Linux Netfilter discussions
* nat problems
@ 2002-11-05  6:03 Andrés Suárez
  2002-11-05  7:08 ` Bjørn Ruberg
From: Andrés Suárez @ 2002-11-05  6:03 UTC (permalink / raw)
  To: netfilter

Hi:

I'm new to this list, and I have a problem that I don't know if it is solved yet, 
but I really need help.

I have a Linux machine, with one public IP address, running DNS, WWW, SMTP, 
and other services. I have some domains hosted on this machine. Those domains 
have the same IP, because I have only one. That is working fine, I can see 
all of my domains, send mail from and to my machine. Those domains are 
visible to and from the internet.

My problem begins here. I want to host one of these domains on another computer, 
inside my local network. This computer has a private IP. 
I created a rule in my iptables that changes the destination address for that 
domain:
iptables -t nat -A PREROUTING -s 0/0 -d mydomain.com -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2

eth0 is the ethernet card that is connected to the internet. mydomain.com is 
the domain that I want to host on the local machine which has the local IP 
10.0.0.2

That makes all the traffic on port 80 go to the 10.0.0.2 IP, so the 
other domains on the machine connected to the internet go to that IP 
too. I want ONLY that domain redirected to the private network, to make 
some kind of dedicated server, using one public IP and some virtual servers 
on the main machine (which is connected to the internet and has the public 
IP).

Thanks,

Andres Suarez
Webmaster
http://www.colservers.com



* Re: nat problems
  2002-11-05  6:03 nat problems Andrés Suárez
@ 2002-11-05  7:08 ` Bjørn Ruberg
From: Bjørn Ruberg @ 2002-11-05  7:08 UTC (permalink / raw)
  To: netfilter

On Tue, 2002-11-05 at 07:03, Andrés Suárez wrote:
> Hi:
> 
> I'm new to this list, and I have a problem that I don't know if it is solved yet, 
> but I really need help.
> 
> I have a Linux machine, with one public IP address, running DNS, WWW, SMTP, 
> and other services. I have some domains hosted on this machine. Those domains 
> have the same IP, because I have only one. That is working fine, I can see 
> all of my domains, send mail from and to my machine. Those domains are 
> visible to and from the internet.
> 
> My problem begins here. I want to host one of these domains on another computer, 
> inside my local network. This computer has a private IP. 
> I created a rule in my iptables that changes the destination address for that 
> domain:
> iptables -t nat -A PREROUTING -s 0/0 -d mydomain.com -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2
> 
> eth0 is the ethernet card that is connected to the internet. mydomain.com is 
> the domain that I want to host on the local machine which has the local IP 
> 10.0.0.2
> 
> That makes all the traffic on port 80 go to the 10.0.0.2 IP, so the 
> other domains on the machine connected to the internet go to that IP 
> too. I want ONLY that domain redirected to the private network, to make 
> some kind of dedicated server, using one public IP and some virtual servers 
> on the main machine (which is connected to the internet and has the public 
> IP).

The HTTP protocol, which your web server uses to hand out the web
pages people ask for, is able to distinguish which domain name is
requested even (or rather particularly) when the different domains' web sites
are served from the same IP address. This is what is called vhosts. In
detail, a web browser contacts your IP address and asks for a given
domain's web site. This is a feature of the HTTP protocol (1).

Iptables is not able to make such distinctions (and shouldn't either),
because it operates at lower levels (2) than the HTTP protocol. 
Iptables makes its decisions well before the question of which domain
name is being asked for even arises, and as such *all* requests to your web
site will be routed to your 10.0.0.2 server.

You see, when you run your iptables rule given above, iptables checks to
see which IP address 'mydomain.com' has, and then decides that all port
80 access to this IP should be sent to 10.0.0.2. This will of course
affect any port 80 service you are running.

Maybe Apache (I assume that's what you use) has an option for internal
rerouting of web sites; I don't know. Check
http://httpd.apache.org/ for Apache features.

Hope this helps,

Bjørn

(1) Yeah, I know it's version specific.
(2) iptables handles layer 3 and layer 4 in the OSI layer model, while
HTTP is at [5-7] in the same model.



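As an added example (not code from the thread or from the netfilter project), the following Python model shows the point Bjørn makes: the rule in the first message is evaluated on IP and TCP header fields, which are identical for every domain hosted on the one public address, while the domain the browser asked for is only available in the HTTP request carried in the TCP payload. The public address 198.51.100.10, the client address, the name otherdomain.com and the proxy table are assumptions made up for the example; mydomain.com and 10.0.0.2 come from the thread.

```python
"""
Added example, not part of the original thread: a model of why the poster's
PREROUTING rule sends every domain's port-80 traffic to 10.0.0.2.

The rule can only test IP and TCP header fields (layers 3 and 4). The domain a
browser asked for lives in the HTTP request (layer 7), inside the TCP payload,
which netfilter's DNAT match never looks at. The addresses, domain names and
backend mapping below are assumptions made up for the example; mydomain.com
and 10.0.0.2 are taken from the thread.
"""
from __future__ import annotations

PUBLIC_IP = "198.51.100.10"      # assumed public address of the gateway
BACKEND_IP = "10.0.0.2"          # the internal host from the thread
GATEWAY_ITSELF = "127.0.0.1"     # vhosts the gateway serves locally

# Assumed DNS view: with a single public IP, every hosted domain resolves to it.
DNS = {"mydomain.com": PUBLIC_IP, "otherdomain.com": PUBLIC_IP}


def load_dnat_rule(domain: str, dport: int = 80) -> dict:
    """Model how iptables treats '-d mydomain.com ... --dport 80 -j DNAT'.

    The host name is resolved once, when the rule is loaded; the match that
    ends up in the kernel tests the resulting address, protocol and port.
    """
    return {"dst": DNS[domain], "proto": "tcp", "dport": dport, "to": BACKEND_IP}


def dnat_applies(rule: dict, pkt: dict) -> bool:
    """Evaluate the rule the way netfilter does: header fields only.

    pkt['payload'] is deliberately never inspected.
    """
    return (pkt["dst"] == rule["dst"]
            and pkt["proto"] == rule["proto"]
            and pkt["dport"] == rule["dport"])


def http_host(request: bytes) -> str | None:
    """Return the host named in a raw HTTP/1.x request, lower-cased, without port.

    An absolute-URI request target takes precedence over the Host header, as
    HTTP/1.1 requires. Returns None when no host is named (for example an
    HTTP/1.0 request without a Host header); name-based vhosts cannot tell
    such requests apart either.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    target = parts[1]
    if target.lower().startswith(b"http://"):
        return _strip_port(target[len(b"http://"):].split(b"/", 1)[0])
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host" and value.strip():
            return _strip_port(value)
    return None


def _strip_port(authority: bytes) -> str:
    host = authority.decode("latin-1").strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def proxy_backend(request: bytes, backends: dict) -> str:
    """What an application-layer proxy on the gateway can do and netfilter
    cannot: choose the backend from the Host header."""
    return backends.get(http_host(request), GATEWAY_ITSELF)


# Constructed sample traffic: two requests to the same IP and port.
REQ_MYDOMAIN = b"GET /index.html HTTP/1.1\r\nHost: mydomain.com\r\n\r\n"
REQ_OTHER = b"GET /index.html HTTP/1.1\r\nHost: otherdomain.com\r\n\r\n"
REQ_HTTP10 = b"GET /index.html HTTP/1.0\r\n\r\n"
PROXY_TABLE = {"mydomain.com": BACKEND_IP}   # assumed proxy routing table


def packet(payload: bytes, src: str = "203.0.113.5") -> dict:
    """Build a model packet as it arrives on eth0 (assumed client address)."""
    return {"src": src, "dst": PUBLIC_IP, "proto": "tcp", "dport": 80, "payload": payload}


if __name__ == "__main__":
    rule = load_dnat_rule("mydomain.com")
    for req in (REQ_MYDOMAIN, REQ_OTHER, REQ_HTTP10):
        pkt = packet(req)
        print(f"host={http_host(req)!s:16} dnat={dnat_applies(rule, pkt)} "
              f"proxy -> {proxy_backend(req, PROXY_TABLE)}")
```

Run stand-alone, the script shows `dnat_applies` returning True for all three requests while `proxy_backend` sends only the mydomain.com request to 10.0.0.2. Real iptables behaves like `load_dnat_rule`: a host name given to `-d` is resolved when the rule is inserted (one rule per address if the name has several), so the kernel never sees the name. The practical fix is the one the reply points at: keep all port 80 traffic on the gateway and let the web server forward the mydomain.com vhost to the internal host, for example with Apache's mod_proxy (`ProxyPass`), which does select on the Host header.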