Access public IP from NAT.

Lloyd Kvam lkvam at venix.com
Fri Jun 5 08:04:19 EDT 2020


My approach has been to provide the external names to dnsmasq so that the names are attached to
the correct IP address at home and away.

I'm using an IQrouter (runs openWRT) which makes this pretty painless to set up.

To be clear:
from outside my office on the net
   $ host www.venix.com
www.venix.com has address 68.238.56.186

from in my office (I'm using the 172.x.x.x private address space as a holdover from running
Lede and the buffer bloat software)

   $ host www.lan
www.lan has address 172.30.42.28

   $ host www.venix.com
www.venix.com has address 172.30.42.28

That's not what you asked for, but it might fit your needs. With my openWRT based router, the
advanced menu provides Network / Hostnames, which supplements the DHCP name/address resolution in
dnsmasq. You can figure out the setup on your RasPi to add the required host entries.

(For those hosts that need to be visible to the broader Internet, I use port forwarding through
the firewall.)

On Fri, 2020-06-05 at 00:16 -0400, Ken D'Ambrosio wrote:
> Hey, all.  So I finally yanked my Comcast modem ("for reasons," largely
> having to do with lack of static routes), and put in my own cable modem,
> a WAP, and a RasPi-4 that's doing routing/NAT.  It all works great. 
> But... I have services exposed that I want to access on the public IP. 
> It works *great* from out there, but if I try to access the public IP
> from my NATted network, no dice.  And, sadly, if there's one Linux place
> where there's a truck-sized hole in my knowledge, it's IP Tables.  I've
> googled the Interwebs to no avail on what magic IPTables stuff would be
> needed to make it work.  Here's my current script:
> 
> root at ubuntu:/usr/local/bin# cat start-NAT.sh 
> #!/bin/bash
> export PUBLIC=eth1
> export PRIVATE=eth0
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o $PUBLIC -j MASQUERADE
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $PRIVATE -o $PUBLIC -j ACCEPT
> 
> =====================================================================================================
> root at ubuntu:/usr/local/bin# cat start-port-forwarding.sh 
> #!/bin/bash
> 
> export PRIVATE=eth0
> export PRIV_IP=192.168.10.1
> export PUBLIC=eth1 
> export JELLYFIN=192.168.10.12 
> 
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -p tcp --syn --dport 8096 -m conntrack --ctstate NEW -j ACCEPT
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $PRIVATE -o $PUBLIC -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -P FORWARD DROP
> iptables -t nat -A PREROUTING -i $PUBLIC -p tcp --dport 8096 -j DNAT --to-destination $JELLYFIN
> iptables -t nat -A POSTROUTING -o $PRIVATE -p tcp --dport 8096 -d $JELLYFIN -j SNAT --to-source $PRIV_IP
> =====================================================================================================
> If anyone could be kind enough to let me know what extra magic(tm) I
> need to employ to get at my public IP from inside, I'd be most
> interested to hear. 
> 
> Thanks! 
> 
> -Ken
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
-- 
Lloyd Kvam
5 Foliage View
Lebanon, NH 03766
802-448-0836
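As an added illustration of the two approaches discussed in this thread (this is not Lloyd's or Ken's script, and neither the IQrouter nor OpenWrt ships it), the shell snippet below shows both fixes side by side: Lloyd's split-horizon DNS, expressed as the dnsmasq `address=/name/ip` entries that the Network / Hostnames page ends up producing, and the iptables "hairpin" NAT that would let a LAN client reach the service through the public IP the way Ken asked. The public IP `203.0.113.10` and the `LAN_NET` value are constructed placeholders; the interface names and the Jellyfin address come from Ken's scripts. The rule-generating function prints the `iptables` commands instead of running them, so it can be read and checked without root.

```bash
#!/bin/sh
# Added example, not code from the thread. Two ways to reach a service hosted
# inside the NAT by its public name: split-horizon DNS and NAT hairpinning.
set -eu

# Constructed sample values. eth1/eth0 and 192.168.10.12:8096 mirror Ken's
# scripts; PUBLIC_IP and LAN_NET are assumed placeholders.
PUBLIC_IF="eth1"
PRIVATE_IF="eth0"
LAN_NET="192.168.10.0/24"
PUBLIC_IP="203.0.113.10"      # documentation-range placeholder, not a real host
SERVER_IP="192.168.10.12"
PORT=8096

# Option 1 (Lloyd's approach): split-horizon DNS. dnsmasq answers the public
# name with the inside address for LAN clients, so traffic never leaves the
# LAN and the server still sees the real client address in its logs.
# Reads "name ip" pairs on stdin and emits dnsmasq config lines.
dnsmasq_split_entries() {
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf 'address=/%s/%s\n' "$name" "$ip"
    done
}

# Option 2: hairpin NAT. A LAN packet to PUBLIC_IP:PORT is DNATed to the
# server, then source-NATed to the router so the reply goes back through the
# router instead of straight to the client (which would break the TCP session
# because the client expects the reply from PUBLIC_IP). The third rule is
# needed because Ken's FORWARD policy is DROP and his accept rules only match
# eth0->eth1, not eth0->eth0. Prints the commands (dry run) rather than
# applying them.
hairpin_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$PRIVATE_IF" "$LAN_NET" "$PUBLIC_IP" "$PORT" "$SERVER_IP"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$PRIVATE_IF" "$LAN_NET" "$SERVER_IP" "$PORT"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$PRIVATE_IF" "$PRIVATE_IF" "$SERVER_IP" "$PORT"
}

# Stand-alone usage: show the dnsmasq entry for the thread's example name and
# the dry-run hairpin rules.
printf '%s %s\n' "www.venix.com" "$SERVER_IP" | dnsmasq_split_entries
hairpin_rules
```

The trade-off worth knowing before picking one: the hairpin MASQUERADE rewrites the LAN client's source address to the router's, so Jellyfin's access log shows every inside user as the router, which makes any later incident review on that box harder; split DNS keeps the client addresses intact and also keeps the traffic off the NAT path entirely. The port-forward rule Ken already has on the public side stays as it is in either case.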