Wednesday, 15 June 2011

With iptables, forwarding a port to another client but with recognition of the original sender IP

I have a firewall (based on iptables) on a dedicated Ubuntu server. It has several LAN clients.

On one of the LAN clients, software is running that can restrict access based on IP. It is important to me that it can restrict using WAN IPs, not LAN IPs.

I have configured the firewall so that one port is forwarded to the LAN client, and it works (solution found at StackOverflow). So far no problems.

However, the LAN client does not see the IP of the external sender; I think this is due to the forwarding. The client sees the packet coming from the LAN server.

My question is: how do I forward a port on the server to a LAN IP and a different port, so that the LAN client recognizes the external IP of the packet?

Let me make it more clear:

server LAN IP: 192.168.1.10, server port: 8080

should be forwarded to: client LAN IP: 192.168.1.20, client LAN port: 8000

With iptables I have:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -d 192.168.1.10 -j DNAT --to 192.168.1.20:8000
iptables -A FORWARD -p tcp -d 192.168.1.20 --dport 8000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 8000 -d 192.168.1.20 -j SNAT --to 192.168.1.10

As written, this works, but when for instance IP 88.77.66.55 sends a packet, the LAN client (192.168.1.20) sees the packet coming from the LAN server (192.168.1.10) and unfortunately not from 88.77.66.55.

Can I fix that...?

Your last rule is the same as a MASQUERADE rule.

e.g.:

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE

With MASQUERADE or SNAT, you modify the source IP address as it goes through the first server. The second server sees the packet and sends its response to that IP, which then sends it on to the client.

However, the server sees the request as coming from 192.168.1.10, because that's where it's coming from.

client > gateway > iptables-router > server (sees .10) > iptables-router > gateway > client

If you remove the MASQUERADE/SNAT, the server sees the real IP, but when it sends the reply, the packet goes to its default gateway (default route), the router or gateway at the info center. The client gets a response from an IP address it doesn't know about, and since it doesn't know it, it looks like it's not working. Alternatively, the gateway/router sees a SYN-ACK with no associated connection and drops the packet.

client > gateway > iptables-router > server > gateway (drop) or > client (drop)

If you want the server to see the real IP of the client, here are two possible ways to make it work:

1. Set the gateway (default route) of the server to the IP address of the iptables machine (i.e. the machine running these iptables rules). In that case, the server sends external traffic (i.e. a response to a random IP address on the internet) to the MAC address of the iptables machine, waiting for a reply. iptables then sends it to the client. The webserver machine is behind the iptables machine, using the iptables machine as its router.

client > gateway > iptables-router > server(real ip) > iptables-router > gateway > client

2. Use an HTTP proxy like nginx, which works the same way as what you have working now, with the client seeing the internal .10 address. However, because it's a proxy, it can send an HTTP header like x-original-ip-address: 123.456.789.012 containing the real IP address of the client.

client > gateway > iptables-router > server (sees x-original-ip header) > iptables-router > gateway > client

Best regards, Neale
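The first fix described in the answer (make the iptables box the LAN client's default gateway and drop the SNAT rule), as an added shell example that is not part of the original question or answer. It assumes the addresses from the question, that eth0 is the only interface on the iptables box (the post names no other), and that the LAN client is Linux so `ip route` applies; the iptables-save excerpts used by the check are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or its author.
# Assumptions: the iptables box has 192.168.1.10 on eth0 (the only interface the
# post names), the LAN client runs the service on 192.168.1.20:8000, the public
# port is 8080, and the LAN client's default route will be pointed at 192.168.1.10.
ROUTER_LAN_IP=192.168.1.10
WAN_IF=eth0
SERVER_IP=192.168.1.20
SERVER_PORT=8000
PUBLIC_PORT=8080

# Emit the rule set for the "router is the server's default gateway" variant.
# Only DNAT is used; there is deliberately no SNAT/MASQUERADE on this flow, so the
# LAN client sees the external source address, and its replies come back through
# the iptables box, where conntrack restores the original destination (.10:8080).
rule_set() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $ROUTER_LAN_IP --dport $PUBLIC_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT
iptables -A FORWARD -p tcp -d $SERVER_IP --dport $SERVER_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $SERVER_IP --sport $SERVER_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run on the LAN client (assumed Linux): send all non-local traffic via the iptables box.
client_route() {
    echo "ip route replace default via $ROUTER_LAN_IP"
}

# Check an iptables-save dump for a POSTROUTING SNAT/MASQUERADE rule that would
# rewrite the source of the forwarded flow again: one that names the server, or a
# catch-all with no -d. This is conservative: it also flags a WAN-only MASQUERADE,
# which on a one-armed router with a single interface really would hide the source.
# Returns 0 when such a rule is present, 1 otherwise.
has_source_rewrite() {
    printf '%s\n' "$1" | awk -v srv="$SERVER_IP" '
        /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ {
            if ($0 !~ /-d /) found = 1
            else if (index($0, "-d " srv "/32") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed iptables-save excerpts: the rules from the question (with the SNAT that
# hides the sender) and the same table with that rule removed.
BEFORE_DUMP='*nat
-A PREROUTING -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:8000
-A POSTROUTING -d 192.168.1.20/32 -p tcp -m tcp --dport 8000 -j SNAT --to-source 192.168.1.10
COMMIT'
AFTER_DUMP='*nat
-A PREROUTING -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:8000
COMMIT'

if has_source_rewrite "$BEFORE_DUMP"; then
    echo "before: a POSTROUTING rule still rewrites the source of the forwarded flow"
fi
if ! has_source_rewrite "$AFTER_DUMP"; then
    echo "after: no source rewrite; apply on the iptables box and the LAN client with:"
    rule_set
    client_route
fi
```

The check runs against `iptables-save` output (`has_source_rewrite "$(iptables-save -t nat)"` on the router) and is the quick way to confirm that no leftover SNAT or catch-all MASQUERADE is re-hiding the sender after the client's route has been changed. For the second option in the answer, the equivalent nginx directive for passing the client address upstream is `proxy_set_header X-Real-IP $remote_addr;`; the header name the answer uses is illustrative, and the upstream software has to be configured to trust whichever header the proxy sets.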

iptables
