Suricata

I have a test like this:

My env:

os:debian 8

A:172.20.0.1 (gateway  suricata v3.2 )

B:172.20.0.2  (App Server)

C:172.20.0.3  (Client)

My network:

client(C)  ----> gateway suricata A (ids)  -----> AppServer B

My suricata build info:

wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
    unar suricata-3.2.zip
    cd suricata-3.2
    git clone https://github.com/OISF/libhtp.git
    ./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var
    make
    make install
    make install-conf
    make install-rules

And load only a test rule:

alert http any any -> any any (msg:"http test"; content:"GET";) #no.1
    alert tcp any any -> any any (msg:"tcp test"; content:"GET";) #no.2
    alert tcp any any -> any any (msg:"tcp http test"; content:"GET";http_method;) #no.3

A:172.20.0.1 (gateway suricata) OS info:

echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -F
    iptables -F
    iptables -A FORWARD -j ACCEPT

Client send a request as

'http://172.20.0.2/test'

tail the fast.log. Only the #no.2 rule is matched

I have try opened the nat with iptables like:

iptables -t nat -A POSTROUTING -j MASQUERADE

And this time the #no.1 #no.2 #no.3 rules matched

But, The nat was opened that the appserver didn`t get the right client ip

address.

And now , I want use the 7 layer protocol something parameters like
http_uri,http_method and so on. The nat must be closed.

I want the right way ~ ~ ~ Thanks!