* NAT question (forwarding with subdomains)
From: Paul F. Bernal B. - EasyTeck @ 2004-05-13 17:52 UTC (permalink / raw)
To: netfilter
Hi!,
I got an internal 192.168.0.0/24 LAN with about 5 web servers including
the one which has iptables running and internet output ...
in the firewall script:
* INTERNALIF="eth1"
* INTERNALNET="192.168.0.0/24"
* INTERNALBCAST="192.168.0.255"
* EXTERNALIF="eth0"
* MYADDR="200.107.XXX.XXX"
I have a rule that works fine, forwarding the mail packets to the
192.168.0.2 machine:
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 \
    -j DNAT --to 192.168.0.2:25
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.2 --dport 25 \
    -j ACCEPT
I have a couple of subdomains pointing to MYADDR: sub1.mydomain.com,
sub2.mydomain.com, etc...
What I need to do is:
When someone on the Internet asks for http://sub1.mydomain.com/, the
192.168.0.3 machine (which has a web server running on port 80) responds.
When someone on the Internet asks for http://sub2.mydomain.com/, the
192.168.0.4 machine (which has a web server running on port 80) responds.
etc., etc., etc...
I've tried something like this, but it doesn't work!!!
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d sub1.mydomain.com --dport 80 \
    -j DNAT --to 192.168.0.3:80
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.3 --dport 80 \
    -j ACCEPT
Please give me a hand on this, thanks in advance ...
----------
don pool
* Re: NAT question (forwarding with subdomains)
From: Antony Stone @ 2004-05-13 18:08 UTC (permalink / raw)
To: netfilter
On Thursday 13 May 2004 6:52 pm, Paul F. Bernal B. - EasyTeck wrote:
> Hi!,
>
> I got an internal 192.168.0.0/24 LAN with about 5 web servers including
> the one which has iptables running and internet output ...
You're running your firewall and a web server on the same machine? Ugh...
> What I need to do is:
>
> When someone on the Internet asks for http://sub1.mydomain.com/, the
> 192.168.0.3 machine (which has a web server running on port 80) responds.
>
> When someone on the Internet asks for http://sub2.mydomain.com/, the
> 192.168.0.4 machine (which has a web server running on port 80) responds.
If DNS resolves sub1.mydomain.com and sub2.mydomain.com as two different IP
addresses, then simple DNAT rules will work here.
If sub1.mydomain.com and sub2.mydomain.com resolve to the same IP address,
then you cannot do what you want with netfilter (because it works with IP
addresses and port numbers, not hostnames and domains).
The solution in that case would be Squid or Apache as acceleration proxy
servers.
Regards,
Antony.
--
People who use Microsoft software should be certified.
Please reply to the list;
please don't CC me.
* Re: NAT question (forwarding with subdomains)
From: John A. Sullivan III @ 2004-05-13 18:17 UTC (permalink / raw)
To: pbernal; +Cc: netfilter
On Thu, 2004-05-13 at 13:52, Paul F. Bernal B. - EasyTeck wrote:
> Hi!,
>
> I got an internal 192.168.0.0/24 LAN with about 5 web servers including
> the one which has iptables running and internet output ...
>
> in the firewall script:
> * INTERNALIF="eth1"
> * INTERNALNET="192.168.0.0/24"
> * INTERNALBCAST="192.168.0.255"
> * EXTERNALIF="eth0"
> * MYADDR="200.107.XXX.XXX"
>
> got a rule that works fine that forwards the mail packets to the
> 192.168.0.2 machine:
> $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 \
>     -j DNAT --to 192.168.0.2:25
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.2 --dport 25 \
>     -j ACCEPT
>
> I have a couple subdomains pointing to MYADDR sub1.mydomain.com,
> sub2.mydomain.com, etc...
>
> What I need to do is:
>
> When someone on the Internet asks for http://sub1.mydomain.com/, the
> 192.168.0.3 machine (which has a web server running on port 80) responds.
>
> When someone on the Internet asks for http://sub2.mydomain.com/, the
> 192.168.0.4 machine (which has a web server running on port 80) responds.
>
> etc., etc., etc...
>
> I've tried something like this, but it doesn't work!!!
>
> $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d sub1.mydomain.com --dport 80 \
>     -j DNAT --to 192.168.0.3:80
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.3 --dport 80 \
>     -j ACCEPT
>
> Please give me a hand on this, thanks in advance ...
>
> ----------
> don pool
If I understand you correctly, sub1.mydomain.com and sub2.mydomain.com
both point to the same public address even though you want them to map
to different internal servers. Publicly, they are only distinguished by
url and not IP. Is that correct?
If so, iptables will resolve the names to IP addresses when it loads.
From then on, it will use the IP address to identify the destination and
not the url. If you want to NAT on the url, you will need some
functionality to read the url from the data portion of the packet and
not the IP portion. I do not know if there is an iptables patch
available to do that or how such a patch would be used. Does anyone
else know?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: NAT question (forwarding with subdomains)
From: Paul F. Bernal B. - EasyTeck @ 2004-05-13 19:24 UTC (permalink / raw)
To: netfilter
Thanks for your response, you were right, that's what I need and your answer
is clear! Thanks! If I find any solution to this I'll let you know...
"everybody needs to know something more about everything, 'cause nobody
knows at all!"
----------------
don pool
> On Thursday 13 May 2004 6:52 pm, Paul F. Bernal B. - EasyTeck wrote:
>
>> Hi!,
>>
>> I got an internal 192.168.0.0/24 LAN with about 5 web servers including
>> the one which has iptables running and internet output ...
>
> You're running your firewall and a web server on the same machine?
> Ugh...
>
>> What I need to do is:
>>
>> When someone in the Internet asks for http://sub1.mydomain.com/ respons
>> the 192.168.0.3 machine (wich has a web server running port 80)
>>
>> When someone in the Internet asks for http://sub2.mydomain.com/ responds
>> the 192.168.0.4 machine (wich has a web server running port 80)
>
> If DNS resolves sub1.mydomain.com and sub2.mydomain.com as two different
> IP addresses, then simple DNAT rules will work here.
>
> If sub1.mydomain.com and sub2.mydomain.com resolve to the same IP address,
> then you cannot do what you want with netfilter (because it works with IP
> addresses and port numbers, not hostnames and domains).
>
> The solution in that case would be Squid or Apache as acceleration proxy
> servers.
>
> Regards,
>
> Antony.
>
> --
> People who use Microsoft software should be certified.
>
> Please reply to the list;
> please don't CC me.
>
>
----------
Paul F. Bernal B., Ing.
Gerente - EasyTeck
* Re: NAT question (forwarding with subdomains)
From: Alistair Tonner @ 2004-05-13 20:06 UTC (permalink / raw)
To: netfilter
On May 13, 2004 02:17 pm, John A. Sullivan III wrote:
> On Thu, 2004-05-13 at 13:52, Paul F. Bernal B. - EasyTeck wrote:
> > Hi!,
> >
> > I got an internal 192.168.0.0/24 LAN with about 5 web servers including
> > the one which has iptables running and internet output ...
> >
> > in the firewall script:
> > * INTERNALIF="eth1"
> > * INTERNALNET="192.168.0.0/24"
> > * INTERNALBCAST="192.168.0.255"
> > * EXTERNALIF="eth0"
> > * MYADDR="200.107.XXX.XXX"
> >
> > got a rule that works fine that forwards the mail packets to the
> > 192.168.0.2 machine:
> > $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 \
> >     -j DNAT --to 192.168.0.2:25
> > $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.2 --dport 25 \
> >     -j ACCEPT
> >
> > I have a couple subdomains pointing to MYADDR sub1.mydomain.com,
> > sub2.mydomain.com, etc...
> >
> > What I need to do is:
> >
> > When someone on the Internet asks for http://sub1.mydomain.com/, the
> > 192.168.0.3 machine (which has a web server running on port 80) responds.
> >
> > When someone on the Internet asks for http://sub2.mydomain.com/, the
> > 192.168.0.4 machine (which has a web server running on port 80) responds.
> >
> > etc., etc., etc...
> >
> > I've tried something like this, but it doesn't work!!!
> >
> > $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d sub1.mydomain.com --dport 80 \
> >     -j DNAT --to 192.168.0.3:80
> > $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.3 --dport 80 \
> >     -j ACCEPT
> >
> > Please give me a hand on this, thanks in advance ...
> >
> > ----------
> > don pool
>
> If I understand you correctly, sub1.mydomain.com and sub2.mydomain.com
> both point to the same public address even though you want them to map
> to different internal servers. Publicly, they are only distinguished by
> url and not IP. Is that correct?
>
> If so, iptables will resolve the names to IP addresses when it loads.
> From then on, it will use the IP address to identify the destination and
> not the url. If you want to NAT on the url, you will need some
> functionality to read the url from the data portion of the packet and
> not the IP portion. I do not know if there is a iptables patch
> available to do that or how such a patch would be used. Does anyone
> else know?
Antony is right in this case, especially since there *might* already be a
webserver running on the firewall ... apache can forward the url requests to
the appropriate physical hardware ... not something that one wants to do with
string match since packet fragments will cause *huge* problems (a la POST
method)
This will require *some* sort of proxy -- apache can do this itself, or there
are a couple of other products that can do this ... but I'd recommend apache
cache/forward/acceleration methods ...
Please note -- I haven't done this recently, but last I tried it didn't
require forward rules, it required rules in INPUT and OUTPUT since apache
(local) is actually issuing the request to apache (internal) -- they aren't
really being forwarded by iptables.
Alistair.
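The two cases Antony distinguishes (separate public addresses, where DNAT is enough, versus one shared address, where only a reverse proxy can read the Host header) and Alistair's point that the proxy setup needs INPUT/OUTPUT rules rather than FORWARD, written out as an added example. This script is not from the thread or from the netfilter project; it reuses the poster's EXTERNALIF/INTERNALIF variable names, the public addresses 203.0.113.10/.11 are constructed, the `-m state` match and Apache mod_proxy directives are assumed available, and a general ESTABLISHED,RELATED FORWARD rule is assumed to exist elsewhere in the script. With IPTABLES left at its default of `echo`, the commands are printed rather than loaded.

```shell
#!/bin/sh
# Added example (not the list's own script): the two situations Antony
# describes, written as rule generators.  IPTABLES defaults to "echo" so the
# commands are printed instead of applied; set IPTABLES=/sbin/iptables to
# load them for real.  Interface names follow the original post's variables.
IPTABLES="${IPTABLES:-echo}"
EXTERNALIF="${EXTERNALIF:-eth0}"
INTERNALIF="${INTERNALIF:-eth1}"

# Case 1: each subdomain has its own public address.  netfilter can key on
# the destination IP, so the poster's DNAT pattern works unchanged.
# A FORWARD rule for ESTABLISHED,RELATED return traffic is assumed to exist
# elsewhere in the script, as it must for the working port-25 rule.
# Usage: dnat_rules PUBLIC_IP INTERNAL_IP
dnat_rules() {
    pub="$1"; int="$2"
    $IPTABLES -A PREROUTING -t nat -i "$EXTERNALIF" -p tcp -d "$pub" --dport 80 \
        -j DNAT --to "$int:80"
    $IPTABLES -A FORWARD -i "$EXTERNALIF" -o "$INTERNALIF" -p tcp -d "$int" --dport 80 \
        -j ACCEPT
}

# Case 2: every subdomain shares one public address and differs only in the
# HTTP Host header, which lives in the TCP payload where netfilter does not
# look.  A reverse proxy on the firewall terminates the client's connection
# and opens a second one to the chosen internal server.  Nothing is
# forwarded: the client leg is INPUT, the proxy leg is OUTPUT, as Alistair
# says.  Usage: proxy_rules PUBLIC_IP INTERNAL_IP...
proxy_rules() {
    pub="$1"; shift
    # clients reaching the proxy on the firewall itself
    $IPTABLES -A INPUT -i "$EXTERNALIF" -p tcp -d "$pub" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # the proxy's own connections to each internal web server
    for int in "$@"; do
        $IPTABLES -A OUTPUT -o "$INTERNALIF" -p tcp -d "$int" --dport 80 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # replies from the internal servers back to the proxy
    $IPTABLES -A INPUT -i "$INTERNALIF" -p tcp --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Apache side of case 2: one name-based virtual host per subdomain, each
# handing its requests to the matching internal server with mod_proxy
# (assumed loaded; Apache 2.0/2.2 also needs "NameVirtualHost *:80" once).
# Usage: proxy_vhost HOSTNAME INTERNAL_IP   -> prints the VirtualHost block
proxy_vhost() {
    host="$1"; int="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName       $host
    ProxyRequests    Off
    ProxyPass        / http://$int/
    ProxyPassReverse / http://$int/
</VirtualHost>
EOF
}

# Demonstration with constructed addresses (203.0.113.0/24 is documentation space)
if [ "${1:-}" = "demo" ]; then
    echo "# case 1: distinct public IPs"
    dnat_rules 203.0.113.10 192.168.0.3
    dnat_rules 203.0.113.11 192.168.0.4
    echo "# case 2: one public IP, proxy on the firewall"
    proxy_rules 203.0.113.10 192.168.0.3 192.168.0.4
    proxy_vhost sub1.mydomain.com 192.168.0.3
    proxy_vhost sub2.mydomain.com 192.168.0.4
fi
```

Running it as `sh script.sh demo` prints both rule sets; note that `proxy_rules` emits no FORWARD rule at all, which is exactly the difference Alistair points out. `ProxyRequests Off` keeps Apache acting only as a reverse proxy for the listed hosts rather than an open forward proxy.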