Hi,
I have a debian box setup as a gateway/firewall using iptables, and a second box to run a web site.

The rules work fine and everything is working.

What I would like to do is to be able to preserve the original ip address of the visitor going to the web server, for log stats, etc. Right now the ip address is always the ip of the gateway/firewall box.

I googled around and it mentions something about using MARK?

Does someone have a howto the can send me to that describes doing this?

Thanks

http://www.bec.at/support/iptables-tutorial/index.html

Sections 10.3.10 and 11.8 at the above link should explain the MARK functionality for you.

Sasha

PS - Welcome to LQ

I looked through that, but it seems to mostly talk about load balancing and splitting isp connections.

There must be a simple example out there for this, I can't believe I am the only one with a setup like this?

Linux firewall box
Linux web box

Simply want originating ip address passed to web box. Seems like a reasonable and common thing to me.

It sounds like you're doing SNAT for inbound packets (typically it's only done for outbound ones). Otherwise, the original source IP addresses on the packets should remain. Please post the output of this from the gateway/firewall:

And actually, regardless of what's happening to the incoming traffic, I would think that a "LOG" target as the first action on the incoming traffic at the firewall box, would accurately record the incoming IP. You could further log the masquerade/DNAT/SNAT traffic rules, so you could if you really wanted to, track what IP's traffic went where.

MARK is often used for marking traffic so that something like a shaper can identify it, though probably other reasons too, but I'm not really sure you need MARK for what you're trying to do.

Anyhow, as Win32sux wrote, posting that output may clarify things.

Sasha

To re-clarify.

I have 2 seperate linux boxes, one for the firewall/gateway and one for the web server.

I need the originating ip address kept in-tact for the web server.

To get traffic from the firewall to the web server I do this:

$IPTABLES -A FORWARD -i $INET_IFACE -o $INET_IFACE2 -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -dport 80 -j DNAT --to 192.168.1.100

$INET_IFACE is eth0 going the the internet
$INET_IFACE2 is eth1 connecting to the network that has the web server.

This works, but DNAT of course re-writes the incoming ip address from the internet before it is sent to the webserver, so the webserver only sees the ip address assigned to eth1 on the gateway.

Is there another way? The only thing I found so far that is supposed to preserve the ip address as it passes through the firewall is to use the MARK option and a routing table.

DNAT only changes the destination IP. It has nothing to do with the source IP which the server sees. Could you post the requested output please, so that we may see what's going on in your NAT table?

Shoot , I should have done that to begin with. It turns out I had a snat in my iptables config that was messing things up.

Well, thanks for the help. It is doing what I wanted now.

Glad you worked things out. HTH.