Keep source IP after NAT


Solved my own mystery, but thanks to those who helped until now. I studied the iptables man page a bit more and came to a solution which seems to work as I wish:

Replace the line which contains MASQUERADE (iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE) with the following line:

iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j SNAT --to-source XX.XX.XX.XX

Now I can see my real IP address and have internet too.

*XX.XX.XX.XX = public IP
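Why the scoped SNAT rule fixes the symptom described in the question (the web server seeing the gateway's internal address) is easier to see with a small model of what the nat POSTROUTING chain does to each packet. The following is an added example, not code from the original question or answer, and it is a simplified Python model of netfilter's first-match behaviour rather than iptables itself. It assumes the LAN is on the alias eth0:1 (so routing reports `eth0` as the output interface for LAN destinations too), that the gateway's LAN address is 192.168.42.1, and it uses documentation addresses 203.0.113.10 for the public IP and 198.51.100.7 for an Internet visitor; all of these are assumptions, not values from the page.

```python
import ipaddress

# Constructed addresses for this model (documentation ranges, not the poster's real ones).
PUBLIC_IP = "203.0.113.10"        # stands in for XX.XX.XX.XX on eth0
GATEWAY_LAN_IP = "192.168.42.1"   # assumed address of the Debian box on the eth0:1 alias
WEBSERVER_IP = "192.168.42.3"
LAN = ipaddress.ip_network("192.168.42.0/24")


def route_lookup(dst):
    """Simplified routing decision: (preferred source address, output interface).

    Because the LAN sits on the alias eth0:1, both routes leave via eth0, which is
    why a POSTROUTING rule written as `-o eth0` also matches traffic heading to the
    web server. MASQUERADE takes its new source address from this preferred-source
    lookup, so for a LAN destination it becomes the gateway's own LAN address.
    """
    if ipaddress.ip_address(dst) in LAN:
        return GATEWAY_LAN_IP, "eth0"
    return PUBLIC_IP, "eth0"


def postrouting(rules, pkt):
    """Apply the nat POSTROUTING chain: the first matching rule decides, as in iptables."""
    preferred_src, out_if = route_lookup(pkt["dst"])
    for rule in rules:
        if "o" in rule and rule["o"] != out_if:
            continue
        if "s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["s"]):
            continue
        if "d" in rule and pkt["dst"] != rule["d"]:
            continue
        if rule["target"] == "MASQUERADE":
            return dict(pkt, src=preferred_src)
        if rule["target"] == "SNAT":
            return dict(pkt, src=rule["to"])
    return pkt  # no rule matched: source address untouched


def inbound_source_seen_by_webserver(rules, client_ip):
    """An Internet client connects to PUBLIC_IP:80. PREROUTING DNAT has already
    rewritten the destination to the web server; return the source it will see."""
    pkt = {"src": client_ip, "dst": WEBSERVER_IP, "dport": 80}
    return postrouting(rules, pkt)["src"]


def outbound_source_seen_by_internet(rules, lan_host, remote_ip):
    """A host behind the gateway talks to the Internet; return the source it appears as."""
    pkt = {"src": lan_host, "dst": remote_ip, "dport": 443}
    return postrouting(rules, pkt)["src"]


# The question's POSTROUTING rules, in order. The `-d xx.xx.xx.xx` SNAT rule never
# matches here because DNAT already changed the destination before POSTROUTING.
ORIGINAL_RULES = [
    {"o": "eth0", "d": PUBLIC_IP, "target": "SNAT", "to": WEBSERVER_IP},
    {"o": "eth0", "target": "MASQUERADE"},
]

# The answer's replacement: translate only packets whose source is on the LAN.
FIXED_RULES = [
    {"s": str(LAN), "o": "eth0", "target": "SNAT", "to": PUBLIC_IP},
]

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet visitor
    for name, rules in (("MASQUERADE", ORIGINAL_RULES), ("scoped SNAT", FIXED_RULES)):
        print(f"{name}: web server sees {inbound_source_seen_by_webserver(rules, client)}, "
              f"LAN host appears as {outbound_source_seen_by_internet(rules, '192.168.42.50', client)}")
    # Caveat: the fix only translates the /24 named in -s; a second internal subnet
    # would leak its private source address unless it gets its own SNAT rule.
    print("10.0.0.5 outbound under scoped SNAT:",
          outbound_source_seen_by_internet(FIXED_RULES, "10.0.0.5", client))
```

Two practical notes on the real box. First, `iptables -t nat -L POSTROUTING -n -v` shows per-rule packet counters, so you can confirm that visitor connections to the web server are no longer hitting a source-rewriting rule. Second, `SNAT --to-source` hard-codes the public address, so if the uplink uses a dynamic IP the rule must be reloaded whenever it changes; that is the case MASQUERADE was designed for, and the alternative there is to keep MASQUERADE but add `-s 192.168.42.0/24` to it so it likewise stops matching DNAT'd traffic from the Internet.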

Author: John Miller
Updated on September 18, 2022

Comments

  • John Miller, over 1 year

    Until today I used a cheap router so I could share my internet connection and keep a webserver online too, while using NAT. Users' IPs ($_SERVER['REMOTE_ADDR']) were fine; I was seeing class A IPs of users.

    But as traffic grew every day, I had to install a Linux server (Debian) to share my internet connection, because my old router couldn't keep up with the traffic anymore. I share the internet via iptables using NAT, but now, after forwarding port 80 to my webserver, instead of seeing the real users' IPs, I see my gateway IP (the Linux box's internal IP) as every user's IP address.

    How to solve this issue?


    I edited my post so I can paste the rules I'm currently using.

    #!/bin/sh
    # I made a script to set the rules
    
    # I flush everything here.
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -F
    iptables -X
    
    
    # I drop everything as a general rule, but this is disabled under testing
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    
    
    # these are the loopback rules
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # here I set the SSH port rules, so I can connect to my server
    iptables -A INPUT -p tcp --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
    
    
    # These are the forwards for port 80
    iptables -t nat -A PREROUTING -p tcp -s 0/0 -d xx.xx.xx.xx --dport 80 -j DNAT --to 192.168.42.3:80
    iptables -t nat -A POSTROUTING -o eth0 -d xx.xx.xx.xx -j SNAT --to-source 192.168.42.3
    iptables -A FORWARD -p tcp -s 192.168.42.3 --sport 80 -j ACCEPT
    
    # These are the forwards for bind/dns
    iptables -t nat -A PREROUTING -p udp -s 0/0 -d xx.xx.xx.xx --dport 53 -j DNAT --to 192.168.42.3:53
    iptables -t nat -A POSTROUTING -o eth0 -d xx.xx.xx.xx -j SNAT --to-source 192.168.42.3
    iptables -A FORWARD -p udp -s 192.168.42.3 --sport 53 -j ACCEPT
    
    
    # And these are the rules so I can share my internet connection
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth0:1 -j ACCEPT
    

    If I delete the MASQUERADE part, I see my real IP when echoing it with PHP, but I don't have internet. What do I do to have internet and see my real IP while ports are forwarded too?

    ** xx.xx.xx.xx is my public IP. I hid it for security reasons.

    • David Schwartz, over 11 years
      Show us precisely how you forwarded port 80 to the webserver.
    • Michael Hampton, over 11 years
      Don't run important servers at home.
  • Mohammed Noureldin, over 7 years
    Sorry for waking this question up, but what do you mean by the public IP? Why should you enter the public IP to be able to know the real external IPs of the user? That doesn't make sense to me.