2

I hope it is not too weird a question. I'm running a web service on an IIS server which can be accessed either from the internal network or externally (i.e. the Internet) by port forwarding.

External: For example, if I connect to my server from the internet with http://my_public_domain_name then the firewall will forward port 80 to my server.

Internal: Assuming my server has the IP 10.50.1.1 in the local network and my PC is at 10.60.1.1 (same intranet, different subnets) then I can access it by http://10.50.1.1.

When I get the request in IIS (ASP.NET) I need to know whether the request was forwarded by the firewall or whether it arrived internally.

Thanks.

Lior Ohana
  • Have you considered the "X-Forwarded-For" HTTP header? I think if it is empty, or if it is equal to the client IP, the request should be internal – jbl Apr 19 '12 at 09:27
  • The problem with the X-Forwarded-For is that not all routers/firewalls implement it. – Lior Ohana Apr 20 '12 at 05:35

1 Answer

4

In a Servlet once, I wanted to have admin access from the LAN only, so I took the internal IP range I was using, and created a simple rule for logging in as admin that checked to see that my IP was in that range.

In Java, I used HttpServletRequest.getRemoteAddr() and getRemoteHost().

Looking in this page http://www.geekpedia.com/tutorial45_How-to-get-IP-address-of-client.html, it looks like the ASP equivalent is:

Request.ServerVariables("REMOTE_ADDR")

And something like this page would help you determine if it is a private (internal) IP range or not: https://en.wikipedia.org/wiki/Private_network (not sure if it is helpful for the IPv6 IPs)

Peter
  • Thanks. I've already looked into the request variables, but the problem is that I don't know the internal network's range. For example, an internal client can be 10.60.1.1 or 10.60.1.2 or even something like 172.25.4.1 if connected via VPN to the internal network. – Lior Ohana Apr 19 '12 at 09:05
  • 1
    Right, that is why I linked that Wikipedia page. It has the private IP ranges listed. If you check the remote IP against all of the ranges, then nobody from outside would match one of them (except spoofing, but that is a different topic): 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 – Peter Apr 19 '12 at 10:03
  • Do you also want the VPN ones to be considered external? You would have no way of knowing they went through the gateway except by knowing their range. – Peter Apr 19 '12 at 10:06
  • I'd rather not rely on specific IP ranges, but maybe I have no other option. As for VPN, I want to count it as internal. 10x – Lior Ohana Apr 20 '12 at 05:34
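
The range check discussed in the answer and its comments, as an added C# example that is not code from any of the posters: it tests the connection's source address against the private ranges rather than trusting the client-supplied X-Forwarded-For header, and also handles IPv4-mapped IPv6 and the IPv6 unique-local range. The `RequestOrigin` class, the `forwarderAddrs` parameter and the address 10.50.1.254 are hypothetical; in ASP.NET the input would be `Request.UserHostAddress` (the REMOTE_ADDR value).

```csharp
using System;
using System.Linq;
using System.Net;

public static class RequestOrigin
{
    // RFC 1918 private ranges, loopback, and the IPv6 unique-local range fc00::/7.
    private static readonly (IPAddress Net, int Prefix)[] InternalNets =
    {
        (IPAddress.Parse("10.0.0.0"), 8),
        (IPAddress.Parse("172.16.0.0"), 12),
        (IPAddress.Parse("192.168.0.0"), 16),
        (IPAddress.Parse("127.0.0.0"), 8),
        (IPAddress.Parse("::1"), 128),
        (IPAddress.Parse("fc00::"), 7),
    };

    // forwarderAddrs (assumption): LAN-side addresses of firewalls that rewrite the source
    // address when forwarding; traffic arriving from them is treated as external.
    public static bool IsInternal(string remoteAddr, params string[] forwarderAddrs)
    {
        if (!IPAddress.TryParse(remoteAddr, out IPAddress ip)) return false; // unparseable: fail closed
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // ::ffff:10.60.1.1 -> 10.60.1.1
        if (forwarderAddrs.Any(f => IPAddress.Parse(f).Equals(ip))) return false;
        return InternalNets.Any(n => InSubnet(ip, n.Net, n.Prefix));
    }

    private static bool InSubnet(IPAddress ip, IPAddress net, int prefix)
    {
        if (ip.AddressFamily != net.AddressFamily) return false;
        byte[] a = ip.GetAddressBytes(), b = net.GetAddressBytes();
        int full = prefix / 8, rem = prefix % 8;
        for (int i = 0; i < full; i++)
            if (a[i] != b[i]) return false;               // whole bytes of the prefix must match
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF;            // leading bits of the partial byte
        return (a[full] & mask) == (b[full] & mask);
    }

    public static void Main()
    {
        // Constructed sample addresses; 10.50.1.254 stands in for a source-rewriting firewall.
        foreach (var addr in new[] { "10.60.1.1", "172.25.4.1", "::ffff:192.168.1.5", "172.32.0.1", "203.0.113.7", "10.50.1.254" })
            Console.WriteLine($"{addr,-20} internal={IsInternal(addr, "10.50.1.254")}");
    }
}
```

The first three sample addresses are reported as internal and the last three as external; 172.32.0.1 falls just outside 172.16.0.0/12, which is the boundary a simple string-prefix check on "172." would get wrong.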