>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>Giovanni Lovato
>Sent: Tuesday 13 March 2007 11:48
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Matching packets by HTTP header "Host"
>
>Hi all.
>I'm trying to forward packets to different hosts depending on
>the "Host" header in HTTP packets, e.g. packets on port 80
>requesting "Host: one.example.org" to 192.168.0.1 and all
>others on port 80 to 192.128.0.2.

This processing is at too high a level for NetFilter (without proper
extensions). You should rather use an HTTP proxy, like squid or apache
with the proxy module, for this operation. These are capable of handling
such requests.

>I did:
>iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
>  --string "Host: one.example.org" --destination-port 80 -j DNAT \
>  --to-destination 192.168.0.1
>
>iptables -t nat -A PREROUTING -p TCP -i eth0 \
>  --destination-port 80 -j DNAT --to-destination 192.168.0.2
>
>But all packets are going to 192.168.0.2. Do I miss something?

The problem is that at connection time you cannot yet make the choice of
which server you must connect to. This can only be decided when you are
already connected.

- Joris
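To illustrate Joris's point, here is an added toy model in Python (not code from the thread or from netfilter): the nat table is consulted only for the first packet of a connection, which is the bare SYN, and conntrack then reuses that mapping for every later packet, so the Host header arrives too late for the DNAT decision; a proxy, by contrast, reads the request before choosing a backend. The two server addresses come from the question; the client address, flow and request bytes are constructed for the example.

```python
SERVER_ONE = "192.168.0.1"      # intended target for Host: one.example.org
SERVER_DEFAULT = "192.168.0.2"  # catch-all target from the second rule

def nat_rule(payload: bytes) -> str:
    """The two PREROUTING rules from the question, checked in order."""
    if b"Host: one.example.org" in payload:  # -m string --algo bm --string ...
        return SERVER_ONE
    return SERVER_DEFAULT                    # unconditional DNAT rule

def nat_flow(packets, conntrack=None):
    """Model of netfilter NAT: the nat table is evaluated only for the first
    packet of a connection; conntrack stores that mapping and applies it to
    every later packet of the same flow without re-evaluating the rules."""
    conntrack = {} if conntrack is None else conntrack
    targets = []
    for flow, payload in packets:
        if flow not in conntrack:            # NEW connection: evaluate rules
            conntrack[flow] = nat_rule(payload)
        targets.append(conntrack[flow])      # ESTABLISHED: reuse the mapping
    return targets

def proxy_backend(request: bytes) -> str:
    """What an HTTP proxy can do instead: it terminates the client connection
    itself, reads the request headers, and only then picks the backend."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:     # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().split(b":")[0].lower()   # drop any :port
            return SERVER_ONE if host == b"one.example.org" else SERVER_DEFAULT
    return SERVER_DEFAULT

# Constructed sample flow: a client at 10.0.0.5:40000 opening port 80.
REQUEST = b"GET / HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
FLOW = ("10.0.0.5", 40000)
PACKETS = [
    (FLOW, b""),       # SYN: no payload, so the string match cannot hit
    (FLOW, b""),       # ACK completing the handshake
    (FLOW, REQUEST),   # first data segment, the only one carrying Host:
]

if __name__ == "__main__":
    print("netfilter DNAT per packet:", nat_flow(PACKETS))  # all 192.168.0.2
    print("proxy decision:", proxy_backend(REQUEST))         # 192.168.0.1
```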