As I understand it, your problem is the internal NAT.

Configure your firewall without doing SNAT or MASQUERADE for packets
destined to the internal server - you can use RETURN rules to do this,
for example.

But, If you can not avoid this ...
Try something like this:
http://engi.neir.org/tips-tricks/fix-apache-proxy-logging/

2013/4/19 Piotr Pawłowski <piotr.pawlowski@goyello.com>:
> Hi All,
>
> I have iptables-based router which provides access to the Internet for servers in LAN.
> Question is: is it possible to somehow 'forward' remote IP address through this router? I have WWW server inside LAN and would like to have reliable access logs. However, right now the only IP address visible in those logs is router one.
>
> Thank you in advance for information.
>
> Best Regards
> ---
> Piotr Pawłowski
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html