Networking Forums

NAT and Apache2 access_log

 
 
Lutz Brödel
      10-17-2005, 02:55 PM
Dear all,

I've been going mad with this for several weeks now. Since my web server
is running behind a gateway, I cannot keep track of my visitors' IP
addresses any more. The only IP address appearing in Apache's
access_log file is the local IP of the gateway machine.

My setup is as follows (abstraction):

I have a public domain "www.something.net" that resolves to the IP
address 212.121.0.1.
local network: something.net, 192.168.1.0/24
gateway: gw.something.net, 192.168.1.1
Web server: wsrv.something.net, 192.168.1.2

The port forwarding is done for port 80, IP 212.121.0.1, to port 1080,
192.168.1.1 on gw.something.net. Apache on wsrv.something.net is
configured to listen on port 1080 and serve my public website.

Now, if I do a `cat /var/log/apache2/access_log`, I get something like

<snap>
192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1"
200 4710
</snap>


My firewall rules are like this:


gw.something.net:
################################################## #######################
#!/bin/bash
#

# flush everything
iptables -F
iptables -F -t nat
iptables -X

# default policy: drop everything.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# now, do the nat-ting...

# allow related packet forwarding
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow forwarded packets
iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 1080 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forward packets coming in from the outside
iptables -t nat -A PREROUTING \
-d 212.121.0.1 -p tcp --dport 80 \
-j DNAT --to-destination 192.168.1.2:1080

#allow all outgoing traffic from the web server
iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
-d 192.168.1.2 -p tcp --dport 1080 \
-j SNAT --to 192.168.1.1

# Make it work from the firewall itself
iptables -t nat -A OUTPUT \
-d 212.121.0.1 -p tcp --dport 80 \
-j DNAT --to-destination 192.168.1.2:1080

exit 0
################################################## #######################


wsrv.something.net:
################################################## #######################
#!/bin/bash
#

# local network
LAN="192.168.1.0/24"

# flush everything
iptables -F
iptables -F -t nat
iptables -X

# default policy: drop everything.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# allow HTTP from gw in, and related out
iptables -A INPUT -d 192.168.1.2 -p tcp --dport 1080 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1080 \
-m state --state ESTABLISHED,RELATED -j ACCEPT


exit 0
################################################## #######################


What I need is a way to preserve the visitor's IP address, while at the
same time restricting access to the web server to local hosts only.
Probably, there is a simple way to do it, but I can't think of any.

Every help is appreciated very much. Thank you in advance.
Lutz

P.S.: Please excuse the bad message style, this is my first newsgroup
posting.
 
Lukas
      10-17-2005, 03:22 PM
Lutz Brödel wrote:
> Dear all,
>
> I've been going mad with this for several weeks now. Since my web server
> is running behind a gateway, I cannot keep track of my visitors' IP
> addresses any more. The only IP address appearing in Apache's
> access_log file is the local IP of the gateway machine.
>
> My setup is as follows (abstraction):
>
> I have a public domain "www.something.net" that resolves to the IP
> address 212.121.0.1.
> local network: something.net, 192.168.1.0/24
> gateway: gw.something.net, 192.168.1.1
> Web server: wsrv.something.net, 192.168.1.2
>
> The port forwarding is done for port 80, IP 212.121.0.1, to port 1080,
> 192.168.1.1 on gw.something.net. Apache on wsrv.something.net is
> configured to listen on port 1080 and serve my public website.
>
> Now, if I do a `cat /var/log/apache2/access_log`, I get something like
>
> <snap>
> 192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1"
> 200 4710
> </snap>
>
>
> My firewall rules are like this:
>
>
> gw.something.net:
> ################################################## #######################
> #!/bin/bash
> #
>
> # flush everything
> iptables -F
> iptables -F -t nat
> iptables -X
>
> # default policy: drop everything.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # now, do the nat-ting...
>
> # allow related packet forwarding
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Allow forwarded packets
> iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 1080 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # Forward packets coming in from the outside
> iptables -t nat -A PREROUTING \
> -d 212.121.0.1 -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.1.2:1080
>
> #allow all outgoing traffic from the web server
> iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
> -d 192.168.1.2 -p tcp --dport 1080 \
> -j SNAT --to 192.168.1.1
>
> # Make it work from the firewall itself
> iptables -t nat -A OUTPUT \
> -d 212.121.0.1 -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.1.2:1080
>
> exit 0
> ################################################## #######################
>
>
> wsrv.something.net:
> ################################################## #######################
> #!/bin/bash
> #
>
> # local network
> LAN="192.168.1.0/24"
>
> # flush everything
> iptables -F
> iptables -F -t nat
> iptables -X
>
> # default policy: drop everything.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # allow HTTP from gw in, and related out
> iptables -A INPUT -d 192.168.1.2 -p tcp --dport 1080 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 1080 \
> -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> exit 0
> ################################################## #######################
>
>
> What I need is a way to preserve the visitor's IP address, while at the
> same time restricting access to the web server to local hosts only.
> Probably, there is a simple way to do it, but I can't think of any.
>
> Every help is appreciated very much. Thank you in advance.
> Lutz
>
> P.S.: Please excuse the bad message style, this is my first newsgroup
> posting.


You can make iptables log connections on the gateway to the www server in
the local net.
Or redirect traffic destined for www to the local www server; those IPs
should not be NAT'ed.
 
Dave {Reply Address in.sig}
      10-17-2005, 08:17 PM
In message <dj0e0c$8vi$(E-Mail Removed)>, Lutz Brödel
wrote:
>
> #allow all outgoing traffic from the web server
> iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
> -d 192.168.1.2 -p tcp --dport 1080 \
> -j SNAT --to 192.168.1.1
>

I don't like this one. Looking at what I had in the past, I've got this lot
which allows general access.

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to 192.168.1.18:80
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

If you swap the dport from 80 to 1080, $EXTIF is the external port (eth1),
$INTIF is the internal port (eth0). $EXTIP is the IP address of the
external interface.

I don't see why you need to restrict access to local IP addresses only, the
port forwarding with address rewriting makes you just as vulnerable as
letting them in without the rewrite.

--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...
 
Lutz Brödel
      10-18-2005, 10:47 AM
Lukas wrote:
> Lutz Brödel wrote:
>
>> Dear all,
>>
>> I've been going mad with this for several weeks now. Since my web server
>> is running behind a gateway, I cannot keep track of my visitors' IP
>> addresses any more. The only IP address appearing in Apache's
>> access_log file is the local IP of the gateway machine.
>>
>> My setup is as follows (abstraction):
>>
>> I have a public domain "www.something.net" that resolves to the IP
>> address 212.121.0.1.
>> local network: something.net, 192.168.1.0/24
>> gateway: gw.something.net, 192.168.1.1
>> Web server: wsrv.something.net, 192.168.1.2
>>
>> The port forwarding is done for port 80, IP 212.121.0.1, to port 1080,
>> 192.168.1.1 on gw.something.net. Apache on wsrv.something.net is
>> configured to listen on port 1080 and serve my public website.
>>
>> Now, if I do a `cat /var/log/apache2/access_log`, I get something like
>>
>> <snap>
>> 192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1"
>> 200 4710
>> </snap>
>>
>>
>> My firewall rules are like this:
>>
>>
>> gw.something.net:
>> ################################################## #######################
>> #!/bin/bash
>> #
>>
>> # flush everything
>> iptables -F
>> iptables -F -t nat
>> iptables -X
>>
>> # default policy: drop everything.
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT DROP
>>
>> # now, do the nat-ting...
>>
>> # allow related packet forwarding
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> # Allow forwarded packets
>> iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 1080 \
>> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> # Forward packets coming in from the outside
>> iptables -t nat -A PREROUTING \
>> -d 212.121.0.1 -p tcp --dport 80 \
>> -j DNAT --to-destination 192.168.1.2:1080
>>
>> #allow all outgoing traffic from the web server
>> iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
>> -d 192.168.1.2 -p tcp --dport 1080 \
>> -j SNAT --to 192.168.1.1
>>
>> # Make it work from the firewall itself
>> iptables -t nat -A OUTPUT \
>> -d 212.121.0.1 -p tcp --dport 80 \
>> -j DNAT --to-destination 192.168.1.2:1080
>>
>> exit 0
>> ################################################## #######################
>>
>>
>> wsrv.something.net:
>> ################################################## #######################
>> #!/bin/bash
>> #
>>
>> # local network
>> LAN="192.168.1.0/24"
>>
>> # flush everything
>> iptables -F
>> iptables -F -t nat
>> iptables -X
>>
>> # default policy: drop everything.
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT DROP
>>
>> # allow HTTP from gw in, and related out
>> iptables -A INPUT -d 192.168.1.2 -p tcp --dport 1080 -j ACCEPT
>> iptables -A OUTPUT -p tcp --sport 1080 \
>> -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> exit 0
>> ################################################## #######################
>>
>>
>> What I need is a way to preserve the visitor's IP address, while at the
>> same time restricting access to the web server to local hosts only.
>> Probably, there is a simple way to do it, but I can't think of any.
>>
>> Every help is appreciated very much. Thank you in advance.
>> Lutz
>>
>> P.S.: Please excuse the bad message style, this is my first newsgroup
>> posting.

>
>
> You can make iptables log connections on the gateway to the www server in
> the local net.
> Or redirect traffic destined for www to the local www server; those IPs
> should not be NAT'ed.


I thought of the first solution, too. ULOG-ging every IP request to a
MySQL database. But that would imply comparing the MySQL logs with the
Apache logs to associate IP addresses with requests. Besides the enormous
work, this could not be done with 100% certainty...

Redirection sounds better to me. But if I do redirect a request for
212.121.0.1:80 to 192.168.1.1:1080, I still need to DNAT that one to
192.168.1.2:1080, don't I?
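Lutz's worry about matching a gateway-side connection log against the access_log, as an added example that is not part of the thread: the join below is by wall-clock second only, because that is all the two logs share. Both inputs are constructed here; the gateway lines stand for what an iptables LOG rule on new connections to the web server would record, reduced to time, source address and source port. Two connections in the same second already make the assignment ambiguous, and HTTP keep-alive makes it worse, since a later request may belong to a connection opened earlier, so even a unique candidate is a guess rather than an attribution.

```shell
#!/bin/sh
# Added example, not from the thread: match gateway connection-log entries
# to Apache requests by second. Both logs below are constructed.

# Stand-in for an iptables LOG line per NEW connection to the web server,
# reduced to: time source sport (same day and time zone as access_log).
GW_LOG='17:42:09 198.51.100.7 40213
17:42:09 203.0.113.9 51777
17:42:15 198.51.100.7 40214'

# Apache access_log as written behind the SNAT: every client is 192.168.1.1.
ACCESS_LOG='192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1" 200 4710
192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /style.css HTTP/1.1" 200 812
192.168.1.1 - - [16/Oct/2005:17:42:15 +0200] "GET /news.php HTTP/1.1" 200 2201'

# Print "time request verdict [candidate sources]" per access_log line.
# Verdict is "ok" for exactly one connection opened in that second,
# "ambiguous" for several, "no-candidate" for none. Keep-alive is ignored:
# a request may ride a connection opened seconds earlier, so "ok" only
# means "not contradicted", not "attributed".
correlate() {
    printf '%s\n' "$GW_LOG" "--" "$ACCESS_LOG" | awk '
        /^--$/ { in_apache = 1; next }
        !in_apache {
            # gateway side: distinct sources per second
            if (!(($1, $2) in seen)) {
                seen[$1, $2] = 1
                n[$1]++
                src[$1] = (src[$1] == "" ? $2 : src[$1] "," $2)
            }
            next
        }
        {
            # apache side: field 4 looks like [16/Oct/2005:17:42:09
            split($4, t, ":")
            ts = t[2] ":" t[3] ":" t[4]
            verdict = (n[ts] == 1) ? "ok" : (n[ts] > 1) ? "ambiguous" : "no-candidate"
            printf "%s %s %s [%s]\n", ts, $7, verdict, (ts in src) ? src[ts] : "-"
        }'
}

correlate
```

With the constructed data the two 17:42:09 requests come out as ambiguous between 198.51.100.7 and 203.0.113.9, and the 17:42:15 request has a single candidate; a real ULOG or LOG feed would need the full date and a per-request connection identifier to do better than this, which the default Apache log format does not carry.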
 
Lutz Brödel
      10-18-2005, 11:13 AM
Dave {Reply Address in.sig} wrote:
> In message <dj0e0c$8vi$(E-Mail Removed)>, Lutz Brödel
> wrote:
>
>>#allow all outgoing traffic from the web server
>>iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
>>-d 192.168.1.2 -p tcp --dport 1080 \
>>-j SNAT --to 192.168.1.1
>>

>
> I don't like this one. Looking at what I had in the past, I've got this lot
> which allows general access.
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
> -j DNAT --to 192.168.1.18:80
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>
> If you swap the dport from 80 to 1080, $EXTIF is the external port (eth1),
> $INTIF is the internal port (eth0). $EXTIP is the IP address of the
> external interface.
>

Thank you for the hint. I'll work that into the config. :-)


> I don't see why you need to restrict access to local IP addresses only, the
> port forwarding with address rewriting makes you just as vulnerable as
> letting them in without the rewrite.
>

The reason is maintenance. I abstracted the problem, reducing it to a
single service on a single machine. In fact, I have several servers
that are running on different IPs.
Now, if I have the gateway machine taking in HTTP requests, security
software like port scanners needs to run only on this computer. And I
can more easily replace a faulty web server with another computer by
simply changing IPs in the configuration. Furthermore, I can redirect
HTTP to one machine (say 192.168.1.2) and SSH to another one (192.168.1.8).

 
Lukas
      10-24-2005, 01:26 PM
Lutz Brödel wrote:
> Lukas wrote:
>
>>Lutz Brödel wrote:
>>
>>
>>>Dear all,
>>>
>>>I've been going mad with this for several weeks now. Since my web server
>>>is running behind a gateway, I cannot keep track of my visitors' IP
>>>addresses any more. The only IP address appearing in Apache's
>>>access_log file is the local IP of the gateway machine.
>>>
>>>My setup is as follows (abstraction):
>>>
>>>I have a public domain "www.something.net" that resolves to the IP
>>>address 212.121.0.1.
>>>local network: something.net, 192.168.1.0/24
>>>gateway: gw.something.net, 192.168.1.1
>>>Web server: wsrv.something.net, 192.168.1.2
>>>
>>>The port forwarding is done for port 80, IP 212.121.0.1, to port 1080,
>>>192.168.1.1 on gw.something.net. Apache on wsrv.something.net is
>>>configured to listen on port 1080 and serve my public website.
>>>
>>>Now, if I do a `cat /var/log/apache2/access_log`, I get something like
>>>
>>><snap>
>>>192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1"
>>>200 4710
>>></snap>
>>>
>>>
>>>My firewall rules are like this:
>>>
>>>
>>>gw.something.net:
>>>############################################### ##########################
>>>#!/bin/bash
>>>#
>>>
>>># flush everything
>>>iptables -F
>>>iptables -F -t nat
>>>iptables -X
>>>
>>># default policy: drop everything.
>>>iptables -P INPUT DROP
>>>iptables -P FORWARD DROP
>>>iptables -P OUTPUT DROP
>>>
>>># now, do the nat-ting...
>>>
>>># allow related packet forwarding
>>>iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>># Allow forwarded packets
>>>iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 1080 \
>>> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>
>>># Forward packets coming in from the outside
>>>iptables -t nat -A PREROUTING \
>>> -d 212.121.0.1 -p tcp --dport 80 \
>>> -j DNAT --to-destination 192.168.1.2:1080
>>>
>>>#allow all outgoing traffic from the web server
>>>iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
>>> -d 192.168.1.2 -p tcp --dport 1080 \
>>> -j SNAT --to 192.168.1.1
>>>
>>># Make it work from the firewall itself
>>>iptables -t nat -A OUTPUT \
>>> -d 212.121.0.1 -p tcp --dport 80 \
>>> -j DNAT --to-destination 192.168.1.2:1080
>>>
>>>exit 0
>>>############################################### ##########################
>>>
>>>
>>>wsrv.something.net:
>>>############################################### ##########################
>>>#!/bin/bash
>>>#
>>>
>>># local network
>>>LAN="192.168.1.0/24"
>>>
>>># flush everything
>>>iptables -F
>>>iptables -F -t nat
>>>iptables -X
>>>
>>># default policy: drop everything.
>>>iptables -P INPUT DROP
>>>iptables -P FORWARD DROP
>>>iptables -P OUTPUT DROP
>>>
>>># allow HTTP from gw in, and related out
>>>iptables -A INPUT -d 192.168.1.2 -p tcp --dport 1080 -j ACCEPT
>>>iptables -A OUTPUT -p tcp --sport 1080 \
>>> -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>>
>>>exit 0
>>>############################################### ##########################
>>>
>>>
>>>What I need is a way to preserve the visitor's IP address, while at the
>>>same time restricting access to the web server to local hosts only.
>>>Probably, there is a simple way to do it, but I can't think of any.
>>>
>>>Every help is appreciated very much. Thank you in advance.
>>>Lutz
>>>
>>>P.S.: Please excuse the bad message style, this is my first newsgroup
>>>posting.

>>
>>
>>You can make iptables log connections on the gateway to the www server in
>>the local net.
>>Or redirect traffic destined for www to the local www server; those IPs
>>should not be NAT'ed.

>
>
> I thought of the first solution, too. ULOG-ging every IP request to a
> MySQL database. But that would imply comparing the MySQL logs with the
> Apache logs to associate IP addresses with requests. Besides the enormous
> work, this could not be done with 100% certainty...
>
> Redirection sounds better to me. But if I do redirect a request for
> 212.121.0.1:80 to 192.168.1.1:1080, I still need to DNAT that one to
> 192.168.1.2:1080, don't I?


Hm... this is a good question. I think (I didn't test this yet) you don't
have to do DNAT, because if you redirect the destination, your destination
address changes from 212.121.0.1:80 to 192.168.1.1:1080 while the source
address does not change.
Thinking of DNAT, this would be a redirection too. Hm... you have to check this.
 
Lutz Brödel
      11-01-2005, 12:28 PM
Lukas wrote:
> Lutz Brödel wrote:
>
>> Lukas wrote:
>>
>>> Lutz Brödel wrote:
>>>
>>>
>>>> Dear all,
>>>>
>>>> I've been going mad with this for several weeks now. Since my web server
>>>> is running behind a gateway, I cannot keep track of my visitors' IP
>>>> addresses any more. The only IP address appearing in Apache's
>>>> access_log file is the local IP of the gateway machine.
>>>>
>>>> My setup is as follows (abstraction):
>>>>
>>>> I have a public domain "www.something.net" that resolves to the IP
>>>> address 212.121.0.1.
>>>> local network: something.net, 192.168.1.0/24
>>>> gateway: gw.something.net, 192.168.1.1
>>>> Web server: wsrv.something.net, 192.168.1.2
>>>>
>>>> The port forwarding is done for port 80, IP 212.121.0.1, to port 1080,
>>>> 192.168.1.1 on gw.something.net. Apache on wsrv.something.net is
>>>> configured to listen on port 1080 and serve my public website.
>>>>
>>>> Now, if I do a `cat /var/log/apache2/access_log`, I get something like
>>>>
>>>> <snap>
>>>> 192.168.1.1 - - [16/Oct/2005:17:42:09 +0200] "GET /index.php HTTP/1.1"
>>>> 200 4710
>>>> </snap>
>>>>
>>>>
>>>> My firewall rules are like this:
>>>>
>>>>
>>>> gw.something.net:
>>>> ################################################## #######################
>>>>
>>>> #!/bin/bash
>>>> #
>>>>
>>>> # flush everything
>>>> iptables -F
>>>> iptables -F -t nat
>>>> iptables -X
>>>>
>>>> # default policy: drop everything.
>>>> iptables -P INPUT DROP
>>>> iptables -P FORWARD DROP
>>>> iptables -P OUTPUT DROP
>>>>
>>>> # now, do the nat-ting...
>>>>
>>>> # allow related packet forwarding
>>>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>
>>>> # Allow forwarded packets
>>>> iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 1080 \
>>>> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>> # Forward packets coming in from the outside
>>>> iptables -t nat -A PREROUTING \
>>>> -d 212.121.0.1 -p tcp --dport 80 \
>>>> -j DNAT --to-destination 192.168.1.2:1080
>>>>
>>>> #allow all outgoing traffic from the web server
>>>> iptables -t nat -A POSTROUTING -o $PUBLIC_IF \
>>>> -d 192.168.1.2 -p tcp --dport 1080 \
>>>> -j SNAT --to 192.168.1.1
>>>>
>>>> # Make it work from the firewall itself
>>>> iptables -t nat -A OUTPUT \
>>>> -d 212.121.0.1 -p tcp --dport 80 \
>>>> -j DNAT --to-destination 192.168.1.2:1080
>>>>
>>>> exit 0
>>>> ################################################## #######################
>>>>
>>>>
>>>>
>>>> wsrv.something.net:
>>>> ################################################## #######################
>>>>
>>>> #!/bin/bash
>>>> #
>>>>
>>>> # local network
>>>> LAN="192.168.1.0/24"
>>>>
>>>> # flush everything
>>>> iptables -F
>>>> iptables -F -t nat
>>>> iptables -X
>>>>
>>>> # default policy: drop everything.
>>>> iptables -P INPUT DROP
>>>> iptables -P FORWARD DROP
>>>> iptables -P OUTPUT DROP
>>>>
>>>> # allow HTTP from gw in, and related out
>>>> iptables -A INPUT -d 192.168.1.2 -p tcp --dport 1080 -j ACCEPT
>>>> iptables -A OUTPUT -p tcp --sport 1080 \
>>>> -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>>
>>>> exit 0
>>>> ################################################## #######################
>>>>
>>>>
>>>>
>>>> What I need is a way to preserve the visitor's IP address, while at the
>>>> same time restricting access to the web server to local hosts only.
>>>> Probably, there is a simple way to do it, but I can't think of any.
>>>>
>>>> Every help is appreciated very much. Thank you in advance.
>>>> Lutz
>>>>
>>>> P.S.: Please excuse the bad message style, this is my first newsgroup
>>>> posting.
>>>
>>>
>>>
>>> You can make iptables log connections on the gateway to the www server in
>>> the local net.
>>> Or redirect traffic destined for www to the local www server; those IPs
>>> should not be NAT'ed.

>>
>>
>>
>> I thought of the first solution, too. ULOG-ging every IP request to a
>> MySQL database. But that would imply comparing the MySQL logs with the
>> Apache logs to associate IP addresses with requests. Besides the enormous
>> work, this could not be done with 100% certainty...
>>
>> Redirection sounds better to me. But if I do redirect a request for
>> 212.121.0.1:80 to 192.168.1.1:1080, I still need to DNAT that one to
>> 192.168.1.2:1080, don't I?

>
>
> Hm... this is a good question. I think (I didn't test this yet) you don't
> have to do DNAT, because if you redirect the destination, your destination
> address changes from 212.121.0.1:80 to 192.168.1.1:1080 while the source
> address does not change.
> Thinking of DNAT, this would be a redirection too. Hm... you have to check this.


I did so, but it didn't work out at all. The iptables REDIRECT target
always redirects to the local machine's IP, so there is still a
need to transfer packets destined (now) for 192.168.1.1:1080 to
192.168.1.2:1080.

Does anyone have another idea? Or does someone know a tutorial that deals
with this matter? I didn't find any, neither via Google nor on tldp.org.
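The rule set the thread circles around, as an added example that is not part of any post here. The only translation the gateway needs is a DNAT of the destination in PREROUTING: it leaves the visitor's source address intact, so Apache on wsrv logs the real client, and conntrack un-translates the replies on their way back out. The POSTROUTING SNAT towards 192.168.1.2 in the original gateway script is what stamps 192.168.1.1 on every connection, and REDIRECT, as the last post found, can only point at the gateway itself, so DNAT is the tool. The script below is mine, not from the thread; it generates the rule sets for both hosts in the posted abstraction and adds a check that flags any rule which would rewrite the source on the way to the web server. My assumptions beyond the posts: eth0 is the gateway's public interface and eth1 its LAN side, eth0 is wsrv's only interface, wsrv's default route is 192.168.1.1 (otherwise the replies bypass the NAT and the handshake never completes), and the LAN masquerade plus the LOG rule for Lukas's gateway-side logging are my additions. Dave's point about the restriction still holds: with public source addresses arriving on wsrv, "local hosts only" is enforced by interface and by the gateway being the only route in, not by a 192.168.1.0/24 source match.

```shell
#!/bin/sh
# Added example, not from the thread. Forward 212.121.0.1:80 to
# 192.168.1.2:1080 with DNAT only, so Apache on wsrv sees the real client.
# Assumptions: eth0 is the gateway's public interface, eth1 its LAN side,
# eth0 is wsrv's only interface, and wsrv's default route is 192.168.1.1.
#
# The default is a dry run that prints the commands for review. To apply
# (as root, saved as e.g. nat.sh):  IPT=iptables sh nat.sh gw   or   ... wsrv
IPT="${IPT:-echo iptables}"

EXTIF="eth0"            # assumed: gateway public interface
INTIF="eth1"            # assumed: gateway LAN interface
WSRV_IF="eth0"          # assumed: the web server's LAN interface
EXTIP="212.121.0.1"
LAN="192.168.1.0/24"
WSRV="192.168.1.2"
WPORT="1080"

gateway_rules() {
    # Flush and default-deny, as the posted script does.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Rewrite the destination only; the source stays the visitor's address.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WSRV:$WPORT"

    # Log each new forwarded connection on the gateway (Lukas's first
    # suggestion), then accept it; replies match the ESTABLISHED rule.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WSRV" -p tcp --dport "$WPORT" \
        -m state --state NEW -j LOG --log-prefix "www-fwd: "
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WSRV" -p tcp --dport "$WPORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade only what the LAN itself originates towards the Internet.
    # Deliberately no SNAT towards $WSRV: that is the rule that makes every
    # visitor appear as 192.168.1.1 in access_log.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$EXTIP"
}

webserver_rules() {
    # wsrv: source addresses are now public, so "local hosts only" is
    # enforced by interface and topology (the gateway is the only route
    # into the LAN), not by -s 192.168.1.0/24.
    $IPT -A INPUT -i "$WSRV_IF" -p tcp --dport "$WPORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WSRV_IF" -p tcp --sport "$WPORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The two nat rules of the posted gateway script (interface match dropped),
# kept as a known-bad input for the check below.
posted_rules() {
    $IPT -t nat -A PREROUTING -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WSRV:$WPORT"
    $IPT -t nat -A POSTROUTING -d "$WSRV" -p tcp --dport "$WPORT" \
        -j SNAT --to 192.168.1.1
}

# source_preserved RULEFUNC: 0 if the dry-run listing of RULEFUNC forwards
# port 80 to the web server without any SNAT aimed at it, 1 otherwise.
source_preserved() {
    rules="$( IPT='echo iptables'; "$1" )"
    if printf '%s\n' "$rules" | grep -q -e "-d $WSRV .*-j SNAT"; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -e "-j DNAT --to-destination $WSRV:$WPORT"
}

case "${1:-review}" in
    gw)   gateway_rules ;;
    wsrv) webserver_rules ;;
    *)    source_preserved gateway_rules && echo "gateway rules keep the client address"
          source_preserved posted_rules  || echo "posted rules rewrite it to 192.168.1.1" ;;
esac
```

Run it without arguments for the review verdicts, or with `gw` / `wsrv` and IPT=iptables on the respective host. After applying, a connection from outside should show up on wsrv with the public source address (for example in `netstat -tn` while a request is in flight), and the gateway's kernel log should carry one `www-fwd:` line per new connection.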
 