Re: DNAT based on domain name instead of IP address

Good evening, Glen,

On 28 Jan 2004, Glen Lee Edwards wrote:

> I have several domains that use the same IP address.  Can I DNAT them to
> different servers based on domain name instead of IP address using
> iptables?  I've tried the following, but it isn't working:
> 
> iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.12:80
> 
> iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.13:80
> 
> Everything is being forwarded to 192.168.1.12 no matter which domain is
> used.  It appears that the domains are first being translated into the
> IP address, which is used instead.

	Your last statement explains what's happening, and you're 
exactly right.  Even if you use domain names on the command line, iptables 
converts them to IP addresses before handing them off to the kernel.

	Iptables isn't really capable of what you're asking; it's 
primarily designed to make choices about packets based on header 
information.  Although some components of it can inspect the payload, it's 
not capable of doing the differentiation you need.
	What you want is a userspace application that can look in the 
payload of the packet and identify the Host: header in an http request, 
and send the connection off to the right web server based on that header.
	One place to start is the squid cache 
(http://www.squid-cache.org) and the httpd_accel_* options.
	Cheers,
	- Bill

William Stearns (wstearns@xxxxxxxxx).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--------------------------------------------------------------------------
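The userspace Host-header router Bill describes, as an added example that is not from the original thread and is not squid: a small Python reverse proxy that reads the HTTP request head, picks the backend from the Host: header, and relays the connection. The domain names and 192.168.1.x backends are the hypothetical ones from Glen's question, and an unknown or missing Host is refused rather than sent to a default server.

```python
import socket
import threading

# Constructed mapping for this example: the host names and backend addresses
# are the hypothetical ones from the thread, not real systems.
BACKENDS = {
    "1st.domain.com": ("192.168.1.12", 80),
    "2nd.domain.com": ("192.168.1.13", 80),
}

def parse_host(head: bytes):
    """Return the Host header of an HTTP/1.x request head (lower-cased,
    port stripped), or None when the header is absent."""
    lines = head.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    for line in lines[1:]:  # lines[0] is the request line, not a header
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    return None

def pick_backend(head: bytes):
    """Map the Host header to (ip, port); unknown or missing host -> None,
    so the proxy refuses instead of silently sending everything to one server."""
    host = parse_host(head)
    return BACKENDS.get(host) if host else None

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client: socket.socket):
    head = b""
    while b"\r\n\r\n" not in head and len(head) < 8192:  # cap the header size
        chunk = client.recv(4096)
        if not chunk:
            break
        head += chunk
    backend = pick_backend(head)
    if backend is None:
        client.sendall(b"HTTP/1.1 421 Misdirected Request\r\nContent-Length: 0\r\n\r\n")
        return client.close()
    with socket.create_connection(backend, timeout=10) as upstream, client:
        upstream.sendall(head)  # replay the bytes already read, then relay the rest
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)

def serve(listen=("0.0.0.0", 8080)):
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Run `serve()` on the box that owns the shared public address; the kernel-side DNAT rules from the question are then unnecessary, because the routing decision is made in userspace after the Host header has been read.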