
Iptables with NAT question [2]


I sent this note to the debian-user list the other day, and then realized
this would probably be a more appropriate list. Sorry if you're getting
it twice, but since I received no responses on the other one, I figured
people were ignoring it since it probably shouldn't have been there.

I set up machine #1 to act as just a packet filtering machine, and
machine #2 to run apache. Machine #1 forwards all port 80 requests to
machine #2. Whenever I look at the apache access logs, the only IP that
shows up is that of the firewall's. Although people can get to the site
this way, I can't analyze where my traffic is coming from, etc. How do I
set it up so that the IP of the actual user shows up in my logs?

Someone in #debian told me that I shouldn't NAT the external addresses.
I don't know what that means. These are the two lines that do the
operation in question:

iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s -d --dport 80 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d --dport 80 -j DNAT

Thanks in advance!

The dismantled, half-destroyed Dazed Yugo,
amongst the bloody windshields of brothers,
dares not make lamentations audible.
"Maybe I'll become a Lexus," it hopes.
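
DNAT in PREROUTING rewrites only the destination address; the client's source address is replaced only when an SNAT or MASQUERADE rule in POSTROUTING also matches the forwarded connection. The following is an added example, not part of the original message, that scans an iptables-save dump for such rules that are not limited to the external interface. It assumes eth0 is the external and eth1 the internal interface; the addresses, sample rules and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for POSTROUTING rules that can
# rewrite the source address of connections forwarded to an internal server.

# Constructed sample dump (assumed layout: eth0 = external, eth1 = internal;
# addresses are from the 192.0.2.0/24 documentation range).
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:80
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 192.0.2.1
COMMIT
EOF
}

# Read iptables-save output on stdin and print each POSTROUTING SNAT or
# MASQUERADE rule that is not restricted to the external interface ($1).
# Such a rule also matches DNATed port-80 traffic leaving toward the web
# server, so the server logs the firewall's address as the client.
# Printed rules are candidates: one limited by -s to internal sources
# would not touch external clients and needs a manual look.
find_source_rewrites() {
    ext_if=$1
    while IFS= read -r rule; do
        case $rule in
            "-A POSTROUTING "*) ;;
            *) continue ;;
        esac
        case $rule in
            *"-j MASQUERADE"*|*"-j SNAT"*) ;;
            *) continue ;;
        esac
        case $rule in
            *"! -o $ext_if "*) ;;          # negated: everything except external
            *" -o $ext_if "*) continue ;;  # only traffic leaving to the Internet
        esac
        printf '%s\n' "$rule"
    done
    return 0
}

sample_rules | find_source_rewrites eth0
```

On a live firewall the same function can be fed with `iptables-save -t nat | find_source_rewrites eth0`, run as root.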
