White List IP behind VPN

anoluck
Posts: 2
Joined: 2017/10/28 22:23:07

White List IP behind VPN

Post by anoluck » 2017/10/28 22:50:30

Hello, I'm Anoluck and new to the forum. I didn't realize there was a forum strictly for CentOS users. I have been working in CentOS for about 8 months now so I'm still a noob, but I'm glad I found this place. I have enough knowledge in networking to be dangerous but not enough to be an expert, so I have a weird setup. :D

I have an interesting setup so bear with me.
Example:

I'm using FirewallD with rich-rules

I'm currently VPN-ing into Company A.

CentOS 7
ISP IP: 1.2.3.4 (Not Important)
Company A IP: 8.8.8.8
Company A Assigned My Server IP: 192.168.0.100
My WebServer Listening Port: 8080

I forward 8080 from 8.8.8.8 to 192.168.0.100

When a visitor visits IP 8.8.8.8:8080 they are transferred to my webserver.
I want to be able to whitelist specific IPs, but based on the log at...
/var/log/messages
it appears all my visitors' IPs don't show up correctly.
Their IP is shown as SRC: 8.8.8.8 ----> DST:192.168.0.100 DPT:8080

So far I whitelisted 8.8.8.8 on my server, but it doesn't give me control over which specific IPs can access my server.
Now when I'm in my own NAT/Network I see their IP when they try to visit my server.
Only when I'm VPN-ing does it show the Company A IP instead of the visitor IP.
Is there a way to make the visitor IP show up when I VPN into Company A's network?

TLDR: When using my ISP and behind my router, when a visitor visits my webserver I can see their IP in the log, but when I'm behind a Company VPN using their IP, visitors who visit my server are masked by the Company IP.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: White List IP behind VPN

Post by pjsr2 » 2017/10/31 16:22:12

If I understand your description of the problem correctly, your company's 8.8.8.8 is a proxy that forwards requests to 8.8.8.8:8080 to 192.168.0.100:8080.

It is correct that you see in the log files of 192.168.0.100 the address 8.8.8.8 as the source address.

Usually a proxy server adds the original source IP address in a special HTTP header named X-Forwarded-For that is included in the request.
Some proxies use different names for this header.
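
An added example, not part of the thread: one way the web application on 192.168.0.100 could apply a per-visitor allowlist, assuming 8.8.8.8 is an HTTP proxy that appends X-Forwarded-For as the reply above suggests (a plain NAT port forward adds no such header). The allowlist ranges and function names are constructed for illustration.

```python
import ipaddress

# From the thread: the address the server sees as SRC for every visitor.
TRUSTED_PROXIES = {ipaddress.ip_address("8.8.8.8")}
# Constructed allowlist (documentation ranges, not from the thread).
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.7/32")]


def client_ip(peer_addr, xff_header):
    """Return the address the allow decision should be based on.

    peer_addr  -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # The header is client-supplied text; honour it only when the
    # connection itself comes from a proxy we trust.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    # Walk right to left: each proxy appends the address it saw, so the
    # rightmost entry that is not a trusted proxy is the one our proxy
    # vouches for. Entries further left may be forged by the client.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if addr not in TRUSTED_PROXIES:
            return addr
    return None  # header listed only proxies; no client to evaluate


def is_allowed(peer_addr, xff_header=None):
    """True only if the resolved visitor address is on the allowlist."""
    addr = client_ip(peer_addr, xff_header)
    return addr is not None and any(addr in net for net in ALLOWED_CLIENTS)
```

FirewallD rich rules match on the packet source address, so they will keep seeing 8.8.8.8; a check like this has to run in the web server or application that can read the header.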
