The problem was localized: MASQUERADE (it modifies the original source IP).
The question is closed, because the problem was not in port forwarding but in the general configuration of the router server. Thanks all.
The main problem is that I can't understand where users connect to me from.
If someone could tell me what to read and where to dig, it would be great, because I can't even formulate keywords for searching in Google :)
There are two servers on Debian.
The first one is a router with IP 77.121.*.* (static Internet IP) and the second one has IP 192.168.0.2 (internal web server).
The first server does port forwarding to the second on ports 80, 443 and some others.
When I open access.log on 192.168.0.2, I get something like this:
77.121.*.* - - [10/Dec/2015:13:31:54 +0200] "GET /SOME_PATH HTTP/1.1" 200 3350 "-" "Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0"
As you can see, most of the connecting IPs come from the router, and I can't understand where users connect to me from.
I don't care about internal user IPs, but if someone connects from outside I need to know that. For now I can't.
I don't have access to the router server, neither physical nor over SSH (another department), but I could ask them to change some parameters on it if needed.
I'm sure that the "outside" server uses this command:
iptables -A PREROUTING -t nat -d 77.121.*.* -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
plus one more (I can't remember what) for internal users.
I will try to analyze packets and recompile nginx with ngx_http_realip_module on Monday (Michael Hampton's suggestion). (done)
Your outside server is reverse proxying to your inside server, not port forwarding.
You can get the “real” IP addresses in the inside server’s logs by configuring the nginx real IP module on the inside server.
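The configuration the answer refers to, as an added example that is not part of the original question or answer. It assumes the outside server at 77.121.*.* is itself nginx acting as the reverse proxy, that the inside server at 192.168.0.2 is nginx built with ngx_http_realip_module, and that the outside server's address as seen by the inside server is the one shown masked in the access.log above. The server names and the 203.0.113.1 address are placeholders (RFC 5737 documentation range), not values from the post.

```nginx
# Added example, not code from the original page.

# --- Outside server (router, reverse proxy) -------------------------------
# Here $remote_addr is the real client, so pass it upstream in a header.
server {
    listen 80;
    server_name example.org;          # placeholder

    location / {
        proxy_pass http://192.168.0.2;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Inside server (192.168.0.2) ------------------------------------------
# Trust the address header ONLY when the TCP peer is the router. If
# set_real_ip_from were 0.0.0.0/0, any host that can reach this server
# directly (e.g. from the LAN) could send a forged X-Real-IP and write an
# arbitrary address into access.log.
server {
    listen 80;
    server_name example.org;          # placeholder

    set_real_ip_from 203.0.113.1;     # placeholder: the router's address exactly
                                      # as it appears in access.log (77.121.*.*)
    real_ip_header   X-Real-IP;
    # real_ip_recursive on;           # only needed if the header carries a chain
                                      # (X-Forwarded-For) and intermediate hops
                                      # are also listed in set_real_ip_from

    # $remote_addr is now the client address from the trusted header, so the
    # standard combined format logs it without changing the log format.
    access_log /var/log/nginx/access.log combined;

    location / {
        root /var/www/html;           # placeholder
    }
}
```

Two caveats. First, this only works because the outside server terminates HTTP and can add a header; a router doing pure iptables DNAT (as the question first assumed) forwards packets unchanged, and then the only way to see the client address is to stop the router from rewriting the source, which is the MASQUERADE the asker eventually found. Second, with a trusted-proxy list in place the inside server should no longer be directly reachable from networks you do not list there, or at least you should know that requests from unlisted peers are logged with their TCP source address and their X-Real-IP header is ignored.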
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.