Need help with iptables for non-router pixelserv

[pdc]

I am in the process of moving from a Diversion setup on the router to a Raspberry-pi based pi-hole setup. (If you're wondering why, my goal is to allow family members to access/view/update whitelists using a general web UI).

In conjunction with this I'd like to run a pixelserv-tls on the Raspberry Pi as well. I understand it is sort of abandonedware at this point, but I'd like to get this working before I decide whether to continue using it or not. I have pixelserv-tls running on the pi okay (https://github.com/jumpsmm7/pixelserv-tls_2.3.1-1_armhf.deb if you are curious).

Now for the challenges. The Raspberry pi already has a web server for a variety of services, so I can't just use port 80/443. Instead I'd like to use an approach with a separate IP address, similar to Diversion.

First I created a new IP address for the raspberry pi using ifconfig eth0 xx.xx.xx.4/24 up where xx.xx.xx is my local network (the pi is xx.xx.xx.3). I ran ifconfig on the pi, not the router, if that matters.

So now the pi has two IP addresses on eth0, but this has caused a number of issues, since it seems the web server (nginx) is claiming ports on both interfaces, as are other services (e.g. nmbd/smbd).

Now, I can run the pixelserv to listen on the second IP address using different ports (e.g. 33080/33443). Using this approach I can get e.g. servstats output, but only if I use the different ports, ports 80/443 are still being claimed by the web server.

Based on some research I've done, I thought I could use iptables to redirect traffic from xx.xx.xx.4 port 80/443 to the different ports (bypassing the web server). I ran these commands on the router :

iptables -t nat -A PREROUTING -i br0 -p tcp -d xx.xx.xx.4 --dport 80 -j REDIRECT --to-port 33080
iptables -t nat -A PREROUTING -i br0 -p tcp -d xx.xx.xx.4 --dport 443 -j REDIRECT --to-port 33443

However, this does not seem to be working, if I browse to xx.xx.xx.4 port 80 or 443, I still get the web server and not the pixelserv. Likewise if I run the iptables command on the raspberry pi on eth0.

I am starting to wonder if iptables is really the right answer for an address within the router intra-net.

What I need is some way that the pixelserv can handle its own IP address (and ports 80, 443) without interference from the "main" raspi IP address.

Any advice or suggestions?

Thanks!

 

[dave14305]

Will the Pi-Hole be able to answer blocked queries with the pixelserv IP instead of 0.0.0.0? I see in the Pi-Hole docs that it can return the IP of the Pi-Hole itself, if configured manually to do so.

LAN-to-LAN traffic won't be subjected to iptables routing at all, so that's why it doesn't work with iptables.

 

[pdc]

Will the Pi-Hole be able to answer blocked queries with the pixelserv IP instead of 0.0.0.0? I see in the Pi-Hole docs that it can return the IP of the Pi-Hole itself, if configured manually to do so.

Even better, the latest pi-hole (FTL) can be configured to return an arbitrary IP (BLOCKINGMODE=IP-NODATA-AAAA and REPLY_ADDR4=xx.xx.xx.xx). The docs haven't been updated yet, but the release notes mention this.

LAN-to-LAN traffic won't be subjected to iptables routing at all, so that's why it doesn't work with iptables.

Okay, that certainly explains what I'm seeing.

Any ideas for what I could do to allow pixelserv to handle ports 80,443 on an arbitrary IP without interfering with other ports and services on the pi? I'm guessing part of my problem is adding an IP to the main network interface means that any service that listens on that interface gets both IPs. Is there a way to add a "virtual" interface that only pixelserv would listen on?

Does anyone know how Diversion manages to have pixelserv and the Asus Web UI co-exist? That's what I'm looking for, and it has been much harder than I expected...

Thanks!

 

[ColinTaylor]

Does anyone know how Diversion manages to have pixelserv and the Asus Web UI co-exist?

Diversion create another virtual interface with its own IP address. pixelserv binds only to this address and Diversion redirects clients to it.

 

[dave14305]

Does anyone know how Diversion manages to have pixelserv and the Asus Web UI co-exist? That's what I'm looking for, and it has been much harder than I expected...

The router httpd server only listens on the br0 interface, so it’s no problem for pixelserv to listen on br0:pixelserv-tls. You need to see if there’s a way to stop nginx from listening on all interfaces. Or keep Pixelserv on the router but have the pi-hole do the ad-blocking.

 

[pdc]

I don't know how many times I saw br0:pixelserv-tls without realizing that was different from just br0.

The info I found says it's not possible to bind nginx to an interface because nginx has no concept of layer2/3. Instead, to stop nginx from listening on all interfaces I carved out some IP space for it to listen to explicitly. What seems to work is to limit nginx to listening on xx.xx.xx.0 (my local network) and put pixelserv outside that range, i.e. xx.xx.yy.zz (my obfuscation scheme is breaking down ). I am using the 10.0.0.0 range, so lots of options.

So far so good.... Thanks for the help!