This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Logging actual source IP

Hi all. Here's a real dumb question...

I have several applications like phpBB, Gallery, Chat, FileShares, Squirelmail etc, behind ASL and I noticed recently, doooh!, that if an internet user goes into any of these apps, the IP that is logged is my firewall's 192. network instead of their actual IP.

So, for example, my firewalls internal IP is 192.168.1.1 and my apps server is 192.168.1.3. A user coming in browsing my BB is logged as 192.168.1.1 and not his actual internet IP.

Have I misconfigured something or is that how it is with ASL?

Any suggestion or recommendation is mucho appreciated.

Thanks!
jav

This thread was automatically locked due to age.

Parents

0 javelin over 20 years ago
Hello again.

I've been away for sometime and didn't get a chance to implement everyone's suggestion. I appreciate everyone's time for helping me out.

I used the following NAT as some have suggested but I can't get to my webserver from the internet:

Code:

Name Match Parameters SRC Translation DST Translation
web_services Any -> inwall (Address) / HTTP None amed/HTTP

Packet Filter Rules:
Source             Service              Destination
Any    0.0.0.0/0   HTTP    0.0.0.0/0    amed

Here's my network configuration. To the eye of the experienced, you may see the problem right away. But for a novice like me, I'm still wondering around.

ASL SERVER:Code:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
24.nnn.nn.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
68.nnn.nn.0     0.0.0.0         255.255.254.0   U         0 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         24.nnn.nn.1     0.0.0.0         UG        0 0          0 eth2

where:
24.nnn.nn.1 is my Forwarding Name Servers or eth2
192.168.1.0 is my internal network or eth0
68.nnn.nn.0 is my external network or eth2

ifconfig eth0:
eth0    Link encap:Ethernet  HWaddr 00:03:6D:10:93:96
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ifconfig eth2:
eth2    Link encap:Ethernet  HWaddr 00:50:FC:78:3D:41
          inet addr:68.n.n.n  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1

WEBSERVER:
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

ifconfig eth1:
eth1    Link encap:Ethernet  HWaddr 00:20:35:68:6B:3A
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0

Any suggestion and ideas you can provide me is greatly appreciated...

Thanks!
jav
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 javelin over 20 years ago
Hello again.

I've been away for sometime and didn't get a chance to implement everyone's suggestion. I appreciate everyone's time for helping me out.

I used the following NAT as some have suggested but I can't get to my webserver from the internet:

Code:

Name Match Parameters SRC Translation DST Translation
web_services Any -> inwall (Address) / HTTP None amed/HTTP

Packet Filter Rules:
Source             Service              Destination
Any    0.0.0.0/0   HTTP    0.0.0.0/0    amed

Here's my network configuration. To the eye of the experienced, you may see the problem right away. But for a novice like me, I'm still wondering around.

ASL SERVER:Code:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
24.nnn.nn.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
68.nnn.nn.0     0.0.0.0         255.255.254.0   U         0 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         24.nnn.nn.1     0.0.0.0         UG        0 0          0 eth2

where:
24.nnn.nn.1 is my Forwarding Name Servers or eth2
192.168.1.0 is my internal network or eth0
68.nnn.nn.0 is my external network or eth2

ifconfig eth0:
eth0    Link encap:Ethernet  HWaddr 00:03:6D:10:93:96
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ifconfig eth2:
eth2    Link encap:Ethernet  HWaddr 00:50:FC:78:3D:41
          inet addr:68.n.n.n  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1

WEBSERVER:
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

ifconfig eth1:
eth1    Link encap:Ethernet  HWaddr 00:20:35:68:6B:3A
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0

Any suggestion and ideas you can provide me is greatly appreciated...

Thanks!
jav
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BarryG over 20 years ago in reply to javelin

Take a look at the packetfilter live log while having someone try to get to your webserver.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

0 javelin over 20 years ago in reply to BarryG

[ QUOTE ]
Take a look at the packetfilter live log while having someone try to get to your webserver.
Barry

[/ QUOTE ]

Hi Barry.

I did as you suggested but I didn't see the source IP being dropped or rejected. However, looking at the Current Connection Tracking, I noticed the following:
Code:

tcp      6 116 SYN_SENT src=151.nnn.nnn.nnn dst=68.nnn.nn.nnn sport=44913 dport=80 [UNREPLIED] src=192.168.1.3 dst=151.nnn.nnn.nnn sport=80 dport=44913 use=1

The webserver(192.168.1.3) never returned a SYN_ACK to the external source IP(151.nnn.nnn.nnn) so that connection just sits there until it times out.

Here's my Current System NAT Rules:
Code:

Chain USR_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
   18  1080 DNAT       tcp  --  *      *       0.0.0.0/0            68.188.84.235       tcp spts:1024:65535 dpt:80 to:192.168.1.3:80

Chain USR_PRE (1 references)
pkts bytes target     prot opt in     out     source               destination
    6   384 DNAT       tcp  --  *      *       0.0.0.0/0            68.188.84.235       tcp spts:1024:65535 dpt:80 to:192.168.1.3:80

Now, with source translation(not what I want but just to show the difference):
Code:

tcp      6 97 SYN_SENT src=151.nnn.nnn.nnn dst=68.nnn.nn.nnn sport=53871 dport=80 [UNREPLIED] src=192.168.1.3 dst=151.nnn.nnn.nnn sport=80 dport=53871 use=1
tcp      6 115 TIME_WAIT src=151.nnn.nnn.nnn dst=68.nnn.nn.nnn sport=54218 dport=80 src=192.168.1.3 dst=192.168.1.1 sport=80 dport=54218 [ASSURED] use=1

In this case the external source IP received a confirmation(through sourcing using ASL's 192.168.1.1 network) and the communication continues.

What could be preventing the webserver(192.168.1.3 with DNAT) from sending back an ACK? Are there any other logs that I should be looking at?

Any other thoughts, ideas, or suggestion is much appreciated. With you and others continuing to provide an input, I'm sure the answer will arise soon...I've not given up yet... [:S]

Thanks!
jav

0 BarryG over 20 years ago in reply to javelin

Looks like you don't have a gateway set on your webserver!

set it to the DMZ ASL address (192.168.1.1 probably)

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 javelin over 20 years ago in reply to BarryG
[ QUOTE ]
Looks like you don't have a gateway set on your webserver!

set it to the DMZ ASL address (192.168.1.1 probably)

Barry

[/ QUOTE ]

Barry, you're a wonderful person! You and everyone who have put time and effort to help me out I hereby extend my humble gratitude.

With your last suggestion, and my thanks to firebear as well who had the right idea but I've managed to overlooked, finally was the right solution to my seemingly difficult problem.

Soon after I reconfigured my webserver to use ASL(192.168.1.1) as  the default gateway, source IPs are now being logged accurately and in fact.

For those who may run into this same issue, the following is the command I used in my webserver to set my default gateway:
Code:

/sbin/route add default gw 192.168.1.1

where 192.168.1.1 is my ASL's secondary interface

[root@amed logs]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

tcp      6 79 TIME_WAIT src=151.nnn.nnn.nnn dst=68.nnn.nn.nnn sport=56546 dport=80 src=192.168.1.3 dst=151.nnn.nnn.nnn sport=80 dport=56546 [ASSURED] use=1

SYN_ACK is sent from the webserver and received from the client and communication continues.

I would have given up if not for everyone's patience and persistence. I've learned a great deal. I appreciate everyone's help and I'm very thankful.

jav
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 20 years ago in reply to javelin

OK.
What you've done will only last until the next reboot of your server.
You should be able to permanently set the gateway on it.

Look at /etc/sysconfig/network on the server.
there should be a
GATEWAY=
line there. put your ASL's DMZ IP into that.

Barry
Cancel
Vote Up 0 Vote Down

Cancel