Linux Netfilter discussions
* Remote IP in packet sent from WAN to LAN
@ 2013-04-19  7:40 Piotr Pawłowski
From: Piotr Pawłowski @ 2013-04-19  7:40 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi All,

I have an iptables-based router which provides access to the Internet for servers in the LAN.
Question is: is it possible to somehow 'forward' the remote IP address through this router? I have a WWW server inside the LAN and would like to have reliable access logs. However, right now the only IP address visible in those logs is the router's.

Thank you in advance for information.

Best Regards
---
Piotr Pawłowski






* Re: Remote IP in packet sent from WAN to LAN
From: Humberto Jucá @ 2013-04-19 11:07 UTC (permalink / raw)
  To: Piotr Pawłowski, netfilter

As I understand it, your problem is the internal NAT.

Configure your firewall without doing SNAT or MASQUERADE for packets
destined to the internal server - you can use RETURN rules to do this,
for example.

But if you cannot avoid this, try something like this:
http://engi.neir.org/tips-tricks/fix-apache-proxy-logging/

2013/4/19 Piotr Pawłowski <piotr.pawlowski@goyello.com>:
> Hi All,
>
> I have an iptables-based router which provides access to the Internet for servers in the LAN.
> Question is: is it possible to somehow 'forward' the remote IP address through this router? I have a WWW server inside the LAN and would like to have reliable access logs. However, right now the only IP address visible in those logs is the router's.
>
> Thank you in advance for information.
>
> Best Regards
> ---
> Piotr Pawłowski

* Re: Remote IP in packet sent from WAN to LAN
From: Ambroz Bizjak @ 2013-04-19 11:13 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Do you mean that when an internal client connects to the external
address of the server (as forwarded by the router), the server sees
the router itself connecting?

I believe there is no direct solution to this; if the router were to
state the client's IP address as the source, the client would get the
replies from the server (directly over the LAN), *but* they would have
as their source address the internal address of the server, so the client
would discard them (because it expects them to arrive from the external
address).

A workaround is to set up DNS so that the domain name of the server
resolves to the internal address for clients on the LAN.

On Fri, Apr 19, 2013 at 9:40 AM, Piotr Pawłowski
<piotr.pawlowski@goyello.com> wrote:
> Hi All,
>
> I have an iptables-based router which provides access to the Internet for servers in the LAN.
> Question is: is it possible to somehow 'forward' the remote IP address through this router? I have a WWW server inside the LAN and would like to have reliable access logs. However, right now the only IP address visible in those logs is the router's.
>
> Thank you in advance for information.
>
> Best Regards
> ---
> Piotr Pawłowski

* RE: Remote IP in packet sent from WAN to LAN
From: Piotr Pawłowski @ 2013-04-19 12:50 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Not exactly.
On the iptables-based router there is port forwarding to services running on servers inside the LAN. I.e. the WWW server is running on 192.168.1.2:80; in iptables I have port forwarding (nat/prerouting) from the external IP (2.3.4.5:80) to 192.168.1.2:80. Now on 192.168.1.2, in the WWW access logs, I see the internal IP of the router instead of the remote IP of the client which requested 2.3.4.5:80 in the browser.

Best regards
---
Piotr Pawłowski


* Re: Remote IP in packet sent from WAN to LAN
From: Ambroz Bizjak @ 2013-04-19 13:03 UTC (permalink / raw)
  To: Piotr Pawłowski; +Cc: netfilter@vger.kernel.org

I think the only way this can happen is if you accidentally did SNAT.
Is there a SNAT (or MASQUERADE) rule somewhere? Make sure it only
applies to packets going *out* into the Internet.

On Fri, Apr 19, 2013 at 2:50 PM, Piotr Pawłowski
<piotr.pawlowski@goyello.com> wrote:
> Not exactly.
> On the iptables-based router there is port forwarding to services running on servers inside the LAN. I.e. the WWW server is running on 192.168.1.2:80; in iptables I have port forwarding (nat/prerouting) from the external IP (2.3.4.5:80) to 192.168.1.2:80. Now on 192.168.1.2, in the WWW access logs, I see the internal IP of the router instead of the remote IP of the client which requested 2.3.4.5:80 in the browser.
>
> Best regards
> ---
> Piotr Pawłowski

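Humberto's advice above (keep SNAT/MASQUERADE away from packets destined for the internal server) and Ambroz's (make sure it only applies to packets going *out* into the Internet) come down to the same rule set. What follows is an added example written for this page, not code posted by anyone in the thread: a POSIX shell script that prints a port-forward rule set whose source NAT is restricted to the WAN interface, plus an audit function that reads an `iptables-save -t nat` dump and flags any POSTROUTING SNAT/MASQUERADE rule that is not so restricted. The interface names (eth0 WAN, eth1 LAN), the router's LAN address 192.168.1.1 and both dumps are assumptions constructed for the example; 2.3.4.5 and 192.168.1.2 are the addresses Piotr gave.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology: WAN interface eth0
# carries the public address 2.3.4.5, LAN interface eth1 is 192.168.1.0/24
# with the router at 192.168.1.1, and the web server is 192.168.1.2.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
PUBLIC_IP=2.3.4.5
WEB=192.168.1.2

# Rule set for the port forward. The "-o $WAN_IF" on the MASQUERADE rule is
# what keeps the Internet client's source address intact on the LAN leg:
# DNATed packets leave through $LAN_IF, so they never match it.
print_nat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB:80
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# audit_snat WAN_IF: read an "iptables-save -t nat" dump on stdin and print
# every POSTROUTING SNAT/MASQUERADE rule that is not limited to the WAN
# interface. Such a rule also rewrites the source of DNATed connections on
# their way to the LAN server, which is the symptom described in the thread.
# Exit status 0 when clean, 1 when at least one such rule was found.
audit_snat() {
  wan=$1
  bad=0
  while IFS= read -r line; do
    case $line in
      "-A POSTROUTING "*) ;;
      *) continue ;;
    esac
    case $line in
      *"-j MASQUERADE"*|*"-j SNAT "*) ;;
      *) continue ;;
    esac
    case " $line " in
      *" -o $wan "*) continue ;;
    esac
    printf 'source NAT not limited to %s: %s\n' "$wan" "$line"
    bad=1
  done
  return $bad
}

# Constructed dumps (not taken from any real router). BAD_DUMP has the
# catch-all MASQUERADE that produces the symptom; GOOD_DUMP restricts it.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2.3.4.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
-A POSTROUTING -j MASQUERADE
COMMIT'
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2.3.4.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

echo '# rules to load on the router:'
print_nat_rules
echo '# audit of the constructed bad dump:'
if printf '%s\n' "$BAD_DUMP" | audit_snat eth0; then echo 'clean'; fi
```

On the real router, source the script and run `iptables-save -t nat | audit_snat eth0`. The audit deliberately insists on the output-interface match rather than a source match: `-s 192.168.1.0/24 -j MASQUERADE` alone does not touch connections arriving from the Internet, but it does rewrite a LAN client that reaches the server through the public address, which is the hairpin case Ambroz describes in his first reply.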

* Re: Remote IP in packet sent from WAN to LAN
From: Vigneswaran R @ 2013-04-23  4:41 UTC (permalink / raw)
  To: netfilter@vger.kernel.org; +Cc: piotr.pawlowski

On 04/19/2013 06:20 PM, Piotr Pawłowski wrote:
> Not exactly.
> On the iptables-based router there is port forwarding to services running on servers inside the LAN. I.e. the WWW server is running on 192.168.1.2:80; in iptables I have port forwarding (nat/prerouting) from the external IP (2.3.4.5:80) to 192.168.1.2:80. Now on 192.168.1.2, in the WWW access logs, I see the internal IP of the router instead of the remote IP of the client which requested 2.3.4.5:80 in the browser.

1. Instead of using iptables-based port forwarding (DNAT), if you use 
some reverse proxy (e.g., apache) on the router, I think you can log the 
actual client IP by following the instructions at the URL below (taken 
from Humberto Jucá's mail).

http://engi.neir.org/tips-tricks/fix-apache-proxy-logging/

2. Otherwise, you can LOG the packet on the router before doing DNAT. 
Then the router log and the webserver log together can make some sense 
(provided that the servers are time synchronized).


Regards,
Vignesh
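
Both of Vignesh's options leave the operator with a correlation or trust problem that the message does not spell out. The script below is an added example written for this page, not code from the thread or from the linked article. For option 2 it prints a LOG rule placed in mangle PREROUTING (which runs before nat PREROUTING, so both the original destination and the client source are still visible) and a function that looks up the client behind a given source port in the router's log; for option 1 it shows how a backend should evaluate X-Forwarded-For, trusting the header only when the request came from a known proxy. The interface name eth0, the proxy address 192.168.1.1, the log prefix WEBFWD and all log lines are assumptions constructed for the example; 2.3.4.5 and 192.168.1.2 are from Piotr's description.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the router's WAN interface is
# eth0, the public address is 2.3.4.5, the reverse proxy (option 1) runs on
# the router's LAN address 192.168.1.1 and the web server is 192.168.1.2.

# Option 2: log each new connection to the forwarded port in mangle
# PREROUTING, which runs before nat PREROUTING, so DST is still 2.3.4.5 and
# SRC is still the real client.
print_log_rule() {
  echo 'iptables -t mangle -A PREROUTING -i eth0 -d 2.3.4.5 -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix "WEBFWD: " --log-level info'
}

# Constructed kernel log lines in the LOG target's format. The third line
# has the same source port but a different prefix and must be ignored.
ROUTER_LOG='Apr 19 09:40:12 router kernel: WEBFWD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=2.3.4.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 19 09:40:15 router kernel: WEBFWD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=2.3.4.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 09:41:02 router kernel: SSH: IN=eth0 OUT= SRC=192.0.2.44 DST=2.3.4.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0'

# client_for_port SPT: read router log lines on stdin, print the SRC of the
# most recent WEBFWD entry with source port SPT, exit 1 if none. This works
# because MASQUERADE/SNAT keep the original source port when it is free on
# the router, so the port the web server logs (Apache "%{remote}p", nginx
# "$remote_port") is normally the one the client used.
client_for_port() {
  want=$1
  found=
  while IFS= read -r line; do
    case $line in
      *" WEBFWD: "*) ;;
      *) continue ;;
    esac
    src=
    spt=
    for tok in $line; do
      case $tok in
        SRC=*) src=${tok#SRC=} ;;
        SPT=*) spt=${tok#SPT=} ;;
      esac
    done
    if [ "$spt" = "$want" ]; then found=$src; fi
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Option 1: a reverse proxy on the router can add X-Forwarded-For, but the
# backend must only believe the header on requests that arrived from the
# proxy; anyone can send a forged one. client_from_xff REMOTE XFF TRUSTED...
# walks the list from the right, skips our own proxies and prints the first
# other address, falling back to REMOTE when the header cannot be trusted.
client_from_xff() {
  remote=$1
  xff=$2
  shift 2
  trusted=" $* "
  case $trusted in
    *" $remote "*) ;;
    *) printf '%s\n' "$remote"; return ;;
  esac
  rev=
  oldifs=$IFS
  IFS=,
  for hop in $xff; do
    hop=$(printf '%s' "$hop" | tr -d ' ')
    rev="$hop $rev"
  done
  IFS=$oldifs
  for hop in $rev; do
    case $trusted in
      *" $hop "*) continue ;;
    esac
    printf '%s\n' "$hop"
    return
  done
  printf '%s\n' "$remote"
}

print_log_rule
printf '%s\n' "$ROUTER_LOG" | client_for_port 51234
client_from_xff 192.168.1.1 '198.51.100.9, 203.0.113.7' 192.168.1.1
```

The port lookup is only as good as the port-preservation behaviour it relies on: when the client's port is already in use on the router, SNAT picks another one and the join by port silently breaks, so the timestamp from the synchronized clocks should still be checked against the web log. For X-Forwarded-For, the web server's own remote address must be in the trusted list before any hop in the header is believed; a request that bypasses the proxy and carries a forged header gets its real remote address back, as the last call in the script shows for the forged case in the test.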

