iptables and apache logs

connecting iptables log to apache log

rwyarbrough

4:04 am on Jan 20, 2004 (gmt 0)

10+ Year Member



Does anyone know how to attach iptables or the iptables log to the apache log?

I use awstats for reporting who is viewing my websites. Before, I was using a cheap DSL Router/Switch and the apache log captured the correct ip addresses for the requestor. I switched to using a linux f/w (iptables) / router which impacted the apache logs and now every "hit" is registered as coming from the ppp0 port of the linux f/w router and not the "real" end user due to how iptables port forwards. I configured iptables to log the ip address for the end user accessing port 80. I found a little iptables log analysis utility, but not sure how beneficial it will be for attaching it to the apache log.

Is there a way to pass the end user ip address from iptables to the apache log? That seems to me to be the easiest solution. If I can't, how do I combine the two logs? It looks like there is only one entry for the initial forward in the iptables log and the apache log has multiple entries as it logs every object accessed. Seems like there would have to be some logic to tie the multiple apache log entries to the single iptables entry.

OR - Is there another way to do this?

Any help would be appreciated

Thanks in advance.

bakedjake

5:58 pm on Jan 21, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



What you've described shouldn't be happening (duh, thanks Jake). Really, though, iptables shouldn't be affecting the requestor IP in your apache logs, unless you've got it set up as a reverse proxy instead of a port forwarder.

Let's start with your apache configuration - can you output the <virtualhost> directive, exemplifying the relevant sections?

Thanks.

rwyarbrough

12:06 am on Jan 22, 2004 (gmt 0)

10+ Year Member



<

[edited by: rwyarbrough at 2:19 am (utc) on Jan. 22, 2004]

rwyarbrough

12:12 am on Jan 22, 2004 (gmt 0)

10+ Year Member



#

[edited by: rwyarbrough at 2:19 am (utc) on Jan. 22, 2004]

rwyarbrough

1:55 am on Jan 22, 2004 (gmt 0)

10+ Year Member



AH HA... Figured it out...

I commented out the following line in my iptables script:
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.123.1 --dport 80 -j SNAT --to-source $PPPOE

and I now capture the end user IP address in the apache log although I can not access the site from behind the firewall unless I connect internally, meaning I will have to use a public proxy server to test connectivity from the outside "perspective"... no big deal......

any idea why this happens this way?

bakedjake

5:19 pm on Jan 22, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



any idea why this happens this way?

-j SNAT --to-source $PPPOE

[netfilter.org...]

Source NAT is specified using `-j SNAT', and the `--to-source' option

You're doing source NAT. Stop it, and your problem should go away. :)
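The ruleset below is an added example, not the poster's script or anything from the thread, showing the shape of a port forward that keeps the real client address in Apache's logs. It goes a step beyond the answer above: instead of dropping SNAT entirely (which is why the poster can no longer reach the site from inside via the public address), it keeps a SNAT rule but restricts it to connections originating on the LAN, so only "hairpin" traffic is rewritten and external hits still arrive with their own source IP. Assumptions: the web server is 192.168.123.1 (from the thread), the LAN is 192.168.123.0/24 on eth0, the public address lives in $PPPOE on ppp0, and the placeholder 203.0.113.10 stands in for a real public IP.

```shell
#!/bin/sh
# Added example (not from the thread): forward port 80 to an internal web
# server without rewriting the source address of external clients.
# Assumed: 192.168.123.1 = web server (thread), 192.168.123.0/24 on eth0 = LAN,
# $PPPOE = public address on ppp0 (203.0.113.10 is a placeholder).
IPT=${IPT:-iptables}           # set IPT="echo iptables" to dry-run the rules
PPPOE=${PPPOE:-203.0.113.10}   # placeholder public address (documentation range)
WEBSRV=192.168.123.1
LAN=192.168.123.0/24

# 1. Plain port forward: DNAT in PREROUTING changes only the destination.
#    The client's source address is untouched, so Apache logs the real IP.
add_port_forward() {
    $IPT -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
    $IPT -A FORWARD -i ppp0 -o eth0 -p tcp -d "$WEBSRV" --dport 80 -j ACCEPT
}

# 2. Hairpin NAT for LAN clients that use the public address. Only packets
#    whose source is on the LAN get SNAT; the thread's rule matched every
#    packet bound for 192.168.123.1:80, so every hit appeared to come from ppp0.
#    Without this SNAT the server would answer a LAN client directly from
#    192.168.123.1 and the client would drop the unexpected reply.
add_hairpin_snat() {
    $IPT -t nat -A PREROUTING -i eth0 -s "$LAN" -d "$PPPOE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
    $IPT -t nat -A POSTROUTING -s "$LAN" -d "$WEBSRV" -p tcp --dport 80 \
        -j SNAT --to-source "$PPPOE"
}

# 3. Optional: log new forwarded HTTP connections, so the kernel log keeps
#    the real client IP next to whatever Apache records.
add_http_log() {
    $IPT -A FORWARD -i ppp0 -p tcp -d "$WEBSRV" --dport 80 \
        -m state --state NEW -j LOG --log-prefix "HTTP-FWD: "
}

# Usage: sh this_script.sh apply        (as root)
#        IPT="echo iptables" sh this_script.sh apply   (print rules only)
if [ "${1:-}" = "apply" ]; then
    add_port_forward
    add_hairpin_snat
    add_http_log
fi
```

The order matters: the logging rule should come before the ACCEPT in FORWARD if you want it to fire, and the hairpin SNAT must stay scoped with `-s "$LAN"`, otherwise it collapses back into the rule that hid every client behind ppp0.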

rwyarbrough

5:32 pm on Jan 22, 2004 (gmt 0)

10+ Year Member



Thanks for your responses... because of the lack of responses from any of the places/forums I posed this question to, I was beginning to think I really asked a dumb one and people were too busy laughing to respond...

It was an iptables "cookbook" webpage that stated I needed to put the SNAT in so I could access the website from behind the firewall when using the outside address as opposed to the internal one. (which proved to be true, just didn't realize it would impact apache logging that way!)

I'm old enough to know better.... I should read the manual thoroughly before "cooking" the "recipe"
<smile>