iptables NAT port forwarding and Apache log IPs

Thanks to quanta, I can now use iptables to port forward SSH through to servers behind the firewall using a single IP and multiple ports - original question here.

However, if I use this technique to port forward http traffic to an Apache server outside the firewall's LAN, the IP that gets stamped in Apache's log is the firewall's, not the IP of the PC that made the original request.

Is there any way to change this, or is there another field I need in the Apache log to capture this information?


Solution 1:

You need a Layer 4 device (such as squid, apache in proxy mode, or a dedicated load balancer such as an F5 or Netscaler) if you want information about the original host making the request. If you do a straight NAT translation, then all requests will appear (correctly) to be from the host with the public IP address that is connecting to the server.

A Layer 4 device or server can add either a Via:, X-Forwarded-For:, or other arbitrary header to the HTTP request to the server. The server can then (if it desires) use that information about the original client. Netscaler (Citrix) publishes an Apache plugin which allows you to rewrite the Apache request with the value of said arbitrary HTTP header, for example.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more information about the Via: header and what actual information is attached.
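As an added example (not part of the answer above, and not from any vendor plugin), here is how the forwarded-header approach the answer describes looks on the Apache side: a LogFormat that records the X-Forwarded-For header next to %h, and a small Python parser that attributes each request to the original client only when the header was appended by a trusted proxy, since any client can send a forged X-Forwarded-For. The proxy addresses, log format name and sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed Apache LogFormat: combined-style line with X-Forwarded-For appended, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" proxied
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)

# Hypothetical firewall/proxy addresses that are allowed to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.1/32"), ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer: str, xff: str) -> str:
    # %h (peer) is authoritative. The header is only believed when a trusted proxy
    # delivered it, and it is walked right-to-left so hops a client prepended are skipped.
    if not is_trusted(peer) or not xff or xff == "-":
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0] if hops else peer  # every hop was a trusted proxy

def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    rec = m.groupdict()
    rec["client"] = client_ip(rec["peer"], rec["xff"])
    return rec

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "203.0.113.7"',
    '192.0.2.1 - - [10/Oct/2023:13:55:37 +0000] "GET /a HTTP/1.1" 200 612 "203.0.113.7, 10.1.2.3"',
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /b HTTP/1.1" 200 612 "203.0.113.50"',
    '192.0.2.1 - - [10/Oct/2023:13:55:39 +0000] "GET /c HTTP/1.1" 200 612 "-"',
]

def client_ips(lines=SAMPLE_LOG) -> list:
    return [parse_line(l)["client"] for l in lines]
```

The third sample line shows the point of the trust check: the header arrived directly from an untrusted peer, so it is ignored and %h is kept.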