* Transparent gateway
@ 2004-11-18 10:56 Mattia Martinello
2004-11-18 13:41 ` Jason Opperisano
0 siblings, 1 reply; 4+ messages in thread
From: Mattia Martinello @ 2004-11-18 10:56 UTC (permalink / raw)
To: Netfilter ML
Hi,
I'm using a netfilter gateway between my LAN and the server on the DMZ.
This gateway makes a DNAT from 192.168.1.* to the external IP of the
server on the DMZ.
Then, if I call http://[my external IP], the gateway makes a DNAT to
http://192.168.20.x (the internal DMZ IP of the server), through the
192.168.20.254 interface.
The problem is that when I call Apache on the server, Apache thinks that
I am 192.168.20.254, not 192.168.1.x.
So, in the access logs the connection is made from the DMZ interface of
the gateway and not from the real IP address of the client.
This causes me some real problems with client authentication.
How can I make my gateway transparent and solve this problem, so that
Apache writes the correct IP address of the client in the logs?
Thank you very much
Bye
Mattia.
* Re: Transparent gateway
From: Jason Opperisano @ 2004-11-18 13:41 UTC (permalink / raw)
To: netfilter
On Thu, 2004-11-18 at 05:56, Mattia Martinello wrote:
> Hi,
>
> I'm using a netfilter gateway between my LAN and the server on the DMZ.
> This gateway makes a DNAT from 192.168.1.* to the external IP of the
> server on the DMZ.
why?
> Then, if I call http://[my external IP], the gateway makes a DNAT to
> http://192.168.20.x (the internal DMZ IP of the server), through the
> 192.168.20.254 interface.
because you told it to...
> The problem is that when I call Apache on the server, Apache thinks that
> I am 192.168.20.254, not 192.168.1.x.
> So, in the access logs the connection is made from the DMZ interface of
> the gateway and not from the real IP address of the client.
> This causes me some real problems with client authentication.
>
> How can I make my gateway transparent and solve this problem, so that
> Apache writes the correct IP address of the client in the logs?
don't NAT traffic from your LAN to your DMZ. if clients inside the LAN
are requesting the public IP of the DMZ server and not its actual DMZ
IP, you'll need something along the lines of:
iptables -t nat -A PREROUTING -i ${INSIDE_IF} -s ${INSIDE_NET} \
-d ${WEBSRV_PUB_IP} -j DNAT --to-destination ${WEB_SRV_DMZ_IP}
and make sure your outbound SNAT/MASQ for the internal net specifies the
external interface:
iptables -t nat -A POSTROUTING -o ${OUTSIDE_IF} -s ${INSIDE_NET} \
-j SNAT --to-source ${OUTSIDE_IP}
other than that--you haven't provided nearly enough information to answer
your questions (hint: post your rules [1])
-j
[1] iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL
--
"You must be the man who didn't know whether it was a blister or
a boil.
It was a gummi bear."
--The Simpsons
* Re: Transparent gateway
From: Mattia Martinello @ 2004-11-18 13:56 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
> why?
Because I want to call the server from my LAN using its public IP address.
> because you told it to...
Can't I solve this problem?
> don't NAT traffic from your LAN to your DMZ. if clients inside the LAN
> are requesting the public IP of the DMZ server and not its actual DMZ
> IP, you'll need something along the lines of:
See above... I always want to call the server using its public IP address.
> other than that--you haven't provided nearly enough information to answer
> your questions (hint: post your rules [1])
This is my simple script:
#!/bin/sh
# EXTERNAL_IP must be set to the gateway's public address before this runs
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d $EXTERNAL_IP -j DNAT --to 192.168.2.99
So all traffic to the external server IP seems to come from
192.168.2.254. How can I avoid this?
Thank you very much!
Bye
Mattia.
* Re: Transparent gateway
From: Jason Opperisano @ 2004-11-18 14:17 UTC (permalink / raw)
To: netfilter
On Thu, 2004-11-18 at 08:56, Mattia Martinello wrote:
> > why?
>
> Because I want to call the server from my LAN using its public IP address.
which has nothing to do with SNAT-ing your internal LAN.
> > because you told it to...
>
> Can't I solve this problem?
>
> > don't NAT traffic from your LAN to your DMZ. if clients inside the LAN
> > are requesting the public IP of the DMZ server and not its actual DMZ
> > IP, you'll need something along the lines of:
>
> See above... I always want to call the server using its public IP address.
you need a DNAT rule that translates requests from your internal LAN to
the public IP of DMZ server to the DMZ IP of DMZ server.
> > other than that--you haven't provided nearly enough information to answer
> > your questions (hint: post your rules [1])
>
> This is my simple script:
>
>
> #!/bin/sh
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o ppp0 -j MASQUERADE
> iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d $EXTERNAL_IP -j DNAT --to 192.168.2.99
assuming ppp0 is your external interface--delete both "-o ethX" MASQ
rules. you are excessively NAT-ing for no good reason. the DNAT rule
you have will translate requests from the internal LAN to $EXTERNAL_IP
to 192.168.2.99 for you.
> So all traffic to the external server IP seems to come from
> 192.168.2.254. How can I avoid this?
-j
--
"Default! The two sweetest words in the English language!"
--The Simpsons
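Added example, not part of the thread: a small Python model of the netfilter nat path (PREROUTING DNAT, routing, POSTROUTING SNAT/MASQUERADE) that walks a LAN client's packet through Mattia's posted ruleset and through the ruleset Jason describes in both of his replies (MASQUERADE only on the public uplink, DNAT to the DMZ host). It makes the point from both replies visible: with a MASQUERADE rule on the DMZ-facing interface the server logs the gateway's DMZ address, without it the server logs the real client. The interface roles (ppp0 = public uplink, eth0 = LAN, eth2 = DMZ) and the EXTERNAL_IP value are constructed assumptions; the thread does not name them.

```python
# Added example (not from the thread): a toy model of the netfilter nat path,
# used to show why Mattia's ruleset makes Apache see 192.168.2.254 and why
# dropping the "-o eth0" / "-o eth2" MASQUERADE rules fixes it.
# Assumptions (constructed, not stated in the thread): ppp0 is the public
# uplink, eth0 is the LAN (192.168.1.0/24), eth2 is the DMZ (192.168.2.0/24),
# and EXTERNAL_IP is a placeholder documentation address.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EXTERNAL_IP = "203.0.113.10"  # placeholder for the gateway's public address

# Address each interface would use for MASQUERADE (assumed topology).
IFACE_ADDR = {"ppp0": EXTERNAL_IP, "eth0": "192.168.1.254", "eth2": "192.168.2.254"}
# Connected routes; anything else leaves via ppp0 (the default route).
ROUTES = [("192.168.1.0/24", "eth0"), ("192.168.2.0/24", "eth2")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str


@dataclass(frozen=True)
class Rule:
    chain: str                    # "PREROUTING" or "POSTROUTING"
    target: str                   # "DNAT", "SNAT" or "MASQUERADE"
    src: str = "0.0.0.0/0"        # -s
    dst: str = "0.0.0.0/0"        # -d
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    to: Optional[str] = None      # --to-destination / --to-source


def route(dst: str) -> str:
    """Pick the output interface for a destination address."""
    for net, iface in ROUTES:
        if ip_address(dst) in ip_network(net):
            return iface
    return "ppp0"


def matches(rule: Rule, pkt: Packet, out_if: Optional[str] = None) -> bool:
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != out_if:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def forward(pkt: Packet, rules: List[Rule]) -> Tuple[str, str, str]:
    """Run a forwarded packet through nat PREROUTING, routing and nat
    POSTROUTING; first match wins in each chain, as in iptables.
    Returns (src, dst, out_if) as the next hop sees them."""
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and matches(r, pkt):
            pkt = replace(pkt, dst=r.to)   # destination rewritten before routing
            break
    out_if = route(pkt.dst)                # routing uses the translated destination
    for r in rules:
        if r.chain == "POSTROUTING" and matches(r, pkt, out_if):
            if r.target == "MASQUERADE":   # source becomes the output interface's address
                pkt = replace(pkt, src=IFACE_ADDR[out_if])
            elif r.target == "SNAT":
                pkt = replace(pkt, src=r.to)
            break
    return pkt.src, pkt.dst, out_if


# Mattia's ruleset as posted, in the order the script adds it.
ORIGINAL_RULES = [
    Rule("POSTROUTING", "MASQUERADE", src="192.168.1.0/24", out_if="ppp0"),
    Rule("POSTROUTING", "MASQUERADE", src="192.168.1.0/24", out_if="eth0"),
    Rule("POSTROUTING", "MASQUERADE", src="192.168.1.0/24", out_if="eth2"),
    Rule("POSTROUTING", "MASQUERADE", src="192.168.2.0/24", out_if="ppp0"),
    Rule("PREROUTING", "DNAT", dst=EXTERNAL_IP + "/32", to="192.168.2.99"),
]

# Jason's fix: keep MASQUERADE only on the public uplink.
FIXED_RULES = [r for r in ORIGINAL_RULES
               if not (r.target == "MASQUERADE" and r.out_if != "ppp0")]


def source_seen_by_server(rules: List[Rule], client: str, in_if: str) -> str:
    """Source address Apache on 192.168.2.99 logs for a client hitting EXTERNAL_IP."""
    src, dst, _ = forward(Packet(client, EXTERNAL_IP, in_if), rules)
    assert dst == "192.168.2.99", "DNAT to the DMZ host must still apply"
    return src


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, "ruleset: LAN client logged as",
              source_seen_by_server(rules, "192.168.1.10", "eth0"))
        print(name, "ruleset: Internet client logged as",
              source_seen_by_server(rules, "198.51.100.7", "ppp0"))
```

The model keeps the outbound MASQUERADE on ppp0, so LAN clients still reach the Internet as EXTERNAL_IP; only the hairpin path LAN to DMZ stops being source-translated, which is what lets the access log and any IP-based client authentication on the server see 192.168.1.x again.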