* Using iptables to anonymize incoming IP addresses
@ 2009-09-30 14:14 andy thomas
2009-09-30 14:45 ` Richard Horton
2009-09-30 18:38 ` Leonardo Rodrigues
0 siblings, 2 replies; 4+ messages in thread
From: andy thomas @ 2009-09-30 14:14 UTC (permalink / raw)
To: netfilter
I would like to set up a Linux router with two NICs, one connected to the
public Internet and the other NIC having the IP address 192.168.1.1
connected to a private 192.1.68.1.0/24 network. The routing would be
arranged so that all incoming packets from the public network with TCP
port 80 (ie, web traffic) are forwarded to a webserver on the private LAN
with IP address 192.168.1.2 - so far so good and this can be done with
DNAT.
But, I want all the packets received by the webserver to appear to be
coming from the address 192.168.1.1, not the external public IP address
they really came from, eg the apache logs will show all page requests as
coming from 192.168.1.1. Can this be done with iptables?
Andy
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Using iptables to anonymize incoming IP addresses
2009-09-30 14:14 Using iptables to anonymize incoming IP addresses andy thomas
@ 2009-09-30 14:45 ` Richard Horton
2009-09-30 18:38 ` Leonardo Rodrigues
1 sibling, 0 replies; 4+ messages in thread
From: Richard Horton @ 2009-09-30 14:45 UTC (permalink / raw)
To: andy; +Cc: netfilter
2009/9/30 andy thomas <tds@virt1.netstat-a.net>
[snip]
>
> But, I want all the packets received by the webserver to appear to be
> coming from the address 192.168.1.1, not the external public IP address
> they really came from, eg the apache logs will show all page requests as
> coming from 192.168.1.1. Can this be done with iptables?
Look at the SNAT target...
--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Using iptables to anonymize incoming IP addresses
2009-09-30 14:14 Using iptables to anonymize incoming IP addresses andy thomas
2009-09-30 14:45 ` Richard Horton
@ 2009-09-30 18:38 ` Leonardo Rodrigues
2009-10-01 15:37 ` andy thomas
1 sibling, 1 reply; 4+ messages in thread
From: Leonardo Rodrigues @ 2009-09-30 18:38 UTC (permalink / raw)
To: andy; +Cc: netfilter
andy thomas escreveu:
> But, I want all the packets received by the webserver to appear to be
> coming from the address 192.168.1.1, not the external public IP address
> they really came from, eg the apache logs will show all page requests as
> coming from 192.168.1.1. Can this be done with iptables?
>
sure !!! Pretty simple.
you'll need a DNAT rule for the 80 port forwarding
and you'll need a SNAT rule to, to make the firewall source-nat all
connections 'going' to your real webserver
192.168.1.1 = your firewall
192.168.1.200 = your real web server
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.1.200 -j
SNAT --to-source 192.168.1.1
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Using iptables to anonymize incoming IP addresses
2009-09-30 18:38 ` Leonardo Rodrigues
@ 2009-10-01 15:37 ` andy thomas
0 siblings, 0 replies; 4+ messages in thread
From: andy thomas @ 2009-10-01 15:37 UTC (permalink / raw)
To: Leonardo Rodrigues; +Cc: netfilter
On Wed, 30 Sep 2009, Leonardo Rodrigues wrote:
> andy thomas escreveu:
> > But, I want all the packets received by the webserver to appear to be
> > coming from the address 192.168.1.1, not the external public IP address
> > they really came from, eg the apache logs will show all page requests as
> > coming from 192.168.1.1. Can this be done with iptables?
> >
>
> sure !!! Pretty simple.
>
> you'll need a DNAT rule for the 80 port forwarding
>
> and you'll need a SNAT rule to, to make the firewall source-nat all
> connections 'going' to your real webserver
>
> 192.168.1.1 = your firewall
> 192.168.1.200 = your real web server
>
>
> iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.1.200 -j
> SNAT --to-source 192.168.1.1
Thanks, it works! I knew SNAT was the solution but couldn't get it to work
despite a lot of attempts with different options, etc. I'm now using the
following ruleset:
iptables -A INPUT -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 11.22.33.44 \
--dport 80 -j DNAT --to 192.168.1.2:80
iptables -t nat -A POSTROUTING -p tcp --dport 80 \
-d 192.168.1.2 -j SNAT --to-source 192.168.1.1
(11.22.33.44 is not my real external IP address ;-)
I suppose I ought to add the -o eth1 option to the last rule (the SNAT
rule) to make sure this traffic only goes out onto the internal network
but it's working very well as it is.
Thanks again,
cheers, Andy
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-10-01 15:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-30 14:14 Using iptables to anonymize incoming IP addresses andy thomas
2009-09-30 14:45 ` Richard Horton
2009-09-30 18:38 ` Leonardo Rodrigues
2009-10-01 15:37 ` andy thomas
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.