Gentoo Forums
iptables redirect domain
selig
Guru
Joined: 31 Jul 2005
Posts: 425
Location: Prague, Czech Republic

PostPosted: Tue Jan 12, 2010 8:16 am    Post subject: iptables redirect domain

Hello, I would like to redirect specific domains from one server (IP) to another using iptables.

Will something like this work?

Code:

iptables -t nat -A PREROUTING -d $DOMAIN_NAME -j DNAT --to-destination $SERVER2_IP
iptables -t nat -A POSTROUTING -j MASQUERADE
anello
Guru
Joined: 17 Jul 2005
Posts: 557
Location: EU -> DE -> Stuttgart

PostPosted: Tue Jan 12, 2010 8:57 am    Post subject:

It will only work if the domain name has one fixed static IP, and it does not take care of vhosts.

iptables resolves the domain names at the moment you load the rules. If the IP of the domain name changes after the load, the firewall rules won't be aware of the new IP. There is no refreshing until the next reload of the rules!

You may want to look into Apache http_proxy. You can simply redirect the sites/vhosts while using a different entry server.

Hope that helps!
_________________
Antonino Catinello | http://catinello.eu
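Added example of the vhost-based approach suggested above (this is not code from the thread or from anello): a name-based Apache vhost that reverse-proxies one hostname to a second server while another hostname is still served locally. The hostnames, the backend address 192.168.0.2 and the DocumentRoot are constructed; the directives are standard mod_proxy / mod_proxy_http, which must be loaded.

```apache
# Added example, not from the thread. Assumes mod_proxy and mod_proxy_http
# are loaded; hostnames and the backend IP are constructed placeholders.

# Reverse proxy only. Leaving ProxyRequests on would turn the box into an
# open forward proxy for anyone who can reach it.
ProxyRequests Off

# This hostname is handed to the other server. The decision is made on the
# Host header, which is why it works where a DNAT rule cannot.
<VirtualHost *:80>
    ServerName redirect.example.com
    # Pass the original Host header on, so vhosts on the backend still match.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.0.2/
    ProxyPassReverse / http://192.168.0.2/
</VirtualHost>

# Same IP, different hostname: served from this machine, no proxying.
<VirtualHost *:80>
    ServerName other.example.com
    DocumentRoot /var/www/other
</VirtualHost>
```

On Apache 2.2 (current when this thread was written) name-based vhosts also need a `NameVirtualHost *:80` line before the first `<VirtualHost *:80>`; Apache 2.4 dropped that directive. Because the proxy picks the backend only after reading the request head, clients that reach the server by IP or with an unknown Host fall through to the first vhost defined, so put the one you want as the default first.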
selig
Guru
Joined: 31 Jul 2005
Posts: 425
Location: Prague, Czech Republic

PostPosted: Tue Jan 12, 2010 6:58 pm    Post subject:

I see... thank you for the reply! I need this because of vhosts so I'd better look at the proxying in apache.
Bircoph
Developer
Joined: 27 Jun 2008
Posts: 261
Location: Moscow

PostPosted: Wed Jan 13, 2010 3:14 am    Post subject:

This may also be done via l7-filter. Of course, header analysis will be more expensive than ordinary iptables rules.
_________________
Per aspera ad astra!
tftd
n00b
Joined: 27 May 2010
Posts: 1

PostPosted: Thu May 27, 2010 4:28 pm    Post subject: Re: iptables redirect domain

selig wrote:
Hello, I would like to redirect specific domains from one server (IP) to another using iptables.

Will something like this work?

Code:

iptables -t nat -A PREROUTING -d $DOMAIN_NAME -j DNAT --to-destination $SERVER2_IP
iptables -t nat -A POSTROUTING -j MASQUERADE


Hey :)

This will work:
Code:

#!/bin/sh
internet='ppp0' # Or the interface on which you see the network
source="0.0.0.0/0.0.0.0" # this will redirect everybody to that port. If you want you may specify only one IP address or an IP range.
domain="redirect.mydomain.com" # the domain/subdomain that will be redirected
sourcePort="22" # the port which you'll redirect.
toDestination="192.168.0.2" # where to redirect to.
destinationPort="22" # on which port to redirect.

iptables -t mangle -P PREROUTING ACCEPT
# $domain is resolved to an IP once, when this rule is loaded
iptables -t nat -A PREROUTING -p tcp -i "$internet" --source "$source" -d "$domain" --destination-port "$sourcePort" -j DNAT --to-destination "$toDestination:$destinationPort"


I think that if you remove "--destination-port" and set "--to-destination" only to an IP address it might work. I haven't tested it, though.
At home I only need a couple of ports being redirected.

You might need to experiment a bit or even compile a new kernel to get that code working. That line is working on my server - slackware 12.2, iptables v1.4.2, Linux whitestar 2.6.32.8.

Hope this helps somebody :)
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21624

PostPosted: Fri May 28, 2010 1:55 am    Post subject: Re: iptables redirect domain

tftd wrote:
This will work:

Hope this helps somebody :)
Setting aside that you woke up a thread that was dormant for more than four months, your proposed solution does not work because the proposed problem cannot be solved purely in iptables. The commands you gave will execute successfully, but will not achieve the goal specified by the original poster. His request was to have two or more DNS A records that point to the same IP address and to have iptables treat the incoming connection differently depending upon which A record was used to find the server's address. This is impossible because TCP/IP does not provide a way for the client to specify what DNS A record (if any) it used to find the server. Higher level protocols, such as HTTP, allow clients to pass along this information, but iptables must make a decision long before the higher level protocol has sent that information. Thus, the vhost approach that he indicated he would pursue is necessary, since that decision can be deferred until the HTTP transaction has sent which hostname was used.
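Added example illustrating the point made above, not code from the thread or from any of its posters: what a NAT rule can see when the SYN arrives (addresses and ports, no hostname) against what a name-based proxy can see once the HTTP request head is in (the Host header). The routing table, hostnames, backend addresses and request bytes are constructed for the example.

```python
"""Added example (not from the thread): the hostname a client resolved is
not in the packet; it first appears in the application protocol.

The routing table, hostnames and request bytes are constructed; the
backend addresses do not refer to real servers.
"""

# Constructed table, the kind a vhost proxy holds: hostname -> backend.
ROUTES = {
    "www.example.com": "192.168.0.2",
    "mail.example.com": "192.168.0.3",
}
DEFAULT_BACKEND = "192.168.0.1"


def packet_level_view(dst_ip, dst_port):
    """What a PREROUTING/DNAT rule has to work with when the SYN arrives:
    destination address and port. Which A record the client used to get
    there is not carried anywhere in TCP/IP, so hostname is always None."""
    return {"dst_ip": dst_ip, "dst_port": dst_port, "hostname": None}


def parse_host_header(request):
    """Return the lowercased Host header of an HTTP/1.x request head, without
    any :port, or None when the request carries no Host at all (HTTP/1.0).
    Raises ValueError while the head is incomplete: a proxy must keep
    reading until the blank line before it can decide anything."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head incomplete; read more bytes")
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):
                # IPv6 literal: keep the bracketed address, drop a trailing :port
                end = host.find("]")
                host = host[: end + 1] if end != -1 else host
            else:
                host = host.split(":", 1)[0]  # drop optional :port
            return host
    return None


def select_backend(request):
    """The decision a vhost proxy can make and a NAT rule cannot: pick the
    backend by Host header, falling back to a default for unknown or
    missing hostnames (which is also what a client hitting the IP gets)."""
    host = parse_host_header(request)
    return ROUTES.get(host, DEFAULT_BACKEND)


if __name__ == "__main__":
    print("at the SYN:", packet_level_view("203.0.113.10", 80))
    req = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print("after the request head:", select_backend(req))
```

The same holds for HTTPS: the name shows up in the SNI extension of the TLS ClientHello rather than in the packet headers, so an SNI-aware proxy can route it, while a DNAT rule again has only the destination IP and port 443 to go on.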