Re: Iptables with NAT question 
--On 11 November 2002 19:03 -0600 Ian Melnick
I set up machine #1 to act as just a packet filtering machine, and
machine #2 to run apache. Machine #1 forwards all port 80 requests to
machine #2. Whenever I look at the apache access logs, the only IP that
shows up is that of the firewall's. Although people can get to the site
this way, I can't analyze where my traffic is coming from, etc. How do I
set it up so that the IP of the actual user shows up in my logs?
The thing I'm unclear with the above is, do you have two seperate LANS, or
just the one? I assume two, but don't know... read on for more :)
Someone in #debian told me that I shouldn't NAT the external addresses.
I don't know what that means. These are the two lines that do the
operation in question:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -p
tcp -s 0.0.0.0/0 -d 192.168.1.1 --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.1 --dport 80 -j DNAT
I just use this:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d <real IP on firewall>
--dport 80 -j DNAT --to <server1>
iptables -A FORWARD -p TCP -i eth0 -d <server1> --dport 80 -j allowed
I don't have an INPUT line because as far as I am aware I don't need INPUT,
because the packets aren't going to the firewall itself, hence I need
FORWARD. Take what I say with a pinch of salt though, because I'm just an
iptables user, not an expert. This is also why I brought up the point of
whether you have two seperate lans or not (INPUT or FORWARD chains).
I'll try to illustrate my network setup with some bad ascii art:
ADSL LAN with public IPS
[firewall] (with ethernet "aliases" of the real IPs)
[server1] [server2] [server3] (these are in 10.1.1.0/24 range)
I hope that helps.
ps. I've not yet looked at your rules attachment in your second mail.