Re: Invalid httpd logs with port forwarding
Hello Dominic,
Dominic Duval wrote:
> Simply put, is there a way to do port forwarding without having the
> source address modified?
Do you mean routing? ;-)
> Here is the problem: I'm using the following rules to forward port 80
> traffic to a HTTP server behind a firewall:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d 66.46.180.200 -j DNAT
> --to-destination 192.168.1.200:80
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.200 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
It sounds good to me.
> The port forwarding works just fine, but all log entries on the HTTP
> server show the same source address, which is the local address of the
> firewall (192.168.1.4). I'd like the logs to show the real IP address of
> the client from which the connection originates.
>
> Any help, pointer or suggestion would be appreciated.
You should check your SNAT rules: source address is usually changed by some
SNAT rule and not by DNAT rules that only change the destination addresses.
I guess you have some SNAT rule that doesn't check for the outgoing
interface, since it's a common mistake... :)
Check you are using something like this:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT \
--to-source 66.46.180.200
Have a good "route", J.C. :)
--
Jean Christophe ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
/ Personal note: please avoid sending me PowerPoint or Word files; \
\ see here: http://www.fsf.org/philosophy/no-word-attachments.fr.html /
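As an added example that is not part of the thread: a POSIX shell check for the mistake J.C. describes, run over a constructed `iptables-save -t nat` dump. It flags POSTROUTING SNAT/MASQUERADE rules that carry no outgoing-interface (`-o`) match; the interface name eth0, the rule set and the addresses are assumptions built from the values quoted above.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (assumption, not from the thread).
# The bare MASQUERADE rule is the "common mistake": it has no -o match, so packets
# DNATed to the LAN web server are also rewritten on the way out of the LAN interface,
# and MASQUERADE uses that interface's own address, so the server logs the firewall.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 66.46.180.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
-A POSTROUTING -j MASQUERADE
COMMIT'

# Same dump after applying the suggested fix: SNAT scoped to the LAN source
# range and to the outgoing interface eth0 (assumed WAN interface).
FIXED_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 66.46.180.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 66.46.180.200
COMMIT'

# Print every POSTROUTING rule whose target is SNAT or MASQUERADE but which has
# no "-o <iface>" match. Each such rule can rewrite the source of forwarded
# traffic heading back into the LAN, not only traffic leaving for the Internet.
find_unscoped_snat() {
    printf '%s\n' "$1" \
        | grep -E -e '^-A POSTROUTING ' \
        | grep -E -e '-j (SNAT|MASQUERADE)' \
        | grep -v -E -e ' -o [^ ]+'
}

# Number of flagged rules; awk so the count is printed even when it is zero.
count_unscoped_snat() {
    find_unscoped_snat "$1" | awk 'END { print NR }'
}

# Stand-alone use: audit a live box with `count_unscoped_snat "$(iptables-save -t nat)"`.
```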