Server behind router/firewall only logging the gateway IP address

Discussion in 'Installation/Configuration' started by drewb0y, Oct 13, 2010.

  1. drewb0y

    drewb0y Member

    Resolved: Server behind router/firewall only logging the gateway IP address

    My server sits behind a Fortinet Fortigate 60B router, and all the logs that would normally show an outside IP, only give me the address of the router. Like fail2ban for example.

    Code:
    2010-10-13 01:43:15,964 fail2ban.actions: WARNING [ssh] Ban 192.168.5.1
    2010-10-13 01:53:16,012 fail2ban.actions: WARNING [ssh] Unban 192.168.5.1
    2010-10-13 03:46:55,088 fail2ban.actions: WARNING [ssh] Ban 192.168.5.1
    2010-10-13 03:56:55,128 fail2ban.actions: WARNING [ssh] Unban 192.168.5.1
    2010-10-13 08:04:42,632 fail2ban.actions: WARNING [ssh] Ban 192.168.5.1
    2010-10-13 08:14:42,680 fail2ban.actions: WARNING [ssh] Unban 192.168.5.1
    Any ideas how to change this? I have NAT enabled in the firewall policies both from the server to the internet and from the internet to the server. Could this be the problem?

    If there is anyone else familiar with the Fortinet devices, please let me know how you would configure it best.

    Thanks!
     
    Last edited: Oct 14, 2010
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, this is the normal behaviour of a NAT network. From the view of the server, all requests are coming from the router. I don't think that this can be changed. The only solution that I know is to connect the server to the internet directly.
     
  3. drewb0y

    drewb0y Member

    It's not really an issue for now, just makes logging ineffective. I will try disabling the NAT feature and see if that changes or breaks anything.
    When this server gets moved to its production environment at our colocation space, I will probably put it behind the DMZ portion of the router instead of one of the other interfaces. Thanks for your help yet again.
     
  4. drewb0y

    drewb0y Member

    I disabled NAT in the firewall policies in both directions and now external IP addresses are being logged correctly for mail or SSH users, for example, instead of just the router's IP address.
     
  5. drewb0y

    drewb0y Member

    Oops. Just for future reference... if you're behind one of these types of firewalls, leave NAT enabled on the outbound side or mail sending will stop working.

    Found that out the hard way.
     
  6. Turbanator

    Turbanator Member HowtoForge Supporter

    just curious, what ports did you have open on the router?
    All my ISPC3 servers are behind NAT'd firewalls and I don't have any issues with fail2ban or logging...or anything for that matter.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    He seems to have at least SSH open, as the fail2ban actions are from SSH login attempts.
     
  8. drewb0y

    drewb0y Member

    I believe all the ports I had open at the time were
    http
    https
    ssh
    ping
    ntp
    imap
    pop3
    smtp
     
  9. Turbanator

    Turbanator Member HowtoForge Supporter

    and dns I would think.

    well it's working for you now but if you wanted to go back to your previous setup, let me know and I'll work with you on your ISPC3 settings. Again, I'm fully NAT'd behind different routers/firewalls (some SOHO wif's and some smoothwall) and don't have the issue you did.
     