* port translation
From: Romain Moyne @ 2004-01-11 10:21 UTC (permalink / raw)
To: netfilter
Hello,
I'm French and my English is bad ;)
I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
problem when I want to log the visitor's IP on my website with PHP or
Perl or any language: I always get the IP of my router! Somebody told
me that I must do port translation, but I have searched and haven't
found anything.
Can you help me?
These are the rules of my router:
iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
--to-destination 192.168.0.3:80
Romain
* Re: [despammed] port translation
From: Andreas Kretschmer @ 2004-01-11 10:46 UTC (permalink / raw)
To: netfilter
On Sun, 11.01.2004, at 11:21:17 +0100, Romain Moyne wrote:
> Hello,
>
> I'm French and my English is bad ;)
I'm German and my English is bad, too ;-)
> I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
> problem when I want to log the visitor's IP on my website with PHP or
> Perl or any language: I always get the IP of my router! Somebody told
> me that I must do port translation, but I have searched and haven't
> found anything.
> Can you help me?
> These are the rules of my router:
>
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.0.3:80
With this rule you make a 'DNAT'; the web server can only see the
source IP of your router.
You can install a web server or a proxy for your web server on the
router; then you can see the visitor's IP and you can log it.
Another way is to analyse the logged packets on the router.
Andreas
--
This message was created with the kind support of a free-range penguin
from species-appropriate outdoor husbandry. It is guaranteed free of
Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)
* Re: [despammed] port translation
From: Romain Moyne @ 2004-01-11 11:03 UTC (permalink / raw)
To: Andreas Kretschmer; +Cc: netfilter
Andreas Kretschmer wrote:
>On Sun, 11.01.2004, at 11:21:17 +0100, Romain Moyne wrote:
>>Hello,
>>
>>I'm French and my English is bad ;)
>
>I'm German and my English is bad, too ;-)
>
>>I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
>>problem when I want to log the visitor's IP on my website with PHP or
>>Perl or any language: I always get the IP of my router! Somebody told
>>me that I must do port translation, but I have searched and haven't
>>found anything.
>>Can you help me?
>>These are the rules of my router:
>>
>>iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>>--to-destination 192.168.0.3:80
>
>With this rule you make a 'DNAT'; the web server can only see the
>source IP of your router.
>
>You can install a web server or a proxy for your web server on the
>router; then you can see the visitor's IP and you can log it.
>
>Another way is to analyse the logged packets on the router.
>
>Andreas
Isn't there another possibility? Must I install a proxy? (Will a proxy on
a Pentium 133 MHz run badly?)
* Re: [despammed] port translation
From: Andreas Kretschmer @ 2004-01-11 11:28 UTC (permalink / raw)
To: netfilter
On Sun, 11.01.2004, at 12:03:57 +0100, Romain Moyne wrote:
> Andreas Kretschmer wrote:
> >>iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> >>--to-destination 192.168.0.3:80
> >
> >With this rule you make a 'DNAT'; the web server can only see the
> >source IP of your router.
> >
> >You can install a web server or a proxy for your web server on the
> >router; then you can see the visitor's IP and you can log it.
> >
> >Another way is to analyse the logged packets on the router.
> >
> >Andreas
> Isn't there another possibility? Must I install a proxy? (Will a proxy on
> a Pentium 133 MHz run badly?)
You can use "... -j ULOG" before the PREROUTING rule to hand the packets to a
userspace program for logging and analysis.
If you have enough memory, you can also use a proxy without caching.
Sorry, but I have no experience with the ULOG target, and I can't say more
about the average throughput of a proxy like Squid, but I think, with 64 MByte
RAM, this is no problem.
Andreas
--
This message was created with the kind support of a free-range penguin
from species-appropriate outdoor husbandry. It is guaranteed free of
Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)
* Re: port translation
From: Antony Stone @ 2004-01-11 11:37 UTC (permalink / raw)
To: netfilter
On Sunday 11 January 2004 10:21 am, Romain Moyne wrote:
> Hello,
>
> I'm French and my English is bad ;)
>
> I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
> problem when I want to log the visitor's IP on my website with PHP or
> Perl or any language: I always get the IP of my router! Somebody told
> me that I must do port translation, but I have searched and haven't
> found anything.
> Can you help me?
> These are the rules of my router:
>
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.0.3:80
Do you have another rule, in your POSTROUTING chain, for allowing packets out
of your network? Something such as:
iptables -A POSTROUTING -t nat -j MASQUERADE
or maybe
iptables -A POSTROUTING -t nat -j SNAT --to MyIP
If you do, then simply change this rule to specify the external interface of
your firewall, so that it doesn't do SNAT on packets coming in towards your
webserver. For example:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
or
iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to MyIP
assuming that eth0 is your external interface.
Antony.
--
My New Year's resolution is not to make any resolutions I can't keep.
I'm wondering whether I've failed already.
Please reply to the list;
please don't CC me.
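Antony's point is that a POSTROUTING SNAT or MASQUERADE rule with no interface match rewrites the source of *every* forwarded packet, including the DNATed web traffic heading into the LAN. As an added illustration (not code from the thread), the following Python check parses an `iptables-save`-style nat table and flags POSTROUTING source-NAT rules that are neither pinned to the external interface with `-o` nor narrowed to a specific destination with `-d`. The dump, the addresses and the interface name `ppp0` are constructed for the example; a destination-restricted rule (the hairpin style discussed later in the thread) is treated as deliberate and not flagged.

```python
# Constructed sample in `iptables-save` format; addresses and interface names are
# illustrative (203.0.113.10 is a documentation-range placeholder for MyIP).
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
-A POSTROUTING -j MASQUERADE
-A POSTROUTING ! -o ppp0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o ppp0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.3/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
COMMIT
"""


def parse_nat_rules(dump):
    """Parse '-A CHAIN ...' lines into dicts: chain, out interface, src, dst, target."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        rule = {"chain": tokens[1], "out_if": None, "src": None, "dst": None,
                "target": None, "raw": line}
        for i, tok in enumerate(tokens):
            negated = i > 0 and tokens[i - 1] == "!"
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-o":
                # Keep the negation visible: '! -o ppp0' is NOT pinned to ppp0.
                rule["out_if"] = ("!" if negated else "") + value
            elif tok == "-s":
                rule["src"] = value
            elif tok == "-d":
                rule["dst"] = value
            elif tok == "-j":
                rule["target"] = value
        rules.append(rule)
    return rules


def find_unrestricted_source_nat(dump, external_if):
    """Return the raw text of POSTROUTING SNAT/MASQUERADE rules that would also
    rewrite the source of traffic forwarded into the LAN (so the web server
    logs the router's address instead of the client's)."""
    findings = []
    for rule in parse_nat_rules(dump):
        if rule["chain"] != "POSTROUTING" or rule["target"] not in ("SNAT", "MASQUERADE"):
            continue
        # Pinned to the external interface, or narrowed to one destination: fine.
        if rule["out_if"] == external_if or rule["dst"] is not None:
            continue
        findings.append(rule["raw"])
    return findings


if __name__ == "__main__":
    for raw in find_unrestricted_source_nat(SAMPLE_NAT_DUMP, "ppp0"):
        print("hides client IP from the web server:", raw)
```

On a live router the dump would come from `iptables-save -t nat`; the check only reads text, so it can be run against a saved copy from any machine.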
* Re: port translation
From: Cedric Blancher @ 2004-01-11 12:43 UTC (permalink / raw)
To: Romain Moyne; +Cc: netfilter
On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
> I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
> problem when I want to log the visitor's IP on my website with PHP or
> Perl or any language: I always get the IP of my router! Somebody told
> me that I must do port translation, but I have searched and haven't
> found anything.
> Can you help me?
> These are the rules of my router:
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.0.3:80
You have a problem here. This single rule does not prevent your
webserver from seeing the client IP as source, as you only modify the
destination IP.
You may have a SNAT rule in the POSTROUTING chain that is not restrictive
enough and also SNATs incoming traffic to your router's IP when it should
not.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: port translation
From: Romain Moyne @ 2004-01-11 12:53 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
>On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
>>I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
>>problem when I want to log the visitor's IP on my website with PHP or
>>Perl or any language: I always get the IP of my router! Somebody told
>>me that I must do port translation, but I have searched and haven't
>>found anything.
>>Can you help me?
>>These are the rules of my router:
>>iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>>--to-destination 192.168.0.3:80
>
>You have a problem here. This single rule does not prevent your
>webserver from seeing the client IP as source, as you only modify the
>destination IP.
>
>You may have a SNAT rule in the POSTROUTING chain that is not restrictive
>enough and also SNATs incoming traffic to your router's IP when it should
>not.
OK. I begin to understand... Now I have corrected my rules:
iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
But now I have a new problem: my router, my HTTP server and my
workstation are connected with a hub.
            ppp0                eth0
INTERNET ------- 192.168.0.1 (router) ------+------ 192.168.0.3 (http server)
                                            |
                                            |
                                 192.168.0.2 (workstation)
I can't access my webserver from my workstation and it is very painful....
Can you still help me? :-D
Romain
* Re: port translation
From: Antony Stone @ 2004-01-11 13:03 UTC (permalink / raw)
To: netfilter
On Sunday 11 January 2004 12:53 pm, Romain Moyne wrote:
> OK. I begin to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source \
> My_ip_on_internet
That looks better.
> But now I have a new problem: my router, my HTTP server and my
> workstation are connected with a hub.
>
>             ppp0                eth0
> INTERNET ------- 192.168.0.1 (router) ------+------ 192.168.0.3 (http server)
>                                             |
>                                  192.168.0.2 (workstation)
>
> I can't access my webserver from my workstation and it is very painful....
Are you trying to access the webserver by IP address or by hostname?
If by IP address, make sure it is the private (real) address.
If by hostname, make sure your DNS correctly resolves internal queries to the
internal address and external queries to the external address.
The correct solution to this problem, of course, is that you should have your
web server on a separate ("DMZ") interface, because it is accessible from
both the internal and external networks, and should be kept separate from
both, for both security and routing reasons.
Regards,
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
Please reply to the list;
please don't CC me.
* Re: port translation
From: Cedric Blancher @ 2004-01-11 13:32 UTC (permalink / raw)
To: Romain Moyne; +Cc: netfilter
On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
> OK. I begin to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
OK, fine. Now it should work ;)
> But now I have a new problem: my router, my HTTP server and my
> workstation are connected with a hub.
[Snip ASCII art]
> I can't access my webserver from my workstation and it is very painful....
> Can you still help me? :-D
To complete Antony's answer, trying to reach your webserver from your
LAN with its public IP is a common issue that constitutes a FAQ.
We will describe what happens when your workstation (WS) tries to
connect to your webserver (WB) via your router (R) public IP (PPP0).
WS sends a SYN to R, port 80
SYN : WS -> PPP0
R receives the SYN and DNATs it to WB, port 80
SYN : WS -> WB
WB receives the SYN and answers.
SYN,ACK : WB -> WS
But, as WB and WS are on the same network, WB answers directly to WS,
without using R as gateway. So, WS receives a SYN,ACK from WB, but was
waiting for a SYN,ACK from PPP0. That's why the connection fails.
To address this issue, you have to SNAT this kind of connection on the
router so WB answers through R:
iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
I completely agree with Antony's advice on DMZ use. From a security point of
view, redirecting a service within the LAN is a major architectural flaw.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: port translation
From: Romain Moyne @ 2004-01-11 13:45 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
>On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
>>OK. I begin to understand... Now I have corrected my rules:
>>iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
>
>OK, fine. Now it should work ;)
>
>>But now I have a new problem: my router, my HTTP server and my
>>workstation are connected with a hub.
>[Snip ASCII art]
>>I can't access my webserver from my workstation and it is very painful....
>>Can you still help me? :-D
>
>To complete Antony's answer, trying to reach your webserver from your
>LAN with its public IP is a common issue that constitutes a FAQ.
>
>We will describe what happens when your workstation (WS) tries to
>connect to your webserver (WB) via your router (R) public IP (PPP0).
>
> WS sends a SYN to R, port 80
> SYN : WS -> PPP0
>
> R receives the SYN and DNATs it to WB, port 80
> SYN : WS -> WB
>
> WB receives the SYN and answers.
> SYN,ACK : WB -> WS
>
>But, as WB and WS are on the same network, WB answers directly to WS,
>without using R as gateway. So, WS receives a SYN,ACK from WB, but was
>waiting for a SYN,ACK from PPP0. That's why the connection fails.
>
>To address this issue, you have to SNAT this kind of connection on the
>router so WB answers through R:
>
> iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
What must I write instead of $LAN and $ETH0?
>I completely agree with Antony's advice on DMZ use. From a security point of
>view, redirecting a service within the LAN is a major architectural flaw.
* Re: port translation
From: Antony Stone @ 2004-01-11 13:55 UTC (permalink / raw)
To: netfilter
On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:
> Cedric Blancher wrote:
>
> > iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>
> What must I write instead of $LAN and $ETH0?
$LAN is the network range of the machines you might have packets coming from
(note it is the source address in the above rule) and $ETH0 is the IP address
of the interface on your netfilter machine.
Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?
Antony.
--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
Please reply to the list;
please don't CC me.
* Re: port translation
From: Romain Moyne @ 2004-01-11 14:03 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Antony Stone wrote:
>On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:
>>Cedric Blancher wrote:
>>> iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>>What must I write instead of $LAN and $ETH0?
>
>$LAN is the network range of the machines you might have packets coming from
>(note it is the source address in the above rule) and $ETH0 is the IP address
>of the interface on your netfilter machine.
>
>Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?
>
>Antony.
Thanks to everybody! It works fine now ;)
Thank you
Romain
* Re: port translation
From: Bill Davidsen @ 2004-01-16 22:32 UTC (permalink / raw)
To: netfilter
Romain Moyne wrote:
> Hello,
>
> I'm French and my English is bad ;)
>
> I have an HTTP server (Debian 3.0) behind a router (Debian 3.0). I have a
> problem when I want to log the visitor's IP on my website with PHP or
> Perl or any language: I always get the IP of my router! Somebody told
> me that I must do port translation, but I have searched and haven't
> found anything.
> Can you help me?
> These are the rules of my router:
>
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.0.3:80
Something wrong here... you would see the IP of the router if you were
doing MASQUERADE, but not with DNAT. I have a similar setup, and my mail
server filters LOTS of addresses by IP.
You should be sure you don't have a leftover MASQUERADE (or SNAT) rule
which is being used, then run tcpdump on the internal NIC of the router
and catch the packets as they leave. DNAT does just what you want, and I
have a fair number of machines running as routers which don't have this
problem.
--
bill davidsen <davidsen@tmr.com>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979