- 08-11-2011 #1
HTTP Forwarding
Hello, I am forwarding HTTP requests to an internal server. It is
quite successful, but the access logs do not show the IP of the
external machine.
Rather, they show the IP of the machine on which I have enabled
port forwarding instead of the user's machine.
- 08-11-2011 #2
This is one way of solving this
IP Transparency module for Apache Webserver | Zeus Technology
The Apache module is exclusive to Zeus, obviously.
But the general idea might be usable for your solution as well.
You must always face the curtain with a bow.
- 08-12-2011 #3
How are you doing port forwarding? Are you using a home router or something else?
- 08-12-2011 #4
Hello,
Thanks for your replies.
Basically, the router is a CentOS machine (R1) having a public IP. The CentOS system has two NICs (public and private). There are two other CentOS machines (S1 and S2) having private IPs. Port forwarding is done from R1 to S1 and S2. I have managed to forward ports of R1 to S1 and S2, but the HTTP request headers are getting altered with R1's private IP. What I want R1 to do is not alter the packet header with its own IP. It should directly pass the caller's IP through to S1 or S2, which I think is known as Transparent Forwarding.
Please assist.
- 08-12-2011 #5
You'll need to give some specifics of how you're doing the port forwarding. iptables? ssh tunnel? Apache reverse proxy (not actually port forwarding)?
- 08-12-2011 #6
- 08-13-2011 #7
In that case, what is your iptables config?
If you want to do port forwarding, you should be using a "DNAT" target (i.e. -j DNAT) in the PREROUTING chain.
For instance, I believe you should run the following command assuming your private destination IP is 192.168.1.5 and your router/firewall's public interface is eth0.
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.5 -m comment --comment "Destination NAT http and https to the web server"
Of course, I believe you will also need to add a rule allowing http and https traffic to 192.168.1.5, as in:
iptables -t filter -I RH-Firewall-1-INPUT 1 -p tcp -d 192.168.1.5 -m multiport --dports 80,443 -j ACCEPT -m comment --comment "Allow http and https to the web server"
If you want a little round-robin action...
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.5-192.168.1.6 -m comment --comment "Destination NAT http and https to the web cluster"
Let me know if this helps.
Regards,
N
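Added example, not part of the original post: DNAT in PREROUTING rewrites only the destination address, so the web server's access log loses the client IP only when a MASQUERADE or SNAT rule in the nat POSTROUTING chain also matches the forwarded packets. The function below scans `iptables-save` output for such rules; the function names, the sample ruleset and the address 192.168.1.1 are constructed for illustration, and eth0 is assumed to be the public interface as in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): flag nat POSTROUTING rules that would
# rewrite the client source address on traffic forwarded to internal servers.
# Usage on the router: iptables-save | find_source_rewrites eth0
# Assumption: eth0 is the public interface, as in the post above.

find_source_rewrites() {
    pub_if="$1"
    awk -v pub="$pub_if" '
        /^\*/ { table = substr($1, 2); next }      # "*nat", "*filter", ...
        table != "nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
        {
            target = ""; restricted = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                # "-o eth0" without a preceding "!" limits the rule to
                # Internet-bound packets, so forwarded requests keep their source.
                if ($i == "-o" && $(i + 1) == pub && $(i - 1) != "!") restricted = 1
            }
            if ((target == "MASQUERADE" || target == "SNAT") && !restricted)
                print "rewrites client source: " $0
        }
    '
}

# Constructed sample in iptables-save format (192.168.1.5 is the example host above).
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.5
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -d 192.168.1.5/32 -p tcp -j SNAT --to-source 192.168.1.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.5/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

sample_rules | find_source_rewrites eth0
```

Any rule it reports will make the internal server log the router's address instead of the client's; limiting the rule to `-o eth0` keeps outbound masquerading while leaving forwarded requests untouched.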
- 08-13-2011 #8
Hello,
Thank you for your reply.
I think I have sorted the issue. Basically, what I wanted was to pass the packets through without any alteration. Thus I came across the "mangle" constraint of "iptables". I set that rule in the POSTROUTING action, and thus things seem to work the way I wanted. All I wanted is for the Masquerade-enabled machine to avoid packet alteration, basically of the IP, and directly pass the packet to the internal server.


