
Team,

We have configured iptables to forward requests arriving on the eth1 interface (public IP x.x.x.x) to another server. We are able to forward all requests, but the problem is that we are losing the original public IP (the user's source IP) on server 192.168.254.X.

Please find configuration below:

# Generated by iptables-save v1.6.0 on Wed Sep 13 12:19:51 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [8:827]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -d 192.168.254.142/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.254.89
-A PREROUTING -d 192.168.254.142/32 -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.254.89

-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 13 12:19:51 2017
# Generated by iptables-save v1.6.0 on Wed Sep 13 12:19:51 2017
*filter
:INPUT ACCEPT [479:52143]
:FORWARD ACCEPT [41:1856]
:OUTPUT ACCEPT [417:79506]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Sep 13 12:19:51 2017

Please find the output of ip rule list below.

0:      from all lookup local
1000:   from 192.168.254.142 lookup eth1rt
1000:   from 192.168.254.89 lookup eth1rt
32766:  from all lookup main
32767:  from all lookup default

Please advise what the issue is that causes the source IP to be lost on server 254.89.

Any help on priority would be appreciated.

Thanks.

  • You need to have a reverse proxy running instead of iptables masquerading in order to get the IP address information correctly to the server inside the network. The reverse proxy adds an `X-Forwarded-For` header to the request, and the web server can use that information for the original source IP address. – Tero Kilkanen Sep 20 '17 at 22:48
  • Please let me know how I can set up a reverse proxy, as I am new to Linux. – user3086363 Sep 21 '17 at 12:21
  • Sorry, this is not the place to give you guidance on how to do something from scratch. We expect you to try things yourself, and then if you cannot get past some point, ask a detailed question which shows what you did, what happens and what you did. – Tero Kilkanen Sep 21 '17 at 12:33

1 Answer


The -j MASQUERADE rules in your config instruct the kernel to rewrite the source IP address of packets to the IP address of the interface the packet uses to exit your system (also known as Source NAT).
If you don't want that, those rules will need to be removed.

But please be aware that when you don't SNAT (and only re-route packets with destination NAT) you must have correct routing (on server 192.168.254.89) for the connections to work as intended.

HBruijn
  • Thank you for the answer. We have to forward all requests to server 192.168.254.89, but when we remove -j MASQUERADE, the response from 254.89 won't be returned to 254.142 (jump server). Please let me know if you need any other information. – user3086363 Sep 20 '17 at 13:08
  • If we change the rules as below, requests won't be forwarded. Please let me know the reason for it. Current: -A POSTROUTING -o eth1 -j MASQUERADE -A POSTROUTING -o eth0 -j MASQUERADE Changed: -A POSTROUTING -s 192.168.254.0/24 -o eth1 -j MASQUERADE -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE – user3086363 Sep 22 '17 at 07:47
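As an added illustration (not code from the question or the answer), a small Python model of the flow discussed above: DNAT with and without MASQUERADE, and a backend whose default gateway either is or is not the jump host. The client address and the "other router" are constructed placeholders, and 192.168.254.142 is assumed to be the jump server's eth0 (LAN) address.

```python
from dataclasses import dataclass

CLIENT = "203.0.113.10"         # constructed stand-in for the user's public IP
JUMP_PUBLIC = "x.x.x.x"         # eth1 address, as written in the question
JUMP_LAN = "192.168.254.142"    # jump server's LAN-side address (assumed to be on eth0)
BACKEND = "192.168.254.89"
OTHER_ROUTER = "192.168.254.1"  # constructed: a LAN gateway that is not the jump host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def on_lan(addr):
    return addr.startswith("192.168.254.")

def jump_host_forward(pkt, masquerade, conntrack):
    """PREROUTING DNAT to BACKEND (ports 80/443), then POSTROUTING MASQUERADE if enabled.
    conntrack keeps the original tuple, keyed by client port, so the reply can be reversed."""
    if pkt.dport not in (80, 443):
        return None
    conntrack[pkt.sport] = pkt
    src = JUMP_LAN if masquerade else pkt.src   # MASQUERADE rewrites src to the exit interface
    return Packet(src, BACKEND, pkt.sport, pkt.dport)

def backend_reply(pkt, default_gw):
    """The backend answers whatever source it saw; off-LAN destinations go to its default gateway."""
    reply = Packet(BACKEND, pkt.src, pkt.dport, pkt.sport)
    next_hop = reply.dst if on_lan(reply.dst) else default_gw
    return reply, next_hop

def jump_host_reverse(reply, conntrack):
    """conntrack undoes the DNAT (and SNAT) so the client sees a reply from the address it contacted."""
    orig = conntrack[reply.dport]
    return Packet(orig.dst, orig.src, orig.dport, orig.sport)

def simulate(masquerade, backend_gw):
    conntrack = {}
    syn = Packet(CLIENT, JUMP_PUBLIC, 40000, 443)
    fwd = jump_host_forward(syn, masquerade, conntrack)
    reply, next_hop = backend_reply(fwd, backend_gw)
    if next_hop == JUMP_LAN:                     # reply passes back through the jump host
        reply = jump_host_reverse(reply, conntrack)
    # otherwise the reply bypasses the jump host and reaches the client from BACKEND's own address
    client_ok = reply.src == JUMP_PUBLIC and reply.dst == CLIENT and reply.dport == syn.sport
    return {"backend_saw": fwd.src, "client_accepts_reply": client_ok}
```

The third case (no MASQUERADE, gateway elsewhere) is also what the -s 192.168.254.0/24 variant in the last comment produces: the forwarded client packets no longer match the MASQUERADE rule, so the backend replies to the public address through its own route and the client never sees a reply from the address it connected to.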