Networking Forums

How do i port forward but maintain the original IP address?

Alan Williamson
08-18-2006, 07:08 PM
I have searched for this up and down Google and maybe I am just not
using the right keywords, because I am not getting anything back.

Here is the problem.

Machine#A Listens on Port80
Forwards traffic to Machine#B on Port8080

this works beautifully.

/sbin/iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT \
    --to $MAL_P:8080
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

HOWEVER, Machine#B sees all requests coming from Machine#A and not the
original IP address of the requester, thus all my logs say Machine#A
and not the originator's IP address.

Therefore the question is: how does one maintain the IP address of the
originating request?

I am quite sure this is a well trodden road and I am being a buffoon
for missing the obvious.

Thank you in advance.

Davide Bianchi
08-18-2006, 07:18 PM
On 2006-08-18, Alan Williamson <(E-Mail Removed)> wrote:
> Machine#A Listens on Port80
> Forwards traffic to Machine#B on Port8080
> HOWEVER, Machine#B sees all requests coming from Machine#A and not the
> original IP address of the requester, thus all my logs say Machine#A
> and not the originator's IP address.


As it is supposed to be, otherwise machine B would try to send its reply
directly to the originator, ignoring machine A completely, so the
originator would see packets coming from a machine that he didn't know,
and quietly discard such packets as rubbish.

> Therefore the question is; how does one maintain the IP address of the
> originating request?


Using a Proxy.

Davide

--
D: is just a data disk. That's why it's called "D", for "DATA".
C: is the Windows OS disk, so it's called "C", for "CRAP".
-- David P. Murphy
Allen Kistler
08-18-2006, 09:56 PM
Alan Williamson wrote:
> I have searched for this up and down Google and maybe I am just not
> using the right keywords, because I am not getting anything back.
>
> Here is the problem.
>
> Machine#A Listens on Port80
> Forwards traffic to Machine#B on Port8080
>
> this works beautifully.
>
> /sbin/iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT \
>     --to $MAL_P:8080
> /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
>
> HOWEVER, Machine#B sees all requests coming from Machine#A and not the
> original IP address of the requester, thus all my logs say Machine#A
> and not the originator's IP address.
>
> Therefore the question is: how does one maintain the IP address of the
> originating request?
>
> I am quite sure this is a well trodden road and I am being a buffoon
> for missing the obvious.


Don't masquerade packets incoming from the WAN, just the ones outgoing
to the WAN.
Alan Williamson
08-19-2006, 07:34 AM
Allen Kistler wrote:
>> /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
>
> Don't masquerade packets incoming from the WAN, just the ones outgoing
> to the WAN.


Not quite sure how to do that. I tried putting in the "-s LANRANGE"
but it stopped forwarding packets at that point.

Can you elaborate a little further? Thanks.

Allen Kistler
08-19-2006, 06:57 PM
Alan Williamson wrote:
> Allen Kistler wrote:
>
>>> /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
>>
>> Don't masquerade packets incoming from the WAN, just the ones outgoing
>> to the WAN.
>
> Not quite sure how to do that. I tried putting in the "-s LANRANGE"
> but it stopped forwarding packets at that point.
>
> Can you elaborate a little further? Thanks.


Probably
-A POSTROUTING -o <Internet interface> -j MASQUERADE
instead of what you've got now. Tweak as you need depending on your setup.
Alan Williamson
08-20-2006, 11:54 AM
> Probably
> -A POSTROUTING -o <Internet interface> -j MASQUERADE
> instead of what you've got now. Tweak as you need depending on your setup.


No, that didn't work. The machine at the back is still not seeing the
originator's IP address.

Allen Kistler
08-20-2006, 06:53 PM
Alan Williamson wrote:
>> Probably
>> -A POSTROUTING -o <Internet interface> -j MASQUERADE
>> instead of what you've got now. Tweak as you need depending on your setup.
>
> No, that didn't work. The machine at the back is still not seeing the
> originator's IP address.


Then you've got other rules masquerading for you that take precedence.
Did you remember to flush your existing rules before loading the new ones?
Dump your rules with iptables-save (for yourself, not to this group) to
see what else you've got.
Alan Williamson
08-21-2006, 06:32 PM
> Then you've got other rules masquerading for you that take precedence.
> Did you remember to flush your existing rules before loading the new ones?
> Dump your rules with iptables-save (for yourself, not to this group) to
> see what else you've got.


I hate to argue with you, but there are no other rules. It forwards
correctly, but still I get the wrong IP address, not the one from the
originator. Here are the rules for this:

:POSTROUTING ACCEPT [96:5748]
:PREROUTING ACCEPT [463023:49408272]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination MachineB:2525
COMMIT

That's it.

Alan Williamson
08-21-2006, 07:40 PM
Okay, an update on the state of play. I can manage to get a connection
through to MachineB.

tcp        0      0 192.168.0.101:2525      81.x.y.z:45668      SYN_RECV

However, it's as if no packets are coming back from MACHINEB.

/sbin/iptables -t nat -A PREROUTING -i $WAN -s ! $MACHINEA -p tcp \
    --dport 25 -j DNAT --to $MACHINEB:2525
/sbin/iptables -t nat -A POSTROUTING -o $WAN -s $LAN_RANGE -d $MACHINEB \
    -j SNAT --to $MACHINEA
/sbin/iptables -A FORWARD -s $LAN_RANGE -d $MACHINEB -i $LAN -o $WAN -p tcp \
    --dport 2525 -j ACCEPT

where MACHINEA is the machine that iptables is running on, and MACHINEB
sits inside the LAN.

Does that help any? I've stripped the iptables rules right back.

Allen Kistler
08-21-2006, 08:47 PM
Alan Williamson wrote:
> Okay, an update on the state of play. I can manage to get a connection
> through to MachineB.
>
> tcp        0      0 192.168.0.101:2525      81.x.y.z:45668      SYN_RECV
>
> However, it's as if no packets are coming back from MACHINEB.
>
> /sbin/iptables -t nat -A PREROUTING -i $WAN -s ! $MACHINEA -p tcp \
>     --dport 25 -j DNAT --to $MACHINEB:2525
> /sbin/iptables -t nat -A POSTROUTING -o $WAN -s $LAN_RANGE -d $MACHINEB \
>     -j SNAT --to $MACHINEA
> /sbin/iptables -A FORWARD -s $LAN_RANGE -d $MACHINEB -i $LAN -o $WAN -p tcp \
>     --dport 2525 -j ACCEPT
>
> where MACHINEA is the machine that iptables is running on, and MACHINEB
> sits inside the LAN.
>
> Does that help any? I've stripped the iptables rules right back.


1. I don't understand what your SNAT rule is supposed to be doing.
If you have a fixed public address and you want to SNAT replies from
MACHINEB, use "-i $LAN" and get rid of -s and -d (???) options. Make
sure you use the PUBLIC address for SNAT.
If you have a dynamic public address, use -j MASQUERADE.

2. Does MachineB have its default route through MachineA?
It probably should. It at least needs its route to public addresses to
be through MachineA.

3. There are better ways to restrict valid address ranges.
I suggest you focus just on interfaces for now.

4. Also include a FORWARD rule for state ESTABLISHED.

Tighten from there once you get it to work.

HTH
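Taken together with the earlier advice to dump the rules with iptables-save, the thread's points boil down to: masquerade only on the way out of the WAN interface, and let a state ESTABLISHED rule carry the replies. The script below is an added example, not code from any poster; it prints such a ruleset and checks an iptables-save dump for the unscoped MASQUERADE/SNAT rule that caused the original symptom. Interface names, addresses and ports are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from any poster. Interface names, addresses and
# ports are assumed placeholders; adjust to your own gateway.

# Print an iptables-restore ruleset for a gateway that DNATs WAN port $3 to
# $4:$5 and masquerades ONLY traffic leaving through the WAN interface, so a
# DNAT'd inbound connection keeps the originator's source address.
gen_ruleset() {
    wan=$1 lan=$2 pub_port=$3 inner_host=$4 inner_port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport $pub_port -j DNAT --to-destination $inner_host:$inner_port
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $inner_host --dport $inner_port -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print every POSTROUTING
# MASQUERADE/SNAT rule that carries no "-o <iface>" restriction: such a rule
# also rewrites the source of DNAT'd inbound packets on their way to the LAN
# host, which is exactly why Machine#B logged Machine#A. Exit 1 if any found.
find_unscoped_snat() {
    awk '/^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ && !/-o [^ ]+/ { print; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Constructed sample: the thread's first ruleset, with the unscoped MASQUERADE.
SAMPLE_DUMP='*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.101:8080
-A POSTROUTING -j MASQUERADE
COMMIT'

# Stand-alone run: flag the offending rule, then print the corrected ruleset.
printf '%s\n' "$SAMPLE_DUMP" | find_unscoped_snat ||
    echo "above rule(s) also rewrite the source of DNAT'd inbound traffic" >&2
gen_ruleset eth0 eth1 80 192.168.0.101 8080
```

The LAN host must still route its replies back through the gateway (its default route, as the post above says), otherwise the un-NATed source address makes it answer the client directly and the connection stalls in SYN_RECV.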