
I'm trying to configure my network to receive an incoming connection on one device and then redirect it to another device on a specific port. Right now I'm talking about port 80 and a device running Apache. The problem I'm facing is that when the forwarding is done it also sets the source IP to the first device's instead of the source IP of the user that connects to the service.

Let me illustrate it:

  • [Internet User] = 7.7.7.7

  • connects to [Device 1] = 1.1.1.1:80

  • [Device 1] forwards it to [Device 2] = 1.1.1.2:80

  • [Device 2] outputs response that [Internet User] sees

So on [Device 2] I will naturally see [Device 1]'s IP in the logs, but I want to see if there is a way to connect the internet user through [Device 1] to [Device 2] while seeing the real source IP in the logs on [Device 2].

Is that possible?

My rule-set looks like this at the moment (on Device 1):

# Let the kernel forward packets between interfaces (ip_forward must also be enabled).
iptables -P FORWARD ACCEPT

# Rewrite the destination of inbound TCP/80 so it lands on Device 2.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 1.1.1.2:80

# Rewrite the source of the forwarded packets to Device 1's own address,
# so Device 2 sees 1.1.1.1 as the peer instead of the internet user.
iptables -t nat -I POSTROUTING -p tcp -d 1.1.1.2 -j SNAT --to-source 1.1.1.1

On [Device 2] it accepts all incoming on port 80 from [Device 1] as well as accepts all related and established connections.

So, would there be any way to get the real source onto [Device 2]?

Let me know if you need more information!

JoshP
Jesper

1 Answer

It's not possible, because "Device 2" needs to send its answer to "Device 1", not directly to "Internet User" (the TCP session was established between "Internet User" and "Device 1", not "Device 2"). This is why, for example, the X-Forwarded-For header exists in HTTP.

In the case of Apache you can use the 'rpaf' module to see the real IP address. There is also a similar solution for nginx. But of course this will not work for a different protocol.

Tomasz Olszewski
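An added example (not code from the question or the answer) of how Device 2 should treat the X-Forwarded-For header the answer refers to. It assumes the setup is changed so that Device 1 (1.1.1.1) terminates the HTTP connection as a reverse proxy and appends the client's address to X-Forwarded-For; a plain DNAT rule never adds headers. The point a practitioner wants to see is the trust check: X-Forwarded-For is set by whoever sends the request, so the header is only believed when the TCP peer is the known proxy, and the chain is walked from the right (the entry the proxy appended last) rather than taking the first value. The function names, the trusted-proxy list and the sample requests are all constructed for this example.

```python
import ipaddress
from typing import Optional

# Constructed assumption for this example: Device 1 (1.1.1.1) is the only
# proxy allowed to speak for clients. Its address is the TCP peer Device 2 sees.
TRUSTED_PROXIES = [ipaddress.ip_network("1.1.1.1/32")]


def is_trusted(addr: str) -> bool:
    """True if addr is one of the proxies we accept X-Forwarded-For from."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address Device 2 should log for a request.

    peer_addr  -- TCP source address of the connection as Device 2 sees it
    xff_header -- raw X-Forwarded-For value, or None if the header is absent

    Proxies append the address they received the request from, so the
    rightmost entry is the one written by the nearest proxy. Walk from the
    right, skipping entries that belong to trusted proxies; the first
    untrusted entry is the client. Anything further left was supplied by a
    party we do not trust (possibly the client itself) and is ignored.
    """
    # Connection did not arrive via Device 1: any X-Forwarded-For present was
    # written by the client and must not be believed.
    if not is_trusted(peer_addr):
        return peer_addr
    if not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        # Normalise through ipaddress so a malformed value cannot reach the
        # log file as-is (log injection); fall back to the peer if it fails.
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr
    # Every entry named a trusted proxy; nothing better than the peer.
    return peer_addr


# Constructed sample requests: (peer address seen by Device 2, header value).
SAMPLE_REQUESTS = [
    ("1.1.1.1", "7.7.7.7"),            # via Device 1, honest header
    ("1.1.1.1", "9.9.9.9, 7.7.7.7"),   # client sent a fake entry, proxy appended the real one
    ("8.8.8.8", "7.7.7.7"),            # direct hit on Device 2 with a spoofed header
    ("1.1.1.1", None),                 # via Device 1, header missing
    ("1.1.1.1", "not-an-ip"),          # garbage from the proxy side
]


def resolve_samples() -> list:
    """Resolve each sample request to the address that would be logged."""
    return [real_client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), client in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<8} xff={xff!r:<22} -> log {client}")
```

The same rule is what Apache's rpaf-style modules implement when they are told which proxy addresses to trust: if every proxy is trusted unconditionally, any internet user can put an arbitrary address in X-Forwarded-For and have it appear in Device 2's logs and access controls.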