loc            dmz:172.16.214.5  tcp   80      -          $NET_IP
DNAT     fw             dmz:172.16.214.5  tcp   80      -          $NET_IP

Where "NET_IP" is the IP address of the WAN interface and 172.16.214.5 is the IP address assigned to your server in your DMZ. Sorry I don't know the iptables rules off the top of my head and not knowing for sure I don't want to mess you up. Someone will surely have the answer. The above Shoreline rules forward web traffic through the WAN interface to the DMZ machine when coming in from the Internet, from the LAN or from the firewall itself. That way all machines hit the public (WAN) address and no special DNS magic is required.
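The iptables equivalent of the three Shorewall DNAT lines above, in the style of the /etc/firewall.user fragment from the first post, as an added example (this is not code from either poster or from OpenWrt). What the Linksys firmware does silently is hairpin NAT: a packet from the LAN addressed to EXTIP is DNATed to DMZHOST and, because client and server sit on the same subnet, its source must also be rewritten to the router's LAN address so the reply comes back through the router instead of going straight to the client with the "wrong" source address. The interface names (vlan1, br0), the addresses (203.0.113.10 as EXTIP, 192.168.1.0/24, 192.168.1.1, 192.168.1.10 as DMZHOST), the port list, the `postrouting_rule` chain and the `-m conntrack --ctorigdst` match are assumptions for the sake of the example; adjust them to the box. `IPT=echo` prints the rules instead of applying them, which is how the block is checked.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for a single published host, written for the
# prerouting_rule / forwarding_rule / postrouting_rule chains that the
# White Russian-era /etc/firewall.user hands to the user.
# Added example; interface names, addresses and ports below are assumed.

IPT="${IPT:-iptables}"                 # IPT=echo previews the rules without applying them

WAN="${WAN:-vlan1}"                    # assumed WAN interface
LAN="${LAN:-br0}"                      # assumed LAN bridge
WAN_IP="${WAN_IP:-203.0.113.10}"       # "EXTIP" (documentation address, placeholder)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet
LAN_IP="${LAN_IP:-192.168.1.1}"        # router's own LAN address, used as hairpin source
DMZHOST="${DMZHOST:-192.168.1.10}"     # the server inside the LAN
PORTS="${PORTS:-80 443 25}"            # publish only the services actually run, not every port

hairpin_rules() {
    for p in $PORTS; do
        # 1. Internet -> EXTIP:p goes to DMZHOST (the thread's DMZ rule, but per port).
        $IPT -t nat -A prerouting_rule -i "$WAN" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZHOST:$p"
        # 2. LAN -> EXTIP:p is rewritten the same way; this is the step OpenWRT lacks.
        #    PREROUTING runs before the routing decision, so the packet never reaches
        #    the router's own thttpd on port 80.
        $IPT -t nat -A prerouting_rule -i "$LAN" -s "$LAN_NET" -d "$WAN_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZHOST:$p"
        # 3. Let the forwarded traffic through from either side.
        $IPT -A forwarding_rule -i "$WAN" -d "$DMZHOST" -p tcp --dport "$p" -j ACCEPT
        $IPT -A forwarding_rule -i "$LAN" -o "$LAN" -d "$DMZHOST" -p tcp --dport "$p" -j ACCEPT
    done
    # 4. Only for connections whose original destination was EXTIP (the hairpinned ones),
    #    rewrite the source to the router's LAN address so DMZHOST replies via the router.
    #    Direct connections to http://DMZHOST/ keep the real client address.
    $IPT -t nat -A postrouting_rule -o "$LAN" -s "$LAN_NET" -d "$DMZHOST" \
        -m conntrack --ctorigdst "$WAN_IP" -j SNAT --to-source "$LAN_IP"
}

case "${1:-}" in
    apply)   hairpin_rules ;;               # . ./hairpin.sh apply   (as root, on the router)
    preview) IPT=echo hairpin_rules ;;      # sh hairpin.sh preview  (prints the rules)
esac
```

Two caveats a practitioner will care about. First, hairpinned connections arrive at DMZHOST with source 192.168.1.1, so the web and mail logs on that box can no longer tell LAN clients apart for those sessions; if the kernel lacks the `conntrack` match, the SNAT line has to drop the `--ctorigdst` condition and then every LAN client is hidden behind the router's address. Second, the cleaner fix for the symptom in the first post is split-horizon DNS, which is what the reply calls "DNS magic": have the router's dnsmasq answer www.mydomain.com with DMZHOST for LAN clients (an `address=/www.mydomain.com/192.168.1.10` line in dnsmasq.conf), and no hairpin rules are needed at all. Either way, the per-port list above is a narrower exposure than the blanket `-j DNAT --to DMZHOST` of the original DMZ rule, which hands every unsolicited WAN packet to the internal server.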
