DMZ issue - redirect works as expected but behaviour not desired

I'm setting up a box that will be the only device on the Internet and will forward requested services to other servers sitting on a DMZ.

As a test I started with redirecting a web server.

To test my arrangement I first merely set up a simple masquerade (just on my internal network) in my iptables like so:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15
-A POSTROUTING -j MASQUERADE
*filter
...normal filtering lines follow.

This POSTROUTING entry works as well:

-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.40.15

I think this is because the above line is doing the same as the shortcut MASQUERADE.

When I check the httpd access_log it shows that the connection came from 192.168.40.15 as expected.  It works.

However, I need the logs to show the actual originating IP address for tracking purposes, statistics, etc.  Basically as I move forward we will need our logs to show connections from the actual IP address so I assume NAT'ing is out and I'm just barking up the wrong tree here.

Is there a way to do this?

Am I just totally confused and should be using a squid proxy or some such thing instead of iptables - both?

Any assistance in pointing me in the right direction would be greatly appreciated.

Nicholas


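As an added example (not part of Nicholas's post or the netfilter project): a small Python check that reads iptables-save text and flags any POSTROUTING MASQUERADE/SNAT rule that is not pinned to the Internet-facing interface, since an unrestricted one also rewrites the source of the DNAT'ed packets before they reach the DMZ server. It assumes eth0 is the Internet side, as in the post; FIXED_NAT shows the restricted form that leaves the client address visible to the DMZ host.

```python
"""Flag NAT rules that hide client source addresses from a DMZ server.
Added example, not from the list post: parses iptables-save text and reports
POSTROUTING SNAT/MASQUERADE rules not pinned to the Internet-facing interface."""
import shlex

# Constructed sample: the poster's nat table, MASQUERADE not limited to eth0.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15
-A POSTROUTING -j MASQUERADE
COMMIT
"""
# Same table with masquerading restricted to packets leaving via eth0 (assumed WAN).
FIXED_NAT = SAMPLE_NAT.replace("-A POSTROUTING -j MASQUERADE",
                               "-A POSTROUTING -o eth0 -j MASQUERADE")

def parse_nat_rules(dump):
    """Return the '-A' rules of the *nat table as dicts (option -> value)."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat / *filter
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "raw": line}
        i = 2
        while i < len(toks):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):  # option + value ('!' negation not handled)
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:                         # bare flag
                rule[toks[i]] = True
                i += 1
        rules.append(rule)
    return rules

def find_source_hiding_rules(dump, wan_iface="eth0"):
    """Return POSTROUTING SNAT/MASQUERADE rules that also rewrite DMZ-bound traffic."""
    hits = []
    for r in parse_nat_rules(dump):
        if r["chain"] == "POSTROUTING" and r.get("-j") in ("SNAT", "MASQUERADE"):
            if r.get("-o") != wan_iface:  # not limited to the WAN side
                hits.append(r["raw"])
    return hits
```

With the MASQUERADE rule limited to `-o eth0`, the DMZ server must route replies back through this box (default gateway) for the connection to work.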
