Re: NAT issue with iptable

crowl_at_gmx.de
Date: 06/22/05


Date: 22 Jun 2005 05:32:37 -0700


> > I am using iptables for nat.
> > iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE
> > iptables -A INPUT -i $IFACE_EXT -s $myPublicIP -j ACCEPT
>
>
> You accept packets from external machines pretending to be your ext-IP?
> Why? Who is sending them?

Sorry for the confusion. In fact $myPublicIP is the IP range provided
by our ISP. $IFACE_EXT is eth0 and is bound to two IP addresses: one IP
from $myPublicIP and one from our private IP range 192.168.x.x.
$IFACE_EXT is in our DMZ. The machine also has a second NIC which is
connected to our intranet, protected by iptables. In the $myPublicIP
range there are two machines we need for testing purposes; therefore we
have this second rule. I know I have to be more specific with this rule,
but this adjustment was a quick hack for testing purposes during setup
of the DMZ. I think we can neglect the second rule, because it is not
important for the original issue, isn't it? Once again, sorry for the
confusion.

> > iptables -t nat -A PREROUTING -i $IFACE_EXT -p tcp -d $myPublicIP
> > --dport 443 -j DNAT --to-destination $myInternalWebserver
>
>
> > Issue: In the web server logs I get only the ip of myPublicIP. It seems
> > that nat rewrite the original ip address. The original ip of the client
> > is very important for the running web server application.
>
> > How can I avoid the rewrite of the original ip address?
>
> Run tcpdump on all NICs, You would see this if you were using the
> external NIC to talk to the "$myInternalWebserver" and using the MASQ.

I am a little bit confused about that. I have run tcpdump and see the
IP from the external client. I am not familiar with tcpdump; maybe I
overlooked something. But how can tcpdump help me solve my issue
(seeing the IP address of the client in the logs of the web server and
in the running applications instead of the IP of the machine itself)?
Or should tcpdump give me a clue to find the right way?

>
> > Thanks for your help.
>
> Not much help, I don't understand the 2nd rule. But you should just
> trace this all out, and display the overall packet flow to understand
> what's happening.

Thanks for your assistance.

cl
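As an added illustration (my own model, not code from the thread), the script below walks one HTTPS packet through the nat rules quoted above in the order netfilter applies them: PREROUTING DNAT, the routing decision, then POSTROUTING MASQUERADE. Interface names, addresses, the DMZ/intranet subnets and the narrower "fixed" MASQUERADE rule are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a model of how the nat rules quoted above
# treat one HTTPS packet, showing why the web server logs the firewall's own
# address. All addresses are constructed placeholders for the thread's variables.
IFACE_EXT=eth0            # $IFACE_EXT: holds a public and a 192.168.x.x address
IFACE_INT=eth1            # second NIC towards the intranet
PUBLIC_IP=203.0.113.10    # stands in for $myPublicIP
WEBSERVER=192.168.1.20    # stands in for $myInternalWebserver, in the DMZ on eth0
FW_DMZ_IP=192.168.1.1     # the firewall's own 192.168.x.x address on eth0

# Routing decision: the DMZ (192.168.1.x) is reached via eth0, the intranet
# (192.168.2.x) via eth1, everything else goes out eth0 to the ISP.
route_iface() {
  case "$1" in
    192.168.1.*) echo "$IFACE_EXT" ;;
    192.168.2.*) echo "$IFACE_INT" ;;
    *)           echo "$IFACE_EXT" ;;
  esac
}

is_private() { case "$1" in 192.168.*) return 0 ;; *) return 1 ;; esac; }

# walk IN_IFACE SRC DST DPORT RULESET -> prints "src dst" as the receiver sees them.
# RULESET "page" is the thread's POSTROUTING rule; "fixed" masquerades only
# private sources whose destination lies outside the private range.
walk() {
  iif=$1 src=$2 dst=$3 dport=$4 ruleset=$5
  # PREROUTING: -i $IFACE_EXT -p tcp -d $myPublicIP --dport 443 -j DNAT
  if [ "$iif" = "$IFACE_EXT" ] && [ "$dst" = "$PUBLIC_IP" ] && [ "$dport" = 443 ]; then
    dst=$WEBSERVER
  fi
  oif=$(route_iface "$dst")
  # POSTROUTING, evaluated after the routing decision has picked $oif
  case $ruleset in
    page)   # -o $IFACE_EXT -j MASQUERADE: the DNATed packet leaves on eth0 too,
            # so its source becomes one of the firewall's own eth0 addresses
      if [ "$oif" = "$IFACE_EXT" ]; then src=$FW_DMZ_IP; fi ;;
    fixed)  # -o $IFACE_EXT -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE
      if [ "$oif" = "$IFACE_EXT" ] && is_private "$src" && ! is_private "$dst"; then
        src=$PUBLIC_IP
      fi ;;
  esac
  echo "$src $dst"
}

echo "page:  $(walk eth0 198.51.100.7 "$PUBLIC_IP" 443 page)"    # firewall address logged
echo "fixed: $(walk eth0 198.51.100.7 "$PUBLIC_IP" 443 fixed)"   # client address preserved
echo "lan:   $(walk eth1 192.168.2.5 93.184.216.34 80 fixed)"    # intranet host still masqueraded
```

On the real box the same question is answered by running tcpdump on each NIC, as suggested above, or by watching the per-rule counters with `iptables -t nat -L -v -n` while a client connects.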


