Score:0

Forward port on VM and keep source IP


I want to forward port 80 from the proxy to nginx and keep the original IP. My current structure:


Proxy VM (192.168.0.104) - VM with iptables that redirects all traffic from port 80 to 192.168.0.106:80  
Nginx VM (192.168.0.106) - VM with the default nginx web page on port 80

For example, I opened a web browser (local IP: 192.168.0.103) and entered 192.168.0.104 in the address field, then I got the default Nginx web page. In the Nginx logs I want to see something like this: "192.168.0.103 -- [06/Nov/2022:19:10:38 +0600] ...", where the source IP remains the original one.

Iptables script on the Proxy VM (192.168.0.104)

#!/bin/bash

IPT=/sbin/iptables

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# apt install conntrack # if error 
conntrack --flush

IF_IN=enp0s3
PORT_IN=80

IP_OUT=192.168.0.106
PORT_OUT=80

echo "1" > /proc/sys/net/ipv4/ip_forward

# Rewrite the destination of port-80 traffic arriving on $IF_IN to the nginx VM
$IPT -A PREROUTING -t nat -i $IF_IN -p tcp --dport $PORT_IN -j DNAT --to-destination ${IP_OUT}:${PORT_OUT}
# Allow the DNATed packets through; the FORWARD chain already sees the rewritten destination port
$IPT -A FORWARD -p tcp -i $IF_IN --dport $PORT_OUT -j ACCEPT
# Rewrite the source of forwarded packets to the proxy's own address on $IF_IN;
# this is the rule that replaces the client IP with 192.168.0.104 as seen by nginx
$IPT -A POSTROUTING -o $IF_IN -t nat -j MASQUERADE

This configuration allows me to access the web page from the local network via 192.168.0.104, but it does not preserve my original IP address.
Does anyone know how to do this trick?

Score:0

Forwarding traffic with iptables while keeping the client IP is only possible (using DNAT) if your proxy is also your default gateway, or with some other routing trickery.

The most suitable options you have (in my opinion) are:

1. DNAT on your router

Configure your proxy VM as a router. Let all traffic for your web server go through this router (default gateway). Next, set up Destination NAT on your router.

2. Use a L7 proxy

Use a layer 7 proxy which understands HTTP traffic (nginx, haproxy, ...). This proxy can set an HTTP header which is set to the original client IP.

nginx

Add the following to your configuration:

proxy_set_header   X-Real-IP          $remote_addr;

HAProxy

Add the following to your configuration:

frontend *your_frontend*
  option forwardfor header X-Real-IP
  http-request set-header X-Real-IP %[src]
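A complete configuration for option 2 above, added here as an illustration and not part of the original answer: the proxy VM runs nginx as a reverse proxy and passes the client address in X-Real-IP, and the nginx VM is told to trust that header only when the connection comes from the proxy, so its access log shows the original client (192.168.0.103 in the question) instead of 192.168.0.104. The IP addresses are the ones from the question; the two halves go into the nginx configuration of the respective VM (the second half in the http or server context). The same backend setting works with the HAProxy lines above, since they set the same header name.

```nginx
# --- Proxy VM (192.168.0.104): reverse proxy instead of the iptables DNAT/MASQUERADE rules ---
server {
    listen 80;

    location / {
        proxy_pass http://192.168.0.106:80;
        # Preserve the original Host header for virtual hosts on the backend
        proxy_set_header Host            $host;
        # Address of the TCP peer that connected to the proxy, i.e. the real client
        proxy_set_header X-Real-IP       $remote_addr;
        # Append the client to any X-Forwarded-For chain already present
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Nginx VM (192.168.0.106): make $remote_addr reflect X-Real-IP (ngx_http_realip_module) ---
# Only connections from the proxy itself are allowed to override the client address.
# Without this restriction, anyone who can reach 192.168.0.106 directly could forge
# the header and write an arbitrary "client" address into the access log.
set_real_ip_from 192.168.0.104;
real_ip_header   X-Real-IP;
```

After reloading both instances, the default combined log format on the nginx VM logs $remote_addr, which is now the client address taken from the trusted header; to keep the proxy's address as well, log $realip_remote_addr alongside it.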