> > WebServer ( Problem is here, I'm getting firewall's ip 192.168.1.x in
> > apache's access log entry for all incoming requests to webserver whereas
> > I wanted visitors' real ip)
> Are all the visitors for the webserver from the local LAN or from
> outside also? What is the IP address used by the visitors from the
> local LAN to access the web server?

-----------------<snip>-----------------

> Now assuming that the web server is accessed using the Public IP A.B.C.D
> which is assigned to one of the external interfaces on your firewall box
> and you have an external visitor. In such a case, the incoming requests
> will first hit your firewall box on the interface having the address
> A.B.C.D and then DNAT rules will send them to Gateway / Proxy Server and
> then the requests should get forwarded to the web server. In such a
> case, the access log will record the visitor's IP address as the real IP
> address unless and until you have SNAT happening at the firewall box
> where source IP address is changed to 192.168.1.x, so you need to check
> the firewall rules there. Can you send the output of
>
> iptables -L
> iptables -t nat -L
>
> at both the gateways?
>
> The same logic will apply when an internal visitor tries to access the
> web server using the public IP A.B.C.D.

All the visitors are from both the LAN and outside the LAN. All visitors
visit my webserver as http://www.mydomain.com and for all visitors the ip
is always logged in apache as 192.168.1.x. I'm not using any SNAT rules on
either the firewall or the gateway, only DNAT.

On Firewall,

    iptables -A PREROUTING -t nat -j DNAT -p tcp -d MYPUBLIC_IP --dport 80 --to 192.168.1.w:80

On Gateway/ProxyServer

    iptables -A PREROUTING -t nat -j DNAT -p tcp -d 192.168.1.w --dport 80 --to 192.168.2.w:80

Thanks and Regards,
Abhiram

_______________________________________________
ilugd mailinglist -- [email protected]
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/[email protected]/
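
The check the quoted reply asks for (looking through the nat table on each box for a rule that rewrites the source address) can be scripted. This is an added example, not part of the original thread: it reads a rule dump in `iptables-save` format, and the function names, sample rule sets, addresses and the `eth1` interface are constructed for illustration.

```shell
#!/bin/sh
# Added example: list nat-table rules that rewrite the source address.
# Input on stdin is text in iptables-save format, e.g. from: iptables-save -t nat

find_source_rewrites() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # a "*nat" line opens a table section
        table != "nat" { next }                 # only the nat table can SNAT
        $1 == "-A" {
            for (i = 3; i < NF; i++) {
                # SNAT and MASQUERADE both replace the client address
                if (($i == "-j" || $i == "--jump") &&
                    ($(i + 1) == "SNAT" || $(i + 1) == "MASQUERADE")) {
                    print $2 ": " $0            # chain name, then the full rule
                    break
                }
            }
        }
    '
}

# Constructed sample: DNAT only, the setup described in the message above.
sample_dnat_only_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
EOF
}

# Constructed sample: the same box with a masquerade rule also loaded.
sample_masq_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
EOF
}

echo "DNAT-only sample:";  sample_dnat_only_rules | find_source_rewrites
echo "Masquerade sample:"; sample_masq_rules | find_source_rewrites
```

Empty output means no rule in that dump rewrites the source address; on a live box the input would come from `iptables-save -t nat`, run on both the firewall and the gateway.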
