Hi Dominic,

> Simply put, is there a way to do port forwarding without having the
> source address modified?

Yes, the DNAT target by itself does NOT modify the source address.

> Here is the problem: I'm using the following rules to forward port 80
> traffic to an HTTP server behind a firewall:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d 66.45.170.200 -j DNAT
> --to-destination 192.168.1.200:80
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.200 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> The port forwarding works just fine, but all log entries on the HTTP
> server show the same source address, which is the local address of the
> firewall (192.168.1.4). I'd like the logs to show the real IP address of
> the client from which the connection originates.

Since you don't list your POSTROUTING rules, I cannot be sure, but I
suspect that you have another rule, maybe MASQUERADE or SNAT, which is
affecting your inbound traffic when you don't want it to. For example,
maybe you have a rule to MASQUERADE everything in your POSTROUTING chain,
and this is masquerading incoming as well as outgoing traffic.

Cheers, Chris.

--
  ___ __         _      |
 / __// / ,__(_)_       | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \      | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/      | 21 Signet Court, Cambridge, UK. 01223 576516 |
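As an added illustration of the diagnosis in the reply above (example code, not from the mail thread): a catch-all MASQUERADE in POSTROUTING rewrites the source of the DNATed inbound connections as well as of outbound LAN traffic, while a MASQUERADE scoped to the LAN source range and the Internet-facing interface leaves the forwarded connections alone. The rule text is constructed in `iptables-save` format; the LAN range 192.168.1.0/24 and the interface name eth0 are assumptions.

```shell
# Constructed sample of `iptables-save -t nat` output: the PREROUTING DNAT
# from the thread plus an unscoped MASQUERADE, which is the suspected cause.
SAMPLE_NAT_RULES='*nat
-A PREROUTING -d 66.45.170.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
-A POSTROUTING -j MASQUERADE
COMMIT'

# The same ruleset with the MASQUERADE restricted to traffic that really
# leaves the LAN towards the Internet (assumed: LAN 192.168.1.0/24, WAN eth0).
# Inbound connections forwarded to 192.168.1.200 have an Internet source and
# leave on the LAN interface, so they no longer match and keep their source.
FIXED_NAT_RULES='*nat
-A PREROUTING -d 66.45.170.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Print every POSTROUTING SNAT/MASQUERADE rule that carries neither a source
# restriction (-s) nor an output-interface restriction (-o). Such a rule also
# rewrites the source of DNATed inbound traffic, hiding the client address
# from the web server's logs.
overbroad_nat_rules() {
    printf '%s\n' "$1" |
    grep -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' |
    grep -E -v -- '(^| )-(s|o) '
}

# Number of such rules; 0 means the POSTROUTING chain is scoped properly.
count_overbroad_nat_rules() {
    overbroad_nat_rules "$1" | grep -c . || true
}

# Stand-alone usage: compare the suspected ruleset with the corrected one.
printf 'suspected ruleset: %s overbroad NAT rule(s)\n' \
    "$(count_overbroad_nat_rules "$SAMPLE_NAT_RULES")"
printf 'corrected ruleset: %s overbroad NAT rule(s)\n' \
    "$(count_overbroad_nat_rules "$FIXED_NAT_RULES")"
```

Running the check against the live `iptables-save -t nat` output is the quick way to confirm whether the firewall in the thread has such a rule.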