Re: DNAT and IP's

From: Anders Larsen (a.larsen@identecsolutions.de)
Date: 05/08/02


From: Anders Larsen <a.larsen@identecsolutions.de>
Date: Wed, 08 May 2002 13:18:48 +0200

TGGA wrote:

> I've read through everything I can and haven't seen anything on this. If I
> allow services through my external linux box (my eth0 is 192.168.1.2), say
> incoming from ippp0 on port 80 and pass them to 192.168.1.3 (my internal
> linux server running apache) as in:-
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t nat -A PREROUTING -p tcp -i ippp0 --dport 80 -j DNAT --to-destination 192.168.1.3:80
>
> The above line does push people to my internal webserver. What I don't see,
> on 192.168.1.3, is the "real" ip address of people coming in. I see
> 192.168.1.2, that being the eth0 address of my external linux box. My
> question is, is there any way to see their real ip address, or have I missed
> something, done something wrong? (I perhaps should also mention that I use
> this linux box as my way out)

If you have set up the default route on 192.168.1.3 to point to
192.168.1.2 you don't need any kind of NAT on eth0, so
remove the line
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
then you'll see the original IP address.

(BTW, that line was incorrect for another reason - you shouldn't use "-j
MASQUERADE" on an interface with a fixed IP address (like your eth0);
use "-j SNAT --to-source 192.168.1.2" instead)

HTH
Cheers
  Anders
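As an added illustration (not part of the thread), a small POSIX sh script that audits an `iptables-save` nat-table dump for the mistake discussed above (source NAT on the LAN interface, which replaces every client address with 192.168.1.2) and prints the corrected ruleset. The interface names and addresses are the ones from the post; the dump embedded below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and
# addresses are taken from the post; SAMPLE is a constructed dump.
LAN_IF="eth0"; LAN_IP="192.168.1.2"; WAN_IF="ippp0"; WEB="192.168.1.3"

# Constructed `iptables-save -t nat` output for the original ruleset.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ippp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80
-A POSTROUTING -o ippp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Reads a nat-table dump on stdin and prints every POSTROUTING rule that
# rewrites the source address of packets leaving via the LAN interface.
# Both MASQUERADE and SNAT do that, so both are flagged.
audit_nat_rules() {
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-o $LAN_IF "*"-j MASQUERADE"* | \
            "-A POSTROUTING "*"-o $LAN_IF "*"-j SNAT"*)
                printf 'hides client IP from %s: %s\n' "$WEB" "$line" ;;
        esac
    done
}

# Prints the corrected rules: DNAT on the dial-up side, MASQUERADE only on
# the dynamic-address interface, nothing on the LAN side. Assumes the web
# server's default route points at $LAN_IP so replies return through this
# box; otherwise the DNAT'ed connections break.
corrected_rules() {
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' "$WAN_IF" "$WEB"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    # Only if source NAT on the LAN side is really needed: eth0 has a
    # fixed address, so SNAT is the right target there, not MASQUERADE.
    printf '# iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$LAN_IF" "$LAN_IP"
}

printf '%s\n' "$SAMPLE" | audit_nat_rules
corrected_rules
```

Running the script prints one finding for the `-o eth0 -j MASQUERADE` rule and then the three commands that make up the corrected ruleset.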