Website Getting Wrong IP

[Hovercat]

"Router" PC:

Code:

root@NETWORK-SERVER:~# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 NETWORK-SERVER.loca:ssh 192.168.1.174:4361      ESTABLISHED
tcp        0      0 NETWORK-SERVER.loca:ssh 192.168.1.247:50139     ESTABLISHED

Website PC:

Code:

neroot@asskickersunited-server:~# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 asskickersunited-se:www 192.168.1.1:50204       TIME_WAIT
tcp        0      0 asskickersunited-se:www 192.168.1.1:50205       TIME_WAIT
tcp        0      0 asskickersunited-se:www 192.168.1.1:58125       TIME_WAIT
tcp        0      0 asskickersunited-se:www 192.168.1.1:58122       TIME_WAIT
tcp        0      0 asskickersunited-se:ssh burns-43144489e:4374    ESTABLISHED

[lmarmisa]

Plase, repeat the command adding the -n option (in this case the reverse DNS is not made):

Code:

luis@UB1010ENG:~$ netstat -t -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.2.92:51792      66.249.92.104:443       ESTABLISHED
tcp        0      0 192.168.2.92:37146      212.170.244.4:80        ESTABLISHED
tcp        0      0 192.168.2.92:60753      66.249.92.104:80        ESTABLISHED
tcp        0      0 192.168.2.92:38182      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:45853      66.249.92.100:80        ESTABLISHED
tcp        0      0 192.168.2.92:38178      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:60754      66.249.92.104:80        ESTABLISHED
tcp        0      0 192.168.2.92:38183      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:40889      194.30.24.49:80         ESTABLISHED
tcp        0      0 192.168.2.92:38184      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:38881      66.249.92.142:80        TIME_WAIT  
tcp        0      0 192.168.2.92:54529      66.249.92.132:80        ESTABLISHED
tcp        0      0 192.168.2.92:38180      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:38177      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:58396      208.81.234.17:80        ESTABLISHED
tcp        0      0 192.168.2.92:54523      66.249.92.132:80        ESTABLISHED
tcp        0      0 192.168.2.92:45854      66.249.92.100:80        ESTABLISHED
tcp        0      0 192.168.2.92:38155      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:37138      212.170.244.4:80        ESTABLISHED
tcp        0      0 192.168.2.92:38179      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:38185      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:47903      62.97.133.71:80         ESTABLISHED
tcp        0      0 192.168.2.92:45850      66.249.92.100:80        ESTABLISHED
tcp        0      0 192.168.2.92:41132      81.93.215.132:80        ESTABLISHED
tcp        0      0 192.168.2.92:54894      91.216.63.240:80        ESTABLISHED
tcp        0      0 192.168.2.92:38181      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:33251      66.249.92.100:443       ESTABLISHED
tcp        0      0 192.168.2.92:60750      66.249.92.104:80        ESTABLISHED
tcp        0      0 192.168.2.92:38186      213.198.96.37:80        ESTABLISHED
tcp        0      0 192.168.2.92:43137      93.184.220.20:80        ESTABLISHED
tcp        0      0 192.168.2.92:60749      66.249.92.104:80        ESTABLISHED

[Hovercat]

Router PC:

Code:

root@NETWORK-SERVER:~# netstat -t -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          192.168.1.174:4625      ESTABLISHED
tcp        0      0 192.168.1.1:22          192.168.1.247:50139     ESTABLISHED

Website PC:

Code:

root@asskickersunited-server:~# netstat -t -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.173:80        192.168.1.1:57878       TIME_WAIT
tcp        0      0 192.168.1.173:80        192.168.1.1:55004       TIME_WAIT
tcp        0      0 192.168.1.173:22        192.168.1.174:4397      ESTABLISHED
tcp        0      0 192.168.1.173:22        192.168.1.174:4626      ESTABLISHED
tcp        0  23360 192.168.1.173:80        192.168.1.1:57881       ESTABLISHED
tcp        0      0 192.168.1.173:80        192.168.1.1:55002       TIME_WAIT

[lmarmisa]

My theory seems correct.

Foreign addresses associated to connections to the port 80 of your Website PC are always 192.168.1.1 : portx.

This is wrong (really it is partially wrong).

It is not fully wrong because the NAT is partially operative.

But it is partially wrong because the origin of the connection is unknown for your Website PC.

The implementation of the NAT is not good enough. The rules of iptables should be changed in some way.

NOTE: command netstat is not useful for the Router PC, because the packets are switched and are not delivered to this PC.

[Hovercat]

Do you know how to change this?

[lmarmisa]

I am sorry, but this is out of reach for me.

[Hovercat]

Oh alright.

Well, hopefully someone else will reply!

[lmarmisa]

I have sent a private message to you with my email address. Send me an email if you need more help.

Best regards,

Luis

[SeijiSensei]

What you see is a consequence of these rules:

Code:

-A PREROUTING -d 173.2.167.83/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.173:80
-A POSTROUTING -d 192.168.1.173/32 -j MASQUERADE

The first rewrites inbound requests for 173.2.167.83:80 to have the private address of your server as the destination address. Then the masquerading rule tells the router to rewrite these packets as if it were sending them rather than machines outside. You could try commenting out the MASQUERADE rule and see what happens. It might work the way you want, or it might fail miserably.

One solution I've used in this situation is to run Apache in "reverse proxy" mode on the router.

However I find it more convenient simply to forward the requests directly to the web server. I use an application-level TCP proxy for this task. I compiled a copy from the tarball, but the .deb package on that site might work with Ubuntu as well. In some applications I call tcpproxy from xinetd so I can wrap it with more security restrictions. For instance, at one site I forward inbound SMTP requests to an internal mail server and use /etc/hosts.allow and /etc/hosts.deny with xinetd to block mail from servers located in non-US/CA country-code domains. xinetd invokes tcpproxy when requests matching entries in hosts. allow arrive and refuses to forward any others.

[Hovercat]

Okay, I'll look into that.

Thanks.