Abhiram Singh Kushwah wrote:
>>>WebServer (The problem is here: I'm getting the firewall's IP 192.168.1.x in
>>>Apache's access log entry for all incoming requests to the webserver, whereas
>>>I wanted the visitors' real IP)
> 
> 
>>Are all the visitors for the webserver from the local LAN or from
>>outside also ? What is the IP address used by the visitors from the
>>local LAN to access the web server ?
> 
> -----------------<snip>-----------------
> 
>>Now assuming that the web server is accessed using the Public IP A.B.C.D
>>which is assigned to one of the external interfaces on your firewall box
>>and you have an external visitor. In such a case, the incoming requests
>>will first hit your firewall box on the interface having the address
>>A.B.C.D and then DNAT rules will send them to Gateway / Proxy Server and
>>then the requests should get forwarded to the web server. In such a
>>case, the access log will record the visitor's IP address as the real IP
>>address unless and until you have SNAT happening at the firewall box
>>where the source IP address is changed to 192.168.1.x, so you need to check
>>the firewall rules there. Can you send the output of
>>
>>iptables -L
>>iptables -t nat -L
>>
>>at both the gateways ?
>>
>>The same logic will apply when an internal visitor tries to access the
>>web server using the public IP A.B.C.D.
> 
> 
> The visitors are from both the LAN and outside the LAN. All visitors visit my 
> webserver as http://www.mydomain.com, and for all visitors the IP logged in Apache 
> is always 192.168.1.x. I'm not using any SNAT rules on either the firewall or the 
> gateway, only DNAT.
> 
> On Firewall, 
> iptables -A PREROUTING -t nat -j DNAT -p tcp -d MYPUBLIC_IP --dport 80
> --to 192.168.1.w:80
> 
> On Gateway/ProxyServer
> iptables -A PREROUTING -t nat -j DNAT -p tcp -d 192.168.1.w --dport 80
> --to 192.168.2.w:80

The only logical reason which came to my mind was the existence of some SNAT 
rule at the firewall box, which you have ruled out. Could there be some 
side effect of multiple port forwarding using 2 DNAT rules ;-) ? I think 
you can post your problem on the netfilter mailing list.

For the time being, if you put your webserver right after the first 
firewall box and give it an IP address 192.168.1.W and use the DNAT rule 
on firewall box to direct traffic to it, it should solve your problem. 
Why do you have two levels of firewalling ?

--
Manish
http://www.tuxspace.com/

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi 
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
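As an added example (not code from the thread), here is a small POSIX sh script that performs the check Manish asks for: it scans an `iptables-save -t nat` dump for rules that rewrite the source address (SNAT or MASQUERADE), lists the DNAT port forwards so the forwarding path can be read off, and prints a verdict. The dump it reads is constructed: the public address 203.0.113.10, the inside host 192.168.1.20 and the interface name eth0 are placeholders standing in for MYPUBLIC_IP and 192.168.1.w in the thread, and the MASQUERADE rule is hypothetical, added only to show what a source rewrite looks like when the script finds one.

```shell
#!/bin/sh
# Added example, not code from the thread: check a nat-table dump for rules
# that rewrite the source address (SNAT / MASQUERADE). Such a rule is what
# would make Apache log a firewall address instead of the visitor's address.
# The dump is read from a string so the script runs offline; on a live box,
# replace the sample with:   NAT_DUMP=$(iptables-save -t nat)

# Constructed sample in iptables-save format. The DNAT line mirrors the port
# forward described in the thread (203.0.113.10, 192.168.1.20 and eth0 are
# placeholders); the MASQUERADE line is hypothetical, added to show what a
# source rewrite toward the inside interface looks like.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -d 192.168.1.20/32 -p tcp -m tcp --dport 80 -j MASQUERADE
COMMIT'

# Print every rule that changes the source address; exit status 0 if any.
find_source_rewrites() {
    printf '%s\n' "$1" | grep -E -- '-j (SNAT|MASQUERADE)( |$)'
}

# Print every DNAT (port-forwarding) rule; exit status 0 if any.
find_dnat_rules() {
    printf '%s\n' "$1" | grep -E -- '-j DNAT( |$)'
}

# One-line verdict followed by the offending rules; the text before the
# first colon is "SNAT" or "NO SNAT".
nat_verdict() {
    rewrites=$(find_source_rewrites "$1" || true)
    if [ -n "$rewrites" ]; then
        echo "SNAT: these rules rewrite the source address before packets reach the web server"
        printf '%s\n' "$rewrites"
    else
        echo "NO SNAT: the nat table does not rewrite source addresses; check the other box, or whether the proxy terminates the connection"
    fi
}

# Stand-alone run against the constructed sample.
echo "== DNAT rules =="
find_dnat_rules "$SAMPLE_NAT_DUMP"
echo "== verdict =="
nat_verdict "$SAMPLE_NAT_DUMP"
```

Run it once with the dump from each of the two boxes, since a rewrite on either one is enough to hide the visitor's address. When looking by hand instead, prefer `iptables -t nat -L -n -v` over plain `iptables -t nat -L`: `-n` skips reverse DNS lookups on every address and `-v` shows the interface and packet counters, which tell you whether a MASQUERADE rule is actually matching the forwarded web traffic. One caveat the nat table cannot answer: if the middle "proxy server" runs an application-level proxy that terminates the TCP connection and opens a new one to the web server, Apache will see the proxy's address even with no SNAT rule anywhere, and the real address is then only available from whatever header the proxy adds.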
