
I have 2 IP addresses on the Internet that point to the same machine. On this machine, a Debian system runs under OpenVZ. I can set iptables rules to redirect all HTTP requests to the Debian.

    iptables prerouting -d ip_address_2 DNAT --to ip_address_local_1
                     +--------------+
                     |              |
                     |              V
                     |          10.10.101.5
I|                 +------+     +----------+
N|ip_address_1     |      |-----|Debian1 VE|-- Apache's log
T|-----------------|OpenVZ|     +----------+   [client ip_address_1]
E|              |  |      |
R|ip_address_2  |  |      |
N|--------------+  |      |
E|                 +------+
T|

iptables rules:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d ip_address_2 --dport 80 -j DNAT --to 10.10.101.5:80
iptables -A FORWARD -p tcp -i eth0 -o venet0 -d 10.10.101.5 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i venet0 -o eth0 -s 10.10.101.5 --sport 80 -j ACCEPT

When I go to the web page at "http://ip_address_2", I can see the right content, but the IP address in the access log file is ip_address_1; I would like to see my ISP's IP address.

If I type :

# iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            ip_address_2       tcp dpt:80 to:10.10.101.5:80 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       all  --  10.10.101.5           0.0.0.0/0           to:ip_address_2 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Any ideas?

Kevin Campion
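The POSTROUTING chain listed above has a MASQUERADE rule matching 0.0.0.0/0 to 0.0.0.0/0. Without an out-interface match, that rule also rewrites the source address of packets being forwarded into the VE via venet0, which is consistent with Apache logging the host's own address rather than the client's. The script below is an added example, not code from the original post: it audits an iptables-save style listing for unrestricted source-NAT rules in POSTROUTING and emits a corrected nat table in which source NAT is confined to packets leaving via eth0. It assumes the layout in the question (eth0 public, venet0 towards the VE at 10.10.101.5) and uses the documentation address 203.0.113.2 as a hypothetical stand-in for ip_address_2; the listing it audits is constructed to mirror the question's output. One caveat worth knowing: `iptables -t nat -L -n` does not print `-i`/`-o` matches, so use `iptables -t nat -L -n -v` or `iptables-save -t nat` when checking whether a NAT rule is interface-restricted.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the layout in the
# question: public interface eth0 on the OpenVZ host, VE reached via venet0 at
# 10.10.101.5, and a hypothetical public address 203.0.113.2 in place of
# ip_address_2.
PUB_IF=eth0
VE_IF=venet0
VE_IP=10.10.101.5

# Constructed iptables-save listing reproducing the nat table shown in the
# question. iptables -t nat -L -n hides interface matches, so this is the form
# to audit.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.2/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.101.5:80
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.10.101.5/32 -j SNAT --to-source 203.0.113.2
COMMIT'

# Print every POSTROUTING MASQUERADE/SNAT rule on stdin that carries no
# "-o <iface>" match. Such a rule also rewrites the source of packets forwarded
# into the VE, so the web server sees the host's address instead of the
# client's. Returns 1 when at least one such rule is found, 0 otherwise.
audit_postrouting() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -j MASQUERADE"*|*" -j SNAT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -o "*) ;;
            *) printf 'unrestricted source NAT: %s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# Emit a corrected nat table for iptables-restore: the same DNAT, but source
# NAT only for packets leaving through the public interface, so traffic
# forwarded into the VE keeps the client's real source address. The SNAT for
# the VE's own outbound traffic comes first so it wins over the MASQUERADE.
fixed_nat_table() {
    pub_ip="$1"
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -d $pub_ip/32 -i $PUB_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $VE_IP:80" \
        "-A POSTROUTING -s $VE_IP/32 -o $PUB_IF -j SNAT --to-source $pub_ip" \
        "-A POSTROUTING -o $PUB_IF -j MASQUERADE" \
        'COMMIT'
}

# Demo: audit the listing from the question, then the corrected table.
# Applying the corrected table replaces only the nat table (the FORWARD rules
# in the filter table are untouched): fixed_nat_table 203.0.113.2 | iptables-restore
printf '%s\n' "$SAMPLE_NAT" | audit_postrouting \
    || echo "=> restrict source NAT to -o $PUB_IF (traffic to $VE_IP leaves via $VE_IF)"
fixed_nat_table 203.0.113.2 | audit_postrouting \
    && echo "corrected table keeps client source addresses"
```

Run it as-is to see the audit flag both the catch-all MASQUERADE and the SNAT, then pass the corrected table; on the host itself, `iptables-save -t nat | sh -c '. ./audit.sh'` style reuse of `audit_postrouting` gives the same check against the live rules.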

1 Answer

Perhaps this is as simple as adding `Listen ip.add.re.ss2:80` to your httpd configuration?

And removing any `Listen 80` directives, to make sure the server is only serving the IP address you want.

I just re-read your iptables rules; you're sending traffic from ip2 on port 80 to ip1 on port 80... of course your logs are going to show ip1. You're redirecting the traffic before it hits the server.

cpbills
  • No, I'm sending traffic from ip2:80 to ip_local_1:80 (not ip1). – Kevin Campion May 14 '10 at 21:28
  • Again, I think limiting Apache to the IP you want might be your best solution, then. – cpbills May 15 '10 at 16:10
  • I have already added `NameVirtualHost ip_address_2:80` in apache2.conf. – Kevin Campion May 15 '10 at 17:36
  • That is not the same as `Listen ip_address_2:80`. – cpbills May 15 '10 at 21:08
  • If I do this, I get these errors: `# /etc/init.d/apache2 restart` → `* Restarting web server apache2 (99)Cannot assign requested address: make_sock: could not bind to address ip_address_2:80 no listening sockets available, shutting down` – Kevin Campion May 15 '10 at 21:31
  • Because there isn't any information about ip_address_2 if I do `ifconfig`. – Kevin Campion May 15 '10 at 21:32
  • OK, so... your traffic comes in, gets NAT'd, and when it touches your server the source of the traffic is no longer the person on the Internet, but the IP of your NAT/firewall device? I don't believe there's much you can do on your local server; you're going to need to configure the NAT/firewall/etc. so it passes straight through, instead of NAT. – cpbills May 15 '10 at 23:55
  • That's right for your question. I discovered that when I do a traceroute, the first IP is ip_address_1; I'm searching for how to pass through ip_address_2. – Kevin Campion May 16 '10 at 16:14
  • I posted a new question about it: http://serverfault.com/questions/142379/change-openvz-route-to-pass-through-ip-failover – Kevin Campion May 16 '10 at 16:39