Your last rule is the same as a MASQUERADE rule.

eg:

    iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE

With MASQUERADE or SNAT, you are modifying the source IP address as it goes through the first server. The 2nd server sees the packet and sends its response back to that IP, which is then sent back to the client.

However, the server sees the request as coming from 192.168.1.10 - because that's where it's coming from.

client > gateway > iptables-router > server (sees .10) > iptables-router > gateway > client

If you remove the MASQUERADE/SNAT, the server sees the real IP, but when it sends the reply, the packet is going to its default gateway (default route), which is probably your router or a gateway at your data center. The client gets a response back from an IP address it doesn't know about, and doesn't know what to do with it, so it looks like it's not working. Alternatively, the gateway/router sees a SYNACK with no associated connection and drops the packet.

client > gateway > iptables-router > server > gateway (DROP) or > client (DROP)

If you want the server to get the real IP of the client, here are two common ways to make it work:

1. Set the gateway (default route) of the server to the IP address of the iptables machine (ie: the machine you are running these iptables rules on). In this case, the server sends all external traffic (ie: a response to a random IP address from the internet) to the MAC address of the iptables machine, which is waiting for a reply. iptables will send it back to the client. The webserver machine is *behind* the iptables machine, using the iptables machine as a router.

client > gateway > iptables-router > server(real IP) > iptables-router > gateway > client

2. Use an HTTP proxy like nginx which will work the same way you have it working now, with the client only seeing the internal .10 address. However, because it's a proxy, it can send an HTTP header like X-Original-IP-Address: 123.456.789.012 containing the real IP address of the client.

client > gateway > iptables-router > server (sees X-Original-IP header) > iptables-router > gateway > client

Best Regards, Neale
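The first option above, as an added shell example that is not part of Neale's answer: it generates the rule set for forwarding a public port to the web server with DNAT only, no SNAT/MASQUERADE, so the server sees the real client address. The interface names, the server address 192.168.1.20 and the port are assumed placeholders, and the script prints the rules (DRY_RUN=1) rather than applying them unless told otherwise.

```shell
#!/bin/sh
# Added example: DNAT a public port to the web server WITHOUT SNAT/MASQUERADE,
# so the server sees the real client IP. This only works if the server's
# default route points at this iptables host (option 1 in the answer);
# otherwise its replies leave via the wrong gateway and get dropped.
# Interfaces, server address and port are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SERVER_IP="${SERVER_IP:-192.168.1.20}"   # constructed address of the web server
PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the rules, 0 = apply them

# Wrapper so the rule set can be reviewed unprivileged before it is applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule set. Note what is absent: no POSTROUTING SNAT/MASQUERADE rule,
# which is the rule that would rewrite the client address to this host's own.
transparent_dnat_rules() {
    # Rewrite the destination of inbound traffic on the public interface.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"
    # Allow the DNATed flow through to the server ...
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and the server's replies back out. Because the server routes via
    # this host, conntrack un-DNATs the reply's source before the client sees it.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Without forwarding enabled the kernel drops transit packets regardless of rules.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

if [ "$DRY_RUN" != "1" ] && ! forwarding_enabled; then
    echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
    exit 1
fi
transparent_dnat_rules
```

Run it with DRY_RUN=0 as root once the server's default route points at this host; until then the printed rules can be diffed against the existing nat and FORWARD chains.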