Abhiram Singh Kushwah wrote:
> Hi,
>
>>>>> I'm trying to figure out how to properly log clients' IP addresses in
>>>>> Apache's access log.
>
> ----------------------------------------------
>
>>>> This should not happen since you are changing the destination IP of the
>>>> incoming requests and not the source IP. The only situation in which
>>>> this can happen is when you have some SNAT rule which is changing the
>>>> source IP of the requests to that of the firewall box. And most likely,
>>>> you must be doing SNAT for the requests coming from your own LAN and
>>>> changing their IP to the IP of the firewall box. So when the hosts in
>>>> your LAN access the webserver through its public IP, all the requests
>>>> get logged as coming from the firewall box. Just check your SNAT rules.
>
>>> I'm not using any SNAT rules at my firewall.
>
>> Do you have a proxy server running on the firewall box?
>
> See my network architecture as
>
>                   INTERNET
>                      |
> Firewall Box (This box has 4 external IPs on one NIC and 1 private IP
> 192.168.1.x on the other NIC. I'm using iptables with DNAT here)
>                      |
>                      |
>                      | (IP 192.168.1.y)
> Gateway/ProxyServer (This box also has firewall iptables rules for
> controlling the LAN and DNAT for the webserver)
> (IP 192.168.2.X)
>                      |
>                      |
> Switch-----------------LAN (192.168.2.0/24)
>                      |
> WebServer (Problem is here: I'm getting the firewall's IP 192.168.1.x in
> Apache's access log entry for all incoming requests to the webserver,
> whereas I wanted the visitors' real IP) (IP 192.168.2.X)
>
> Thanks and Regards,
> Abhiram
Are all the visitors for the webserver from the local LAN or from outside
also? What is the IP address used by the visitors from the local LAN to
access the web server?

Let's say the webserver is on the IP address 192.168.2.w and your internal
clients try to access the web server using this address. In such a scenario,
the incoming requests will be logged from their own IPs (192.168.2.n) if they
don't go through the proxy server, and from the IP of the proxy server if they
go through the proxy server. There is no reason why the firewall box's IP
192.168.1.x should be logged in the visitor log.

Now assuming that the web server is accessed using the public IP A.B.C.D,
which is assigned to one of the external interfaces on your firewall box, and
you have an external visitor. In such a case, the incoming requests will first
hit your firewall box on the interface having the address A.B.C.D, then the
DNAT rules will send them to the Gateway/Proxy Server, and then the requests
should get forwarded to the web server. In such a case, the access log will
record the visitor's IP address as the real IP address unless and until you
have SNAT happening at the firewall box where the source IP address is changed
to 192.168.1.x, so you need to check the firewall rules there.

Can you send the output of

iptables -L
iptables -t nat -L

at both the gateways?

The same logic will apply when an internal visitor tries to access the web
server using the public IP A.B.C.D.

--
Manish
_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
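Added example (not from the thread, and not Manish's or Abhiram's script): a small POSIX sh/awk filter that does the check Manish asks for, i.e. finds the POSTROUTING rules on a NAT box that rewrite the source address (SNAT or MASQUERADE) and could therefore make Apache log the firewall's IP instead of the visitor's. It reads the iptables-save style rule listing that `iptables -t nat -S` prints rather than the `-L` table, because each rule is then one self-describing line. The sample rule set and all addresses in it (203.0.113.10 for the public IP, 192.168.1.1 for the firewall's LAN side, 192.168.1.20 for the gateway) are constructed placeholders that follow the thread's layout; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Scans iptables-save style
# NAT rules for POSTROUTING rules that rewrite the source address of traffic
# headed to a given host (the gateway or the web server). Any such rule on
# the path is what makes Apache see the NAT box's IP instead of the visitor's.

# Constructed sample of `iptables -t nat -S` output on the firewall box:
# a DNAT rule that forwards the public IP to the gateway (harmless for
# logging), a MASQUERADE rule for outbound LAN traffic, and an SNAT rule that
# rewrites the source of forwarded web traffic to the firewall's own LAN IP.
# The last rule is the kind of thing the thread is hunting for.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.20/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1'

# Print every POSTROUTING rule whose target rewrites the source address.
# DNAT rules live in PREROUTING and only change the destination, so they are
# skipped on purpose: they are not what hides the visitor's IP.
find_source_rewrites() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /-j (SNAT|MASQUERADE)/'
}

# Narrow the list to rules that can apply to traffic headed for $1: rules
# with no -d match at all (they hit everything leaving the box) or a -d that
# names the host. Interface and port matches are deliberately ignored so the
# output errs on the side of showing a rule for a human to look at.
source_rewrites_hitting() {
    target="$1"
    find_source_rewrites | awk -v t="$target" '
        {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == "-d") dst = $(i + 1)
            sub(/\/32$/, "", dst)          # treat a /32 as the bare address
            if (dst == "" || dst == t) print
        }'
}

# Count the suspect rules in the constructed sample for a given next hop.
# On a real box the live rules would be piped in instead:
#   iptables -t nat -S | source_rewrites_hitting 192.168.1.20
count_source_rewrites_hitting() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | source_rewrites_hitting "$1" | wc -l | tr -d ' '
}

# Run against the sample: the gateway address is hit by both the MASQUERADE
# rule (no -d) and the explicit SNAT rule, so two lines are printed.
printf '%s\n' "$SAMPLE_NAT_RULES" | source_rewrites_hitting 192.168.1.20
```

Run it on the firewall box and on the gateway/proxy box, feeding each one's `iptables -t nat -S` into `source_rewrites_hitting` with the address of the next hop (the gateway's 192.168.1.y on the firewall, the web server's 192.168.2.X on the gateway). An empty result on both boxes means source rewriting is not the cause and the proxy itself is the next thing to look at; a hit shows exactly which rule to narrow down or remove.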