Gateway displayed in Tomcat HTTP access log

I’m trying to figure out why the gateway is being displayed in the Tomcat HTTP access logs instead of the proper remote host. I have the firewall NAT rule set up correctly. Everything seems to be working, but I’m not sure if masquerading is working correctly or what. Here are a few access log entries:

192.168.5.100 - - [31/Mar/2010:08:06:05 -0400] "GET /viewHome.do HTTP/1.1" 200 2748
192.168.5.100 - - [31/Mar/2010:09:52:28 -0400] "GET /viewF18.do HTTP/1.1" 200 22638
192.168.5.100 - - [31/Mar/2010:09:54:48 -0400] "GET /viewDiag.do HTTP/1.1" 200 2968
192.168.5.100 - - [31/Mar/2010:09:54:48 -0400] "GET /viewAddons.do HTTP/1.1" 200 2835
192.168.5.100 - - [31/Mar/2010:09:54:50 -0400] "GET /viewTeam.do HTTP/1.1" 200 3885

For some reason the remote host is shown as the gateway. It’s being replaced, but I’m not sure why.

[admin@MikroTik] > /ip firewall filter print all
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp 

 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=ether1 

 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=ether1 

 3   ;;; Added by webbox
     chain=input action=drop in-interface=ether1 

 4   chain=input action=drop connection-state=invalid 

 5   ;;; Accept established connections
     chain=input action=accept connection-state=established 

 6   ;;; Accept related connections
     chain=input action=accept connection-state=related 

 7   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

 8   ;;; UDP
     chain=input action=accept protocol=udp 

 9   ;;; Allow limited pings
     chain=input action=accept protocol=icmp limit=50/5s,2 

10   ;;; Drop excess pings
     chain=input action=drop protocol=icmp 

12   ;;; SSH for secure shell
     chain=accept_list action=accept protocol=tcp dst-address=192.168.5.148 dst-port=22 

13   ;;; Forward HTTP to webserver
     chain=forward action=accept protocol=tcp dst-address=192.168.5.148 dst-port=80 

14   ;;; Forward HTTPS to webserver
     chain=accept_list action=accept protocol=tcp dst-address=192.168.5.148 dst-port=443



[admin@MikroTik] > /ip firewall nat print all      
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade 

 1   chain=dstnat action=dst-nat to-addresses=192.168.5.148 protocol=tcp dst-address=99.178.175.17 dst-port=80 

 2   chain=dstnat action=dst-nat to-addresses=192.168.5.148 protocol=tcp dst-address=99.178.175.17 dst-port=443 

 3   chain=dstnat action=dst-nat to-addresses=192.168.5.148 protocol=tcp dst-address=99.178.175.17 dst-port=22

Any help is greatly appreciated!

You have an unqualified masquerade, which means that all traffic going out any interface will be src-nat'd to an IP address on that interface, including traffic coming from the internet to the LAN - they all get src-nat'd to your LAN router IP. Add 'out-interface=WAN' as a qualifier to your masquerade statement.
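As an added illustration (not part of either post), here is the unqualified masquerade rule from the question placed beside the qualified form the answer recommends, in RouterOS CLI syntax. It assumes ether1 is the internet-facing interface (the input-chain rules above treat it that way) and that the router's LAN address is the 192.168.5.100 seen in the Tomcat log.

```routeros
# BEFORE (rule 0 from the question's "/ip firewall nat print"):
# an unqualified masquerade matches every packet leaving ANY interface.
# A request dst-nat'd from 99.178.175.17:80 to 192.168.5.148:80 is
# therefore src-nat'd again as it leaves the LAN interface, so the web
# server sees the router's LAN address (192.168.5.100, assumed here)
# instead of the real client, which is exactly what Tomcat logged.
/ip firewall nat
add chain=srcnat action=masquerade

# AFTER: qualify the masquerade with the WAN interface (ether1 assumed),
# so only traffic leaving toward the internet is rewritten. Connections
# forwarded in from the internet keep their original source address.
/ip firewall nat
set [find chain=srcnat action=masquerade] out-interface=ether1

# Optional tighter form: also restrict the rule to the LAN subnet
# (192.168.5.0/24 assumed), so nothing else can ever match it.
# set [find chain=srcnat action=masquerade] src-address=192.168.5.0/24

# Verify: the masquerade line should now show out-interface=ether1, and
# the next request from the internet should appear in the Tomcat access
# log with the client's public address rather than 192.168.5.100.
/ip firewall nat print
```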

Arrgg!!! Dude! Fewi!! You rock!! It’s always some subtle detail like that that throws things off. Thanks Fewi!