This article describes a simple solution we came up with to for what must be a common problem for anyone hosting a website on a local network or at a hosting centre with a 1:1 NAT (Network Address Translation) or similar firewall.
What is a Private Network?
As well as the public IP addresses that we use every day (yours is 18.104.22.168 and ours 22.214.171.124) the RFC1918 specification cleverly allows for a number of private networks of various sizes:
|RFC1918 name||IP address range||number of addresses|
|24-bit block||10.0.0.0 – 10.255.255.255||16,777,216|
|20-bit block||172.16.0.0 – 172.31.255.255||1,048,576|
|16-bit block||192.168.0.0 – 192.168.255.255||65,536|
Many home users will be familiar with the 16-bit block range as a means for accessing the router control panel or talking to other devices in the local network.
The best way to get static IP on public place is using VPN, but still that wouldn’t be free as they keep logs and sell your data to companies or hackers for money. If you frequently travel outside and stay on public places for any reason better to use paid vpn and affordable cost to. A simple public IP address API that shows both IPv4 and IPv6 either separately or together. It can be setup in seconds inside your favorite language.
While everyone inside the local network can use these addresses they are not visible to the outside world. When someone else opens 192.168.0.1 they will see their router and not yours. The outside world can only see the public IP address that has been assigned to your Internet connection.
Description of the problem
From inside the private network each server or device is known only by it's private IP address and is always referenced using that address. Internal IP addresses are either assigned manually, or dynamically by the router using DHCP (Dynamic Host Configuration Protocol).
With a 1:1 NAT firewall setup, requests from outside the network are translated into requests for a local address. For example, a public IP address 204.8.XXX.6 might be converted to a local address 10.30.XXX.6, 204.8.XXX.7 mapped to 10.30.XXX.7 and so on.
A consequence of this is that from a server inside the network it's no longer possible to access the public IP address. So any HTTP requests for locally hosted websites will fail because a DNS lookup will return the public address which is unreachable.
This makes it very difficult to run a search spider over hosted websites or to trigger scripts using programs such as wget or cURL.
If you are hosting only a small number of domains then you can set up a local DNS server (BIND) mapping those domains to local IP addresses. You could also achieve this by editing /etc/hosts.
For a large number of domains, however, this is not really an option as it means twice as much work every time the DNS is updated.
Using NAT tables to get around a NAT firewall
Sure enough there's a simpler solution using iptables. We know that a request from the server itself (telnet, web browser or web spider for example) can't reach the external IP address, but that the same request using the internal address will get through.
Using the right routing rules we can translate those requests and it should all just work. After some experimentation what we came up with was the following rules and added them to the firewall script which runs on startup:
#!/bin/shIPTABLES='/sbin/iptables'$IPTABLES -t nat -A OUTPUT -d 204.8.XXX.6 -s 10.30.XXX.0/XX -j DNAT --to-destination 10.30.XXX.6$IPTABLES -t nat -A OUTPUT -d 204.8.XXX.7 -s 10.30.XXX.0/XX -j DNAT --to-destination 10.30.XXX.7...
(to see what was going we used the LOG option in iptables to monitor requests from the server ip address in each of the NAT chains. In this case requests appeared only in the OUTPUT chain and not in PREROUTING or POSTROUTING as they would for a router)
The above rules intercept any requests from our server (subnet 10.30.XXX.0/XX) directed at our public IP addresses, which would normally drop out or fail, and translates them into requests for the appropriate local IP address.
So an HTTP/1.1 request for www.the-art-of-web.com (204.8.XXX.6) is translated into a request for www.the-art-of-web.com (10.30.XXX.6) meaning that the server can handle it itself. You will need a separate rule for each external/internal address pair.
Essentially what we're doing is replicating the actions taken by the NAT firewall for external requests, only we're doing it for internal requests.
These rules are to allow a server behind a NAT firewall to make requests to itself using the public IP addresses. For router configuration you need to use a combination of DNAT, SNAT and Masquerading and there are loads of examples online.
Send a message to The Art of Web:
press <Esc> or click outside this box to close
User CommentsPost your comment or question
These instructions are on how to find out the external or internet IP address for a Unifi AP Access Point which is connected to a Unifi Controller in a remote site without a USG as it doesn’t show this information in the Unifi Controller itself.
From the Unifi Controller click on the Unifi AP
Click on tools in the right hand pane then under Debug Terminal click on Open Terminal
Type the following in to the Terminal Windows that Opens
How To Get Public Ip From Private Ip In Python
The Internet / External IP address is returned