* DNAT based on domain name instead of IP address
@ 2004-01-28 23:22 Glen Lee Edwards
From: Glen Lee Edwards @ 2004-01-28 23:22 UTC (permalink / raw)
To: netfilter
I have several domains that use the same IP address. Can I DNAT them to
different servers based on domain name instead of IP address using
iptables? I've tried the following, but it isn't working:
iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
DNAT --to-destination 192.168.1.12:80
iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
DNAT --to-destination 192.168.1.13:80
Everything is being forwarded to 192.168.1.12 no matter which domain is
used. It appears that the domains are first being translated into the
IP address, which is used instead.
Glen
* Re: DNAT based on domain name instead of IP address
From: John A. Sullivan III @ 2004-01-28 23:45 UTC (permalink / raw)
To: Glen Lee Edwards; +Cc: netfilter
On Wed, 2004-01-28 at 18:22, Glen Lee Edwards wrote:
> I have several domains that use the same IP address. Can I DNAT them to
> different servers based on domain name instead of IP address using
> iptables? I've tried the following, but it isn't working:
>
> iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.12:80
>
> iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.13:80
>
> Everything is being forwarded to 192.168.1.12 no matter which domain is
> used. It appears that the domains are first being translated into the
> IP address, which is used instead.
>
> Glen
I'm going to go way out on a limb here and speculate so if someone who
has actually looked at the code tells you otherwise, please listen to
them and not me!
I would assume that netfilter is only operating at layer 3. I believe
from an earlier enlightening post from Anthony Stone(?) that all domain
names are resolved to IP addresses when the rule is loaded and the rule
uses the layer three information, i.e., the IP address, to evaluate the
rule.
It sounds like you need something that will operate on the layer 7 data
since that's where the url/uri information is going to be. Perhaps a
proxy like squid has the ability to redirect traffic based upon layer 7
information.
I'm quite curious to see how you ultimately resolve this. Good luck -
John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: DNAT based on domain name instead of IP address
From: Erik Bourget @ 2004-01-28 23:47 UTC (permalink / raw)
To: Glen Lee Edwards; +Cc: netfilter
Glen Lee Edwards <glen@holiness.ch> writes:
> I have several domains that use the same IP address. Can I DNAT them to
> different servers based on domain name instead of IP address using
> iptables? I've tried the following, but it isn't working:
>
> iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.12:80
>
> iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.13:80
>
> Everything is being forwarded to 192.168.1.12 no matter which domain is
> used. It appears that the domains are first being translated into the
> IP address, which is used instead.
TCP packets know nothing of DNS ... an application will 1) look up the name at
a DNS server, 2) retrieve the IP from the DNS server, and 3) connect to the IP
address.
Apache can do virtual domains ... HTTP 1.1 requires that you specify the
domain name.
- Erik
* Re: DNAT based on domain name instead of IP address
From: William Stearns @ 2004-01-28 23:59 UTC (permalink / raw)
To: Glen Lee Edwards; +Cc: ML-netfilter, William Stearns
Good evening, Glen,
On 28 Jan 2004, Glen Lee Edwards wrote:
> I have several domains that use the same IP address. Can I DNAT them to
> different servers based on domain name instead of IP address using
> iptables? I've tried the following, but it isn't working:
>
> iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.12:80
>
> iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> DNAT --to-destination 192.168.1.13:80
>
> Everything is being forwarded to 192.168.1.12 no matter which domain is
> used. It appears that the domains are first being translated into the
> IP address, which is used instead.
Your last statement explains what's happening, and you're
exactly right. Even if you use domain names on the command line, iptables
converts them to ip addresses before handing them off to the kernel.
Iptables isn't really capable of what you're asking; it's
primarily designed to make choices about packets based on header
information. Although some components of it can inspect the payload, it's
not capable of doing the differentiation you need.
What you want is a userspace application that can look in the
payload of the packet and identify the Host: header in an http request,
and send the connection off to the right web server based on that header.
One place to start is the squid cache (
http://www.squid-cache.org ) and the httpd_accel_* options.
Cheers,
- Bill
---------------------------------------------------------------------------
"We don't want an election without a paper trail...all three
owners of the companies who make these machines are donors to the Bush
administration. Is this not corruption?"
-- Gore Vidal
(Courtesy of http://www.laweekly.com/ink/03/52/features-cooper.php)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
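The userspace Host-header dispatcher Bill and John describe, as an added example that is not part of this thread or of squid, Apache or netfilter: it reads just enough of each connection to find the Host header, picks a backend from a constructed table built from the two servers in Glen's rules, and relays the connection. An accept loop that hands each client socket to handle() is assumed around it, and the function names and the 8 KiB header limit are my choices.

```python
# Added example, not from the thread: the userspace Host-header dispatcher the
# replies describe. Names and backends are assumed from Glen's iptables rules.
import socket
import threading

ROUTES = {"1st.domain.com": ("192.168.1.12", 80),   # constructed routing table
          "2nd.domain.com": ("192.168.1.13", 80)}

def parse_host(head: bytes):
    """Host header of a raw request head, lower-cased, :port stripped; None if absent."""
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        if not line:                                # blank line ends the headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host": # header names are case-insensitive
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def select_backend(head: bytes, routes=ROUTES):
    """(ip, port) for the request's Host; None for an unknown or missing Host,
    which is refused instead of falling through to one server (Glen's symptom)."""
    host = parse_host(head)
    return routes.get(host) if host else None

def read_head(conn, limit=8192):
    """Read until the blank line that ends the headers, capped at `limit` bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit and (chunk := conn.recv(4096)):
        buf += chunk
    return buf

def pump(src, dst):
    try:                                            # relay one direction, then
        while data := src.recv(65536):              # half-close so the peer sees EOF
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client):
    """Serve one accepted connection: read the head, pick a backend, relay."""
    head = read_head(client)
    backend = select_backend(head)
    if backend is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    with socket.create_connection(backend) as upstream:
        upstream.sendall(head)                      # replay the bytes already read
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)
```

The decision is made after the TCP handshake, once the Host header has arrived, which is the only point at which the name is visible; the destination IP, identical for both names, never enters into it.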
* Re: DNAT based on domain name instead of IP address
From: Shawn @ 2004-01-29 0:01 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Glen Lee Edwards, netfilter@lists.netfilter.org
Doesn't apache have the smarts to figure it out on its own? I've never
put squid in as an incoming request proxy server. I don't know that
squid or apache will give you quite what you want though.
1st, determine if you /really/ need two servers (.12 and .13). I think a
single apache can have multiple document roots based on the domain in
the URL requested.
2nd, if you do think you need 2 servers, figure out why exactly and if
you can solve the problem from some other angle.
3rd, if you really need it, I think L7 filtering is how you want to go,
but I can't guide you. I've not yet found a problem to solve with L7 for
myself.
On Wed, 2004-01-28 at 17:45, John A. Sullivan III wrote:
> On Wed, 2004-01-28 at 18:22, Glen Lee Edwards wrote:
> > I have several domains that use the same IP address. Can I DNAT them to
> > different servers based on domain name instead of IP address using
> > iptables? I've tried the following, but it isn't working:
> >
> > iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> > DNAT --to-destination 192.168.1.12:80
> >
> > iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> > DNAT --to-destination 192.168.1.13:80
> >
> > Everything is being forwarded to 192.168.1.12 no matter which domain is
> > used. It appears that the domains are first being translated into the
> > IP address, which is used instead.
> >
> > Glen
>
> I'm going to go way out on a limb here and speculate so if someone who
> has actually looked at the code tells you otherwise, please listen to
> them and not me!
>
> I would assume that netfilter is only operating at layer 3. I believe
> from an earlier enlightening post from Anthony Stone(?) that all domain
> names are resolved to IP addresses when the rule is loaded and the rule
> uses the layer three information, i.e., the IP address, to evaluate the
> rule.
>
> It sounds like you need something that will operate on the layer 7 data
> since that's where the url/uri information is going to be. Perhaps a
> proxy like squid has the ability to redirect traffic based upon layer 7
> information.
>
> I'm quite curious to see how you ultimately resolve this. Good luck -
> John
* Re: DNAT based on domain name instead of IP address
From: Shawn @ 2004-01-29 0:02 UTC (permalink / raw)
To: Erik Bourget; +Cc: Glen Lee Edwards, netfilter@lists.netfilter.org
Yeah, only he does not have any "one true apache" server answering. I
think that is, however, what he /should/ do.
On Wed, 2004-01-28 at 17:47, Erik Bourget wrote:
> Glen Lee Edwards <glen@holiness.ch> writes:
>
> > I have several domains that use the same IP address. Can I DNAT them to
> > different servers based on domain name instead of IP address using
> > iptables? I've tried the following, but it isn't working:
> >
> > iptables -t nat -A PREROUTING -p tcp -d 1st.domain.com --dport 80 -j
> > DNAT --to-destination 192.168.1.12:80
> >
> > iptables -t nat -A PREROUTING -p tcp -d 2nd.domain.com --dport 80 -j
> > DNAT --to-destination 192.168.1.13:80
> >
> > Everything is being forwarded to 192.168.1.12 no matter which domain is
> > used. It appears that the domains are first being translated into the
> > IP address, which is used instead.
>
> TCP packets know nothing of DNS ... an application will 1) look up the name at
> a DNS server, 2) retrieve the IP from the DNS server, and 3) connect to the IP
> address.
>
> Apache can do virtual domains ... HTTP 1.1 requires that you specify the
> domain name.
>
> - Erik
>
>