Accessing a website via the webservers public IP from a PC within the same LAN

ip nat router loopback

Here is an example. Some routers, like the Neufbox4 (a router provided by a french ISP) are running Linux. On these routers the program "iptables" is used to configure NAT behavior (iptables is some sort of swiss-army knife for Linux networking).

Suppose you have a webserver (port TCP 80) behind your router listening on LAN address 192.168.0.2 and you add a port mapping (redirection) for it. This translates to something like this in iptables's terms:

iptables -t nat -A PREROUTING -i wan -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the WAN interface directed at TCP port 80, send it to 192.168.0.2". Which is exactly what you want. All is fine... for now.

You have to understand that the IP address associated with the WAN interface of the router is your public Internet address. For example, if your Internet IP is 1.2.3.4, then the "wan" interface on the router has IP address 1.2.3.4.

Now suppose you're trying to access your webserver from your LAN, say from your personal computer at address 192.168.0.3, using your own Internet address. So for example, you type "http://1.2.3.4/" in your browser.

What happens is that your computer will send a packet directed to 1.2.3.4, TCP port 80, on the LAN. The router will receive this packet. But it will not redirect it to 192.168.0.2. Why? Because the iptables rule above only deals with packets coming in on the WAN interface, not from the LAN!

So what will happen then? Well, it depends on other networking rules on the router. Generally speaking one of two things will happen:

  • Either the router will see a packet directed at itself (remember, 1.2.3.4 is one of the IP addresses of the router, so this is perfectly normal). On most routers there is a web server listening on port 80 for the administration interface. Consequently, this webserver will handle the packet, not the webserver on your LAN, and you get the administration interface instead of your website.

  • Or the router will drop the packet for some reason, simply because it doesn't know how to handle a packet directed at its WAN address on its LAN port.

Technically, the solution is very simple, it consists in a iptables rule of the form:

iptables -t nat -A PREROUTING -i lan -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the LAN interface directed at TCP port 80, AND with a destination address of 1.2.3.4, send it to 192.168.0.2". This is what you would call "NAT loopback".

However, most router manufacturers are obviously not aware of the issue and didn't put this rule (or the equivalent in the router proprietary system) into their product...

Related

How to install Windows 7 x64 on GPT?
some keyboard keys not working properly
Keeping up to date with updates? [closed]
Firefox on Mac: Slow, slow, slow
Windows 8 Upgrade Failed - No Error Info
Extracting Data Between two Characters in Excel
3-4 old computers = general purpose cluster?
Changing hard disk with ssd, can I migrate contents so that I can switch drives without a hassle?
How do you write an Excel formula that will paste a specific value in a different cell?
How to add item to right-click menu when NOT selecting a folder or file? [duplicate]
How do I extend the size of an NTFS partition?
Is it safe to operate a laptop without battery?