On Fri, 2003-05-23 at 22:29, Richard Whittaker wrote:
> Greetings:
>
> We have a webserver living in a DMZ, and I have the following rule
> setup to allow this:
>
> /usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp -d 199.85.228.1
> --dport 80 -j DNAT --to 192.168.70.3:80
>
> Unfortunately, the web server only sees the IP address of the
> interface, not the source IP address, which kinda messes with our
> statistical programs, since the only address the web server "sees" is
> the same one over, and over... Is there any way to present the web
> server with the "real" address, or should it be already?....

Apparently you have an unqualified SNAT rule lying around, since DNAT
only changes the destination address.
Look for your SNAT rules and tie them to the external interface:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 199.85.228.1

Cheers,

Ralf

>
> Thanks,
> Richard...
>
>
> Richard Whittaker, CISSP
> System Manager
> NorthwesTel Inc.
> Whitehorse, YK
> (867) 393-7756
>
--
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server
http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
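
Added example, not part of the original thread: one way to carry out the "look for your SNAT rules" step is to scan iptables-save output for nat POSTROUTING rules that jump to SNAT or MASQUERADE without an outgoing-interface match. The function names and the sample ruleset are constructed for illustration; only the addresses and interface name come from the messages above.

```shell
#!/bin/sh
# Flag nat POSTROUTING rules that rewrite the source address without being
# tied to an outgoing interface (-o / --out-interface).
# Input: text in iptables-save format on stdin.
find_unqualified_snat() {
    awk '
        /^\*/ { table = substr($1, 2); next }    # table header: "*nat", "*filter"
        table != "nat" { next }                   # only the nat table matters here
        $1 != "-A" || $2 != "POSTROUTING" { next }
        {
            target = ""; has_out = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" || $i == "--jump") target = $(i + 1)
                if ($i == "-o" || $i == "--out-interface") has_out = 1
            }
            # Source NAT with no -o applies to every forwarded packet,
            # including DNATed traffic heading into the DMZ.
            if ((target == "SNAT" || target == "MASQUERADE") && !has_out)
                print
        }
    '
}

# Constructed sample ruleset (an assumption about what such a box might hold).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 199.85.228.1 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.70.3:80
-A POSTROUTING -j SNAT --to-source 199.85.228.1
-A POSTROUTING -o eth1 -j SNAT --to-source 199.85.228.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.70.3 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# On a live system (as root): iptables-save -t nat | find_unqualified_snat
sample_ruleset | find_unqualified_snat
```

Each line printed is a rule to delete or re-add with -o on the external interface, as in the reply above.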