* DNAT & Host Headers
@ 2003-07-01 1:32 tim
0 siblings, 0 replies; 4+ messages in thread
From: tim @ 2003-07-01 1:32 UTC (permalink / raw)
To: Netfilter Mailing List
First, here are the rules within their respective chains:
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET -j DNAT --to $NEMESIS
iptables -A FORWARD -p tcp --dport 80 -d $NEMESIS -j ACCEPT
I'm running this particular web-site with a host header. When I type in the www.mydomain.com address on the browser and the packets hit the PREROUTING chain and then the FORWARD chain, how will the communication still know that it is meant for www.mydomain.com?
Will this work, or do I need to modify the rules in order for my web server to recognize that the information is intended for www.mydomain.com? As it is, there are several web-sites within my web-server utilizing the same IP address, including the default web-site.
Any insight will be gratefully appreciated.
Thanks in advance
Tim--Mia/Fla.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: DNAT & Host Headers
2003-07-01 1:33 DNAT & Host Headers Tim
@ 2003-07-01 1:40 ` David Busby
0 siblings, 0 replies; 4+ messages in thread
From: David Busby @ 2003-07-01 1:40 UTC (permalink / raw)
To: Tim, Netfilter Mailing List
When using Apache, the server will look at the HTTP Host header, which in your
case would be "Host: www.mydomain.com\r\n".
The HTTP headers are contained inside the TCP packet and are not modified by
iptables (in your rules).
So as long as the server can communicate in and out, the host name will only
affect the web server.
Of course, the web server must be configured to look for that host header
name (and alternatives such as mydomain.com) and to listen on the IP address
$NEMESIS.
HTH
/B
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: DNAT & Host Headers
@ 2003-07-01 1:44 George Vieira
0 siblings, 0 replies; 4+ messages in thread
From: George Vieira @ 2003-07-01 1:44 UTC (permalink / raw)
To: Tim, Netfilter Mailing List
Connection tracking takes care after the SYN packet. Every connection ALWAYS uses the header (HTTP protocol) even for images and all... except for port 443 which is impossible after it switches to encrypted mode.
I have this as a backup for our sites here: if any virtual site fails, I can use a string match to move --string "Host: www.domain.com" to another server, and not ALL sites, which are working fine.
This works well and, thank god, it hasn't been required yet.
Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698 <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
^ permalink raw reply [flat|nested] 4+ messages in thread