
Until today I used a cheap router so I could share my internet connection and keep a webserver online too, while using NAT. Users' IPs ($_SERVER['REMOTE_ADDR']) were fine: I was seeing the class A IPs of users.

But as traffic grew every day, I had to install a Linux Server (Debian) to share my Internet Connection, because my old router couldn't keep up with the traffic anymore. I shared the internet via IPTABLES using NAT, but now, after forwarding port 80 to my webserver, instead of seeing the real users' IPs, I see my Gateway IP (Linux Internal IP) as every user's IP Address.

How to solve this issue?


I edited my post, so I can paste the rules I'm currently using.

#!/bin/sh
#I made a script to set the rules

#I flush everything here.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -F
iptables -X


# I drop everything as a general rule, but this is disabled under testing
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP


# these are the loopback rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# here I set the SSH port rules, so I can connect to my server
iptables -A INPUT -p tcp --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT


# These are the forwards for 80 port
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d xx.xx.xx.xx --dport 80 -j DNAT --to 192.168.42.3:80
iptables -t nat -A POSTROUTING -o eth0 -d xx.xx.xx.xx -j SNAT --to-source 192.168.42.3
iptables -A FORWARD -p tcp -s 192.168.42.3 --sport 80 -j ACCEPT

# These are the forwards for bind/dns
iptables -t nat -A PREROUTING -p udp -s 0/0 -d xx.xx.xx.xx --dport 53 -j DNAT --to 192.168.42.3:53
iptables -t nat -A POSTROUTING -o eth0 -d xx.xx.xx.xx -j SNAT --to-source 192.168.42.3
iptables -A FORWARD -p udp -s 192.168.42.3 --sport 53 -j ACCEPT


# And these are the rules so I can share my internet connection
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0:1 -j ACCEPT

If I delete the MASQUERADE part, I see my real IP while echoing it with PHP, but I don't have internet. How can I have internet and see the real IP while the ports are forwarded too?

* xx.xx.xx.xx is my public IP. I hid it for security reasons.

John Miller

2 Answers

Solved my own mystery, but thanks to those who helped until now. I studied the iptables man page a bit more, and came to a solution which seems to work as I wish:

Replace the line which contains MASQUERADE (iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE) with the following line:

iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j SNAT --to-source XX.XX.XX.XX

Now I can see my real IP address and have internet too.

*XX.XX.XX.XX = public IP

John Miller

Comment: Sorry for waking this question up, but what do you mean with the public IP? Why should you enter the public IP to be able to know the real external IPs of the user? That doesn't make sense to me. – Mohammed Noureldin Jan 20 '17 at 00:57
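Why the MASQUERADE rule hid the client address while the answer's source-restricted SNAT does not, traced with an added Python model of the nat table (this is not code from the question or the answer). It assumes the LAN is an alias on eth0, as the -i eth0:1 rule suggests, and uses placeholder addresses for the hidden public IP and for the gateway's LAN address.

```python
import ipaddress

# Constructed placeholders: the page hides the public IP (xx.xx.xx.xx) and never
# states the gateway's LAN address.
PUBLIC_IP, GATEWAY_LAN_IP, WEBSERVER = "203.0.113.10", "192.168.42.1", "192.168.42.3"
LAN = ipaddress.ip_network("192.168.42.0/24")

def route(dst):
    # Assumed routing: LAN is an alias (eth0:1) on eth0, so everything leaves via eth0;
    # the preferred source address is the gateway's address on the route to dst.
    return "eth0", GATEWAY_LAN_IP if ipaddress.ip_address(dst) in LAN else PUBLIC_IP

def matches(rule, pkt, oif):
    m = rule["match"]
    ok = oif == m.get("out", oif)
    ok &= ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(m.get("src_net", "0.0.0.0/0"))
    return ok and all(pkt.get(k) == v for k, v in m.items() if k not in ("out", "src_net"))

def nat(pkt, rules):
    # nat PREROUTING runs first, then the packet is routed, then POSTROUTING runs.
    pkt = dict(pkt)
    for chain in ("PREROUTING", "POSTROUTING"):
        oif, pref_src = route(pkt["dst"])  # routing sees the DNAT'd destination
        for rule in (r for r in rules if r["chain"] == chain):
            if matches(rule, pkt, oif):
                if rule["target"] == "DNAT":
                    pkt["dst"] = rule["to"]
                elif rule["target"] == "SNAT":
                    pkt["src"] = rule["to"]
                else:  # MASQUERADE: source becomes the outgoing interface's address
                    pkt["src"] = pref_src
                break  # first matching rule in a chain wins
    return pkt

# iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.xx --dport 80 -j DNAT --to 192.168.42.3:80
DNAT_WEB = {"chain": "PREROUTING", "target": "DNAT", "to": WEBSERVER,
            "match": {"proto": "tcp", "dst": PUBLIC_IP, "dport": 80}}
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   (the question's rule)
BROKEN = [DNAT_WEB, {"chain": "POSTROUTING", "target": "MASQUERADE", "match": {"out": "eth0"}}]
# iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j SNAT --to-source XX.XX.XX.XX
FIXED = [DNAT_WEB, {"chain": "POSTROUTING", "target": "SNAT", "to": PUBLIC_IP,
                    "match": {"src_net": "192.168.42.0/24", "out": "eth0"}}]

def seen_by_webserver(rules, client="198.51.100.7"):
    # Source address the web server (and PHP's REMOTE_ADDR) sees for a port-80 hit.
    return nat({"proto": "tcp", "src": client, "dst": PUBLIC_IP, "dport": 80}, rules)["src"]

def seen_by_internet(rules, lan_host="192.168.42.20"):
    # Source address a remote site sees for a LAN host's outbound connection.
    return nat({"proto": "tcp", "src": lan_host, "dst": "198.51.100.200", "dport": 443}, rules)["src"]
```

With the MASQUERADE rule the DNAT'd packet is routed back out via eth0 (the LAN alias) and gets the gateway's LAN address as its source; restricting the SNAT to -s 192.168.42.0/24 leaves inbound packets untouched while outbound LAN traffic still gets the public IP.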

That is normal behaviour if you have used the masquerade rule (-j MASQUERADE). I think what you are looking for is "destination network address translation" (-j DNAT), for instance something like:

/sbin/iptables -t nat -A PREROUTING -p tcp -d {$PUBLICADDRESS} --dport 80 -j DNAT --to {$WEBSERVER}:80

The above may or may not work depending on the rest of your rules, of course. You should update your question with at least the rules you currently have that are pertinent to the web server.

David Spillett