Re: NetFilter DMZ question...

On Fri, 2003-05-23 at 22:29, Richard Whittaker wrote:
> Greetings:
> 
> We have a webserver living in a DMZ, and I have the following rule
> set up to allow this:
> 
> /usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp -d 199.85.228.1
> --dport 80 -j DNAT --to 192.168.70.3:80
> 
> Unfortunately, the web server only sees the IP address of the
> interface, not the source IP address, which kinda messes with our
> statistical programs, since the only address the web server "sees" is
> the same one over, and over... Is there any way to present the web
> server with the "real" address, or should it be already?....
Apparently you have an unqualified SNAT rule lying around, since DNAT
only changes the destination address. Look for your SNAT rules and tie
them to the external interface:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 199.85.228.1

Cheers,

Ralf
> 
> Thanks,
> Richard...
> 
> 
> Richard Whittaker, CISSP
> System Manager
> NorthwesTel Inc.
> Whitehorse, YK
> (867) 393-7756
> 
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                    http://honeynet.spenneberg.org
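
The effect Ralf describes, as an added illustration (not code from either mail or from the netfilter project): a toy model of the nat table traversal, where PREROUTING (DNAT) runs before the routing decision and POSTROUTING (SNAT) after it, so an SNAT rule without an outgoing-interface match also rewrites the source of DNATed packets headed for the DMZ. The DMZ interface name eth0, the routing prefixes and the client address 203.0.113.7 are constructed for the example; ports and connection tracking are not modelled.

```python
"""Toy model of netfilter nat-table traversal (example code, not netfilter's).
Assumptions: eth1 is the Internet side, eth0 (constructed) leads to the DMZ/LAN."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str          # interface the packet arrived on
    out_if: str = ""    # filled in by the routing decision


# Constructed routing table: destination prefix -> egress interface.
ROUTES = {"192.168.70.": "eth0"}   # DMZ network behind eth0
DEFAULT_IF = "eth1"                # everything else goes out to the Internet


def route(pkt: Packet) -> Packet:
    """Routing decision: pick the egress interface from the (post-DNAT) destination."""
    for prefix, ifname in ROUTES.items():
        if pkt.dst.startswith(prefix):
            return replace(pkt, out_if=ifname)
    return replace(pkt, out_if=DEFAULT_IF)


def dnat_prerouting(pkt: Packet) -> Packet:
    """The rule from the question:
    -A PREROUTING -t nat -i eth1 -p tcp -d 199.85.228.1 --dport 80 -j DNAT --to 192.168.70.3:80"""
    if pkt.in_if == "eth1" and pkt.dst == "199.85.228.1" and pkt.dport == 80:
        return replace(pkt, dst="192.168.70.3")
    return pkt


def snat_postrouting(pkt: Packet, out_if_match: Optional[str]) -> Packet:
    """-A POSTROUTING -t nat [-o <out_if_match>] -j SNAT --to 199.85.228.1
    out_if_match=None models the unqualified rule that matches every outgoing packet."""
    if out_if_match is None or pkt.out_if == out_if_match:
        return replace(pkt, src="199.85.228.1")
    return pkt


def deliver(pkt: Packet, snat_out_if: Optional[str]) -> Packet:
    """Order matters: PREROUTING (DNAT) -> routing decision -> POSTROUTING (SNAT)."""
    return snat_postrouting(route(dnat_prerouting(pkt)), snat_out_if)


if __name__ == "__main__":
    client = Packet(src="203.0.113.7", dst="199.85.228.1", dport=80, in_if="eth1")  # constructed
    print(deliver(client, None).src)    # unqualified SNAT: web server sees 199.85.228.1
    print(deliver(client, "eth1").src)  # SNAT tied to -o eth1: web server sees 203.0.113.7
```

With the `-o eth1` qualifier, traffic leaving the DMZ towards the Internet is still source-NATed to 199.85.228.1, so the fix restricts the rule rather than dropping it.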