Depending on your load on the webserver.. If a proxy of some sort is not possible and you have one grunty firewall that can handle string modules well enough, you can string match the virtual host. I've tested this and it works even though there's a possibility that some packets may be small enough to be fragmented and the string match won't match it but so far it's been OK. I haven't tested it with a large site either.. so really depends if this is a small project or not. I would not use string matching on a production machine where it's critical to get it working 110%... I would rather tell the ISP to supply 2 IPs... Thanks, ____________________________________________ George Vieira Systems Manager georgev@xxxxxxxxxxxxxxxxxxxxxx Citadel Computer Systems Pty Ltd http://www.citadelcomputer.com.au -----Original Message----- From: Afshin Lamei [mailto:linux_st@xxxxxxxxxxx] Sent: Monday, 29 September 2003 10:13 PM To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: publishing 2 web server on one valid IP hi I have 2 web servers in my DMZ. when there was one, I used DNAT to publish the single web server on port 80 of the external interface of my firewall. now I don't know how to distinguish between the requests of 2 web servers, because I have only one IP address available for the external interface. Is there any solution using iptables, to know that which http request must be DNAT to which web server? regards, afshin _________________________________________________________________ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
