Re: Matching packets by HTTP header "Host"

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: Matching packets by HTTP header "Host"
Date: Tue, 13 Mar 2007 19:38:08 +0100	[thread overview]
Message-ID: <45F6EF90.3040504@plouf.fr.eu.org> (raw)
In-Reply-To: <45F68159.5040606@aldu.net>

Hello,

Giovanni Lovato a écrit :
> 
> I'm trying to forward packets to different hosts depending on the "Host"
> header in HTTP packets, e.g. packets on port 80 requesting "Host:
> one.example.org" to 192.168.0.1 and all other on port 80 to 192.128.0.2.
> I did:
> 
> iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm
> - --string "Host: one.example.org" --destination-port 80 -j DNAT
> - --to-destination 192.168.0.1
> 
> iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 -j
> DNAT --to-destination 192.168.0.2
> 
> But all packets are going to 192.168.0.2. Do I miss something?

Rules in the 'nat' table apply only to the first packet of a new 
connection. NAT operations for the whole connection is determined by the 
NAT rules applied to the first (SYN) packet of the connection, which 
does not contain any HTTP payload data such as the "Host" header. So the 
first rule never matches a packet. As suggested, use a HTTP proxy instead.

next prev parent reply	other threads:[~2007-03-13 18:38 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-03-13 10:47 Matching packets by HTTP header "Host" Giovanni Lovato
2007-03-13 11:15 ` Joris Dobbelsteen
2007-03-13 18:38 ` Pascal Hambourg [this message]
2007-03-13 18:50   ` Giovanni Lovato

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=45F6EF90.3040504@plouf.fr.eu.org \
    --to=pascal.mail@plouf.fr.eu.org \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox