Re: Matching packets by HTTP header "Host"

Hello,

Giovanni Lovato wrote:

I'm trying to forward packets to different hosts depending on the "Host"
header in HTTP packets, e.g. packets on port 80 requesting "Host:
one.example.org" to 192.168.0.1 and all others on port 80 to 192.128.0.2.
I did:

iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
  --string "Host: one.example.org" --destination-port 80 -j DNAT \
  --to-destination 192.168.0.1

iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 -j \
  DNAT --to-destination 192.168.0.2

But all packets are going to 192.168.0.2. Am I missing something?

Rules in the 'nat' table apply only to the first packet of a new connection. NAT operations for the whole connection are determined by the NAT rules applied to the first (SYN) packet of the connection, which does not contain any HTTP payload data such as the "Host" header. So the first rule never matches a packet. As suggested, use an HTTP proxy instead.
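The following is an added example, not code from this thread: a minimal layer-7 reverse proxy in Python that does what the nat rule cannot. It accepts the TCP connection itself, reads the HTTP request head (which is where the Host header lives, after the handshake), picks a backend from it and then pumps bytes both ways. The backend addresses are the ones from the question; the listen address (0.0.0.0:8080), the 64 KiB limit on the request head and the host normalisation rules are assumptions of this example. Unlike `-m string`, which does a substring search over whatever bytes happen to be in one packet, the parser below matches the whole, normalised Host value, so "one.example.org.evil.test" or a "Host:" string inside a request body does not select the first backend.

```python
"""Minimal Host-header reverse proxy (added example, not from the thread).

Routing by Host header has to happen at layer 7: the TCP SYN that the nat
table sees carries no HTTP payload. This script accepts the connection,
reads the HTTP request head, picks a backend from the Host header, then
pumps bytes in both directions for the rest of the connection.

Backend addresses are the ones from the original question; the listen
address and the 64 KiB head limit are assumptions for this example.
"""
import socket
import threading
from typing import Optional, Tuple

BACKENDS = {"one.example.org": ("192.168.0.1", 80)}
DEFAULT_BACKEND = ("192.168.0.2", 80)
MAX_HEAD = 64 * 1024  # assumed limit: refuse unbounded request heads


def parse_host(head: bytes) -> Optional[str]:
    """Return the normalised Host value from an HTTP/1.x request head.

    Header names are case-insensitive, the host is lower-cased and any
    port suffix is dropped, so 'HOST: One.Example.Org:8080' yields
    'one.example.org'. An IPv6 literal keeps its brackets. Only lines
    before the blank line count; a 'Host:' string in the body is ignored.
    """
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        if not line:
            break                            # blank line: end of headers
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):
                host = host.split("]", 1)[0] + "]"   # [::1]:80 -> [::1]
            else:
                host = host.split(":", 1)[0]         # drop :port
            return host
    return None


def select_backend(head: bytes) -> Tuple[str, int]:
    """Exact match on the whole host (not a substring search like
    '-m string'), falling back to the default backend."""
    return BACKENDS.get(parse_host(head), DEFAULT_BACKEND)


def read_head(sock: socket.socket) -> bytes:
    """Read until the blank line that ends the request head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if len(buf) > MAX_HEAD:
            raise ValueError("request head exceeds limit")
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    with client:
        try:
            data = read_head(client)
        except ValueError:
            return                            # oversized head: drop it
        head = data.split(b"\r\n\r\n", 1)[0]
        backend = select_backend(head)
        with socket.create_connection(backend, timeout=10) as upstream:
            upstream.settimeout(None)         # timeout only for the connect
            upstream.sendall(data)            # forward the bytes already read
            t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
            t.start()
            pump(upstream, client)
            t.join()


def serve(listen: Tuple[str, int] = ("0.0.0.0", 8080)) -> None:
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Note that the routing decision is made once per TCP connection, from the first request head; with keep-alive, later requests on the same connection go to the same backend whatever their Host header says. A production proxy parses every request (or forces `Connection: close`), which is one more reason the reply's advice to use a real HTTP proxy is the right one.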
