From: Shawn <core@enodev.com>
To: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
Cc: Glen Lee Edwards <glen@holiness.ch>,
"netfilter@lists.netfilter.org" <netfilter@lists.netfilter.org>
Subject: Re: DNAT based on domain name instead of IP address
Date: Wed, 28 Jan 2004 18:01:23 -0600
Message-ID: <1075334483.11612.25.camel@localhost>
In-Reply-To: <1075333547.1902.34.camel@jasiiitosh.nexusmgmt.com>
Doesn't apache have the smarts to figure it out on its own? I've never
put squid in as an incoming request proxy server. I don't know that
squid or apache will give you quite what you want though.
1st, determine if you /really/ need two servers (.12 and .13). I think a
single apache can have multiple document roots based on the domain in
the URL requested.
2nd, if you do think you need 2 servers, figure out why exactly and if
you can solve the problem from some other angle.
3rd, if you really need it, I think L7 filtering is how you want to go,
but I can't guide you. I've not yet found a problem to solve with L7 for
myself.
On Wed, 2004-01-28 at 17:45, John A. Sullivan III wrote:
> On Wed, 2004-01-28 at 18:22, Glen Lee Edwards wrote:
> > I have several domains that use the same IP address. Can I DNAT them to
> > different servers based on domain name instead of IP address using
> > iptables? I've tried the following, but it isn't working:
> >
> > iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j DNAT --to-destination 192.168.1.12:80
> >
> > iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j DNAT --to-destination 192.168.1.13:80
> >
> > Everything is being forwarded to 192.168.1.12 no matter which domain is
> > used. It appears that the domains are first being translated into the
> > IP address, which is used instead.
> >
> > Glen
>
> I'm going to go way out on a limb here and speculate so if someone who
> has actually looked at the code tells you otherwise, please listen to
> them and not me!
>
> I would assume that netfilter is only operating at layer 3. I believe
> from an earlier enlightening post from Anthony Stone(?) that all domain
> names are resolved to IP addresses when the rule is loaded and the rule
> uses the layer three information, i.e., the IP address, to evaluate the
> rule.
>
> It sounds like you need something that will operate on the layer 7 data
> since that's where the url/uri information is going to be. Perhaps a
> proxy like squid has the ability to redirect traffic based upon layer 7
> information.
>
> I'm quite curious to see how you ultimately resolve this. Good luck -
> John
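The diagnosis in the thread (the hostname in `-d` is resolved when the rule is loaded, so the kernel only ever matches on an IP, and the name that would distinguish the two sites lives in the HTTP Host header at layer 7) can be made concrete with a small model. The following is an added illustration, not code from the thread or from netfilter: part 1 mimics what iptables does with `-d 1st.domain.com` at rule-load time and then walks the chain the way netfilter would; part 2 does the Host-header lookup that a reverse proxy or Apache name-based virtual hosting performs. The public address 203.0.113.10 (a documentation range), the `FAKE_DNS` table and all function names are assumptions made for the example.

```python
"""Why `iptables -d <hostname>` cannot dispatch by domain, and what can.

Constructed illustration (not code from the thread). Part 1 models what
iptables does with a hostname given to -d; part 2 shows the Host-header
lookup a layer-7 proxy (or Apache name-based vhosts) performs instead.
"""
import re
from typing import Optional

# Constructed DNS view: both names share the router's single public address.
# 203.0.113.10 is a TEST-NET-3 documentation address, chosen for the example.
FAKE_DNS = {
    "1st.domain.com": "203.0.113.10",
    "2nd.domain.com": "203.0.113.10",
}

# The two rules from the question, reduced to the fields that matter.
RULES = [
    {"dst": "1st.domain.com", "dport": 80, "to": "192.168.1.12:80"},
    {"dst": "2nd.domain.com", "dport": 80, "to": "192.168.1.13:80"},
]


def load_rules(rules, resolver):
    """Mimic rule load: a hostname in -d is resolved once, to an address.

    iptables (user space) resolves the name when the rule is inserted; the
    kernel only ever sees the resulting IP. (A name resolving to several
    addresses becomes several rules; that case is not modelled here.)
    """
    return [dict(r, dst=resolver[r["dst"]]) for r in rules]


def prerouting_dnat(loaded, dst_ip, dport):
    """First matching rule wins, as in a netfilter chain."""
    for r in loaded:
        if r["dst"] == dst_ip and r["dport"] == dport:
            return r["to"]
    return None  # no rule matched: no DNAT


def l3_dispatch(client_dst_ip, dport=80):
    """What the firewall actually does with a packet for either domain."""
    return prerouting_dnat(load_rules(RULES, FAKE_DNS), client_dst_ip, dport)


# ---- Layer 7: the information netfilter never looks at ------------------

VHOSTS = {
    "1st.domain.com": "192.168.1.12:80",
    "2nd.domain.com": "192.168.1.13:80",
}

_HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def host_header(request: bytes) -> Optional[str]:
    """Extract the Host header from a raw HTTP/1.1 request (headers only)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    m = _HOST_RE.search(head)
    if not m:
        return None
    host = m.group(1).strip().decode("ascii", "replace").lower()
    # Drop an optional :port; keep a bracketed IPv6 literal intact.
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def l7_dispatch(request: bytes, vhosts=VHOSTS) -> Optional[str]:
    """Choose the backend from the Host header; None if missing or unknown."""
    h = host_header(request)
    return vhosts.get(h) if h else None


if __name__ == "__main__":
    # Both domains resolve to the same address, so every packet hits rule 1.
    print(l3_dispatch("203.0.113.10"))  # 192.168.1.12:80 whichever domain was typed
    req1 = b"GET / HTTP/1.1\r\nHost: 1st.domain.com\r\n\r\n"
    req2 = b"GET / HTTP/1.1\r\nHost: 2nd.domain.com:80\r\n\r\n"
    print(l7_dispatch(req1), l7_dispatch(req2))  # 192.168.1.12:80 192.168.1.13:80
```

Running it reproduces the symptom from the question: after `load_rules` both entries carry the same destination address, so the second rule is unreachable and everything is DNATed to 192.168.1.12. The Host-header lookup is the only place the two requests differ, which is why the thread's answers point at a proxy or at serving both names from one Apache with name-based virtual hosts rather than at netfilter.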
Thread overview: 6+ messages
2004-01-28 23:22 DNAT based on domain name instead of IP address Glen Lee Edwards
2004-01-28 23:45 ` John A. Sullivan III
2004-01-29 0:01 ` Shawn [this message]
2004-01-28 23:47 ` Erik Bourget
2004-01-29 0:02 ` Shawn
2004-01-28 23:59 ` William Stearns