* Matching packets by HTTP header "Host"
@ 2007-03-13 10:47 Giovanni Lovato
2007-03-13 11:15 ` Joris Dobbelsteen
2007-03-13 18:38 ` Pascal Hambourg
From: Giovanni Lovato @ 2007-03-13 10:47 UTC (permalink / raw)
To: netfilter
Hi all.
I'm trying to forward packets to different hosts depending on the "Host"
header in HTTP packets, e.g. packets on port 80 requesting "Host:
one.example.org" to 192.168.0.1 and all other on port 80 to 192.128.0.2.
I did:
iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
    --string "Host: one.example.org" --destination-port 80 \
    -j DNAT --to-destination 192.168.0.1

iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 \
    -j DNAT --to-destination 192.168.0.2
But all packets are going to 192.168.0.2. Do I miss something?
Regards,
G.L.
--
www.aldu.net/~heruan
giovanni.lovato@aldu.net
ldaps://pgpkeys.aldu.net
* RE: Matching packets by HTTP header "Host"
From: Joris Dobbelsteen @ 2007-03-13 11:15 UTC (permalink / raw)
To: Giovanni Lovato, netfilter
Giovanni Lovato wrote:
>Hi all.
>I'm trying to forward packets to different hosts depending on
>the "Host"
>header in HTTP packets, e.g. packets on port 80 requesting "Host:
>one.example.org" to 192.168.0.1 and all other on port 80 to
>192.128.0.2.
This processing is at too high a level for NetFilter (without proper
extensions).
You should rather use an HTTP proxy, like squid or apache with the proxy
module, for this operation. These are capable of handling such requests.
>I did:
>iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
>    --string "Host: one.example.org" --destination-port 80 \
>    -j DNAT --to-destination 192.168.0.1
>
>iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 \
>    -j DNAT --to-destination 192.168.0.2
>
>But all packets are going to 192.168.0.2. Do I miss something?
The problem is that at connection time you cannot yet choose which
server you must connect to. This can only be decided when you are
already connected.
- Joris
* Re: Matching packets by HTTP header "Host"
From: Pascal Hambourg @ 2007-03-13 18:38 UTC (permalink / raw)
To: netfilter
Hello,
Giovanni Lovato wrote:
>
> I'm trying to forward packets to different hosts depending on the "Host"
> header in HTTP packets, e.g. packets on port 80 requesting "Host:
> one.example.org" to 192.168.0.1 and all other on port 80 to 192.128.0.2.
> I did:
>
> iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
>     --string "Host: one.example.org" --destination-port 80 \
>     -j DNAT --to-destination 192.168.0.1
>
> iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 \
>     -j DNAT --to-destination 192.168.0.2
>
> But all packets are going to 192.168.0.2. Do I miss something?
Rules in the 'nat' table apply only to the first packet of a new
connection. The NAT operation for the whole connection is determined by
the NAT rules applied to the first (SYN) packet of the connection, which
does not contain any HTTP payload data such as the "Host" header. So the
first rule never matches a packet. As suggested, use an HTTP proxy instead.
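Both replies above rest on the same fact: the nat-table decision is taken on the SYN, which carries no HTTP bytes, so the Host header can only be acted on by something that reads the request before choosing a backend. The Python below is an added example written for this thread, not code from any of the posters or from the netfilter project. It models the `-m string` match on a constructed SYN payload and on a constructed request, then shows the application-layer alternative: a small forwarding proxy that reads the request head, picks the backend from the Host header and relays the connection. The backend addresses are the ones from the question; the listen address, the sample request, the MAX_HEAD limit and every function name are assumptions made here.

```python
"""Host-header routing at the application layer.  Added example for this
thread, not code from the posters or from netfilter; backend addresses are
from the question, everything else here is assumed."""
import contextlib
import socket
import threading
from typing import Optional, Tuple

Addr = Tuple[str, int]
# Routing table from the question: one.example.org -> .1, everything else -> .2
BACKENDS = {"one.example.org": ("192.168.0.1", 80)}
DEFAULT_BACKEND: Addr = ("192.168.0.2", 80)
MAX_HEAD = 8192  # bound on header bytes buffered before a routing decision

# Constructed samples.  A TCP SYN carries no application data at all; the
# Host header first appears in a data segment sent after the handshake.
SYN_PAYLOAD = b""
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: One.Example.ORG:80\r\n"
           b"User-Agent: constructed-sample\r\n\r\n")


def string_match(payload: bytes, pattern: bytes) -> bool:
    """Model of `-m string --algo bm --string PATTERN`: a byte-exact substring
    search over whatever the matched packet carries.  For a SYN that is
    nothing, so the DNAT rule from the question can never fire."""
    return pattern in payload


def parse_host(head: bytes) -> Optional[str]:
    """Normalised Host value (lowercased, port stripped) from a request head,
    or None when Host is missing or duplicated: such a request is ambiguous
    and must not be routed by guessing."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]   # skip request line
    hosts = [ln.split(b":", 1)[1].strip()
             for ln in lines if ln[:5].lower() == b"host:"]
    if len(hosts) != 1:
        return None
    host = hosts[0].decode("ascii", "replace").lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:80
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host or None


def choose_backend(head: bytes) -> Optional[Addr]:
    """The decision the nat table cannot take: made only once the head is read."""
    host = parse_host(head)
    return None if host is None else BACKENDS.get(host, DEFAULT_BACKEND)


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF or error, then shut both sockets down."""
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)


def handle(client: socket.socket) -> None:
    """Read the request head, pick the backend, then relay in both directions."""
    head = b""
    with client:
        while b"\r\n\r\n" not in head and len(head) < MAX_HEAD:
            chunk = client.recv(4096)
            if not chunk:
                return
            head += chunk
        backend = choose_backend(head) if b"\r\n\r\n" in head else None
        if backend is None:                       # oversize head, no Host, or two
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        upstream = socket.create_connection(backend, timeout=10)
        upstream.settimeout(None)                 # the timeout was for connect only
        with upstream:
            upstream.sendall(head)                # includes any body bytes already read
            t = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
            t.start()
            _pipe(client, upstream)
            t.join()


def serve(bind: Addr = ("0.0.0.0", 8080)) -> None:
    """Accept loop; run on the box that previously held the DNAT rules."""
    with socket.create_server(bind) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    print("Host visible on the SYN?", string_match(SYN_PAYLOAD, b"Host: one.example.org"))
    serve()
```

Run it as a script on the box that used to carry the DNAT rules and point clients at port 8080 (or change the bind address). Two points a practitioner would want that the thread does not spell out: the proxy refuses a request with no Host header or with two of them instead of picking one, because a dispatcher that silently resolves conflicting Host values is a classic source of disagreement between front end and backend about which vhost served a request; and the request head is capped at MAX_HEAD bytes, so an unauthenticated client cannot make the proxy buffer without bound before any routing decision is made. Note also that `-m string` is a byte-exact match unless `--icase` is given, whereas the proxy lowercases and strips the port, so `Host: One.Example.ORG:80` still routes to 192.168.0.1.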
* Re: Matching packets by HTTP header "Host"
From: Giovanni Lovato @ 2007-03-13 18:50 UTC (permalink / raw)
To: netfilter
Pascal Hambourg wrote:
> Hello,
>
> Giovanni Lovato wrote:
>>
>> I'm trying to forward packets to different hosts depending on the "Host"
>> header in HTTP packets, e.g. packets on port 80 requesting "Host:
>> one.example.org" to 192.168.0.1 and all other on port 80 to 192.128.0.2.
>> I did:
>>
>> iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm \
>>     --string "Host: one.example.org" --destination-port 80 \
>>     -j DNAT --to-destination 192.168.0.1
>>
>> iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 \
>>     -j DNAT --to-destination 192.168.0.2
>>
>> But all packets are going to 192.168.0.2. Do I miss something?
>
> Rules in the 'nat' table apply only to the first packet of a new
> connection. The NAT operation for the whole connection is determined by
> the NAT rules applied to the first (SYN) packet of the connection, which
> does not contain any HTTP payload data such as the "Host" header. So the
> first rule never matches a packet. As suggested, use an HTTP proxy instead.
Thank you all.
I used Apache mod_proxy_http to meet my needs!
G.L.
--
www.aldu.net/~heruan
giovanni.lovato@aldu.net
ldaps://pgpkeys.aldu.net