
Re: Invalid httpd logs with port forwarding



Hello Dominic,

Dominic Duval wrote:
> Simply put, is there a way to do port forwarding without having the
> source address modified?

Do you mean routing? ;-)

> Here is the problem: I'm using the following rules to forward port 80
> traffic to an HTTP server behind a firewall:
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d 66.46.180.200 -j DNAT \
>          --to-destination 192.168.1.200:80
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.200 -m state --state \
>          NEW,ESTABLISHED,RELATED -j ACCEPT

It sounds good to me.

> The port forwarding works just fine, but all log entries on the HTTP
> server show the same source address, which is the local address of the
> firewall (192.168.1.4). I'd like the logs to show the real IP address of
> the client from which the connection originates.
> 
> Any help, pointer or suggestion would be appreciated.

You should check your SNAT rules: the source address is usually changed by some
SNAT rule and not by DNAT rules, which only change the destination addresses.

I guess you have some SNAT rule that doesn't check for the outgoing
interface, since it's a common mistake... :)

Check you are using something like this:
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT \
           --to-source 66.46.180.200

Have a good "route", J.C. :)
-- 
Jean Christophe ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project
Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
/ Personal note: please avoid sending me PowerPoint or Word files;          \
\ see here: http://www.fsf.org/philosophy/no-word-attachments.fr.html        /
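The following is an added illustration, not part of J.C.'s reply or Dominic's setup: a small Python model of the nat-table traversal the reply describes (PREROUTING DNAT, routing decision, POSTROUTING SNAT), run once with a source-rewriting rule that has no -o restriction and once with the -o eth0 SNAT rule recommended above. It assumes the firewall has eth0 (66.46.180.200) facing the Internet and eth1 (192.168.1.4) on the LAN, that the offending rule is a bare MASQUERADE, and uses a constructed client address 203.0.113.5; none of those details are stated in the thread.

```python
"""Toy model of the nat-table traversal described in the thread.

A packet from an outside client hits PREROUTING (DNAT to the web server),
is routed, then hits POSTROUTING, where a source-rewriting rule that does
not check the outgoing interface rewrites the source on the LAN side too.
Restricting the rule with -o eth0 leaves the client address intact for the
DNATed connection. Interface names, the client address and the MASQUERADE
rule are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "66.46.180.200"   # firewall address on eth0 (from the thread)
FW_LAN_IP = "192.168.1.4"     # firewall address on eth1 (from the thread)
WEB_SERVER = "192.168.1.200"  # DNAT target (from the thread)
CLIENT = "203.0.113.5"        # constructed external client (TEST-NET-3)
LAN_NET = "192.168.1.0/24"

IFACE_ADDR = {"eth0": PUBLIC_IP, "eth1": FW_LAN_IP}  # assumed interface layout


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    chain: str                        # "PREROUTING" or "POSTROUTING"
    target: str                       # "DNAT", "SNAT" or "MASQUERADE"
    to: Optional[str] = None          # --to-destination / --to-source
    src_net: Optional[str] = None     # -s
    dst: Optional[str] = None         # -d
    dport: Optional[int] = None       # --dport
    out_iface: Optional[str] = None   # -o (meaningful in POSTROUTING)


def route(dst: str) -> str:
    """Minimal routing decision: the LAN prefix leaves on eth1, all else on eth0."""
    return "eth1" if ip_address(dst) in ip_network(LAN_NET) else "eth0"


def matches(rule: NatRule, pkt: Packet, out_iface: Optional[str]) -> bool:
    """Evaluate the rule's match options against the packet."""
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst is not None and pkt.dst != rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.out_iface is not None and out_iface != rule.out_iface:
        return False
    return True


def apply_nat(rules, pkt: Packet):
    """PREROUTING (DNAT), routing decision, then POSTROUTING (SNAT/MASQUERADE).
    The first matching rule in each chain wins, as in a real nat table."""
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and matches(r, pkt, None):
            pkt = replace(pkt, dst=r.to)
            break
    out = route(pkt.dst)
    for r in rules:
        if r.chain == "POSTROUTING" and matches(r, pkt, out):
            if r.target == "SNAT":
                pkt = replace(pkt, src=r.to)
            elif r.target == "MASQUERADE":
                # MASQUERADE uses the address of whichever interface the packet leaves on
                pkt = replace(pkt, src=IFACE_ADDR[out])
            break
    return pkt, out


DNAT_RULE = NatRule("PREROUTING", "DNAT", to=WEB_SERVER, dst=PUBLIC_IP, dport=80)
# The mistake the reply points at: a source-rewriting rule with no -o restriction.
UNRESTRICTED_SNAT = NatRule("POSTROUTING", "MASQUERADE")
# The rule the reply recommends: only LAN sources leaving on the public interface.
RESTRICTED_SNAT = NatRule("POSTROUTING", "SNAT", to=PUBLIC_IP, src_net=LAN_NET, out_iface="eth0")


def source_seen_by_web_server(snat_rule: NatRule) -> str:
    """Source address the HTTP server logs for a DNATed connection from CLIENT."""
    pkt, _ = apply_nat([DNAT_RULE, snat_rule], Packet(CLIENT, PUBLIC_IP, 80))
    return pkt.src


def source_seen_by_internet(snat_rule: NatRule) -> str:
    """Source address an outside host sees for a LAN host browsing out (must stay NATed)."""
    pkt, _ = apply_nat([DNAT_RULE, snat_rule], Packet("192.168.1.50", "198.51.100.7", 80))
    return pkt.src


if __name__ == "__main__":
    for label, rule in (("no -o restriction", UNRESTRICTED_SNAT), ("-o eth0 SNAT", RESTRICTED_SNAT)):
        print(f"{label:18} web server logs {source_seen_by_web_server(rule)}, "
              f"outside host sees {source_seen_by_internet(rule)}")
```

With the unrestricted rule the model reproduces the symptom from the thread (the web server logs 192.168.1.4, the firewall's LAN address), while the -o eth0 rule leaves the client address intact and still NATs outbound LAN traffic to 66.46.180.200. On a real firewall the equivalent check is `iptables -t nat -vnL POSTROUTING`: a source-rewriting rule whose `out` column shows `*` applies on every interface, including the LAN one.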