0

I have a website set up behind a router, so the router has the external-facing address and it will forward requests to the webserver inside the network. If there are X number of invalid login attempts, that IP address will be blocked from logging in. The problem is that because the site is being accessed through port forwarding, all requests show up as though they are coming from the router address, and thus the router address becomes the blocked IP.

I'm not sure if this is a limitation of the router (Linksys WRT160N) or if this is a more general issue. Is there a way to handle this?

Jeff Storey
  • Looks like it is this router's port-forwarding implementation. I used to utilize port-forwarding on (definitely) Linux-based routers, particularly DLink, and port-forwarding there was implemented using DNAT ipchains target, so the source IP was always true. – Serge Oct 07 '12 at 19:08
  • Thanks. Do you know if this is typically a configurable setting? I don't have an in-depth knowledge of port forwarding. – Jeff Storey Oct 07 '12 at 19:19
  • Jeff, I am sorry, I had no chance to try with Linksys. As for SOHO routers in general - they are trying to make it as simple as possible to let ordinary users set it up. So in many cases the functionality is limited compared to the features that the Linux running inside provides. – Serge Oct 07 '12 at 19:23

1 Answer

1

That sounds like a very odd NAT + Port forward implementation. The source IP of a request should be the true IP address. Ensure that you're testing from a real external IP address and not by hitting the external address from inside your network.

Check the X-Forwarded-For HTTP header to see if it's been added by your router, in case it's doing some kind of strange Layer 7 manipulation.

Alastair McCormack
  • Fuzzyfelt, I only have devices inside my network right now, I'll have to give that a try tomorrow when I'm outside the network. I'll check back with you and let you know. Thanks! – Jeff Storey Oct 07 '12 at 19:42
  • Actually, I just tried from my phone connected to 4G and it behaved as I expected. Thanks for clarifying. – Jeff Storey Oct 07 '12 at 19:46
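
A sketch of how a login lockout can pick the address to block when a forwarding device does add X-Forwarded-For, as an added example that is not part of the original thread. The router address `192.168.1.1`, the threshold of 3, and the names `client_ip` and `LoginLockout` are assumptions for illustration; the header is honoured only when the TCP peer is the trusted forwarder, so a remote client cannot forge it to dodge or redirect a block.

```python
import ipaddress
from collections import defaultdict

# Assumed values: the forwarding router's LAN address and the lockout threshold.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}
MAX_FAILURES = 3


def client_ip(peer_addr, xff_header=None):
    """Return the address that failed logins should be counted against."""
    peer = ipaddress.ip_address(peer_addr)
    # A direct (untrusted) peer may send any header it likes: ignore it.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    # Walk right to left: the rightmost hops were appended by our own
    # forwarders, while the leftmost ones are client-supplied.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class LoginLockout:
    """Counts failed logins per resolved client address."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def record_failure(self, peer_addr, xff_header=None):
        key = client_ip(peer_addr, xff_header)
        self.failures[key] += 1
        return key

    def is_blocked(self, peer_addr, xff_header=None):
        key = client_ip(peer_addr, xff_header)
        return self.failures[key] >= self.max_failures
```

If the forwarder sends no header at all, the resolved address falls back to the forwarder itself, which is the symptom described in the question.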