> > WebServer (Problem is here: I'm getting the firewall's IP 192.168.1.x in
> > Apache's access log entry for all incoming requests to the webserver, whereas
> > I wanted the visitors' real IP)

> Are all the visitors for the webserver from the local LAN or from
> outside also? What is the IP address used by the visitors from the
> local LAN to access the web server?
-----------------<snip>-----------------
> Now assuming that the web server is accessed using the Public IP A.B.C.D
> which is assigned to one of the external interfaces on your firewall box
> and you have an external visitor. In such a case, the incoming requests
> will first hit your firewall box on the interface having the address
> A.B.C.D and then DNAT rules will send them to Gateway / Proxy Server and
> then the requests should get forwarded to the web server. In such a
> case, the access log will record the visitor's IP address as the real IP
> address unless and until you have SNAT happening at the firewall box
> where the source IP address is changed to 192.168.1.x, so you need to check
> the firewall rules there. Can you send the output of
>
> iptables -L
> iptables -t nat -L
>
> at both the gateways?
>
> The same logic will apply when an internal visitor tries to access the
> web server using the public IP A.B.C.D.

All the visitors are from both the LAN and outside the LAN. All visitors visit my
webserver as http://www.mydomain.com, and for all visitors the IP logged in Apache
is always 192.168.1.x. I'm not using any SNAT rules on either the firewall or the
gateway, only DNAT.

On Firewall,
iptables -A PREROUTING -t nat -j DNAT -p tcp -d MYPUBLIC_IP --dport 80 \
  --to 192.168.1.w:80

On Gateway/ProxyServer
iptables -A PREROUTING -t nat -j DNAT -p tcp -d 192.168.1.w --dport 80 \
  --to 192.168.2.w:80

Thanks and Regards,
Abhiram

_______________________________________________
ilugd mailinglist -- [email protected]
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi 
http://www.mail-archive.com/[email protected]/
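The reply above says the visitor's address survives DNAT unless something on the path also does SNAT, and asks for the nat tables of both boxes to confirm that. The script below is an added example, not code posted by Abhiram or the reply author: it runs that check over an `iptables-save -t nat` style dump, flagging POSTROUTING rules that jump to SNAT or MASQUERADE (MASQUERADE is SNAT to the outgoing interface's address, so it rewrites the source just the same) and, optionally, only those that apply to the interface facing the web server. The two dumps, the interface names `eth1` and `ppp0`, and the addresses 192.168.1.10, 192.168.2.10 and 203.0.113.5 are constructed for illustration and stand in for the thread's 192.168.1.w, 192.168.2.w and MYPUBLIC_IP.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts. It does the
# check the reply asks for: scan an `iptables-save -t nat` dump for POSTROUTING
# rules whose target is SNAT or MASQUERADE, because either one replaces the
# client address that Apache would otherwise log. Dumps, interface names and
# addresses below are constructed for illustration.

# Constructed dump for the Gateway/ProxyServer box (192.168.1.10 on the
# firewall side, eth1 facing the 192.168.2.0/24 web server segment). The
# MASQUERADE on eth1 is the kind of rule that turns every client into
# 192.168.1.10 from the web server's point of view.
GATEWAY_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.10:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Constructed dump for the Firewall box: DNAT inbound, MASQUERADE only on the
# Internet-facing ppp0, which does not touch traffic heading inward on eth1.
FIREWALL_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# find_source_rewrites DUMP [IFACE]
# Prints every POSTROUTING rule in DUMP that jumps to SNAT or MASQUERADE and
# is either not restricted by output interface or restricted to IFACE (the
# interface that faces the web server). Exit status 0 if any were found,
# 1 if none.
find_source_rewrites() {
    printf '%s\n' "$1" | awk -v iface="${2:-}" '
        /^-A POSTROUTING / {
            target = ""; out = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-o" || $i == "--out-interface") out = $(i + 1)
            }
            if ((target == "SNAT" || target == "MASQUERADE") &&
                (out == "" || iface == "" || out == iface)) {
                print
                found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# count_source_rewrites DUMP [IFACE]: same check, prints the number of hits.
count_source_rewrites() {
    find_source_rewrites "$1" "${2:-}" | wc -l | tr -d ' '
}

# Stand-alone run over the two constructed dumps.
for box in GATEWAY FIREWALL; do
    eval "dump=\$${box}_NAT_DUMP"
    printf '%s (interface toward web server: eth1):\n' "$box"
    if find_source_rewrites "$dump" eth1; then
        printf '  -> source address IS rewritten before it reaches the web server\n'
    else
        printf '  -> no source rewrite found for that interface\n'
    fi
done
```

On a real box the same function runs over the live table with `find_source_rewrites "$(iptables-save -t nat)" eth1`, substituting the interface that points at the web server; run it on both the firewall and the gateway, as the reply suggests. One caveat beyond what the thread states: if the box called "Proxy Server" is actually terminating HTTP itself (an application-layer proxy) rather than forwarding packets, the web server will see that proxy's own address no matter what the nat table says, and the nat check above will come back clean.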
