selig Guru
Joined: 31 Jul 2005 Posts: 425 Location: Prague, Czech Republic
Posted: Tue Jan 12, 2010 8:16 am Post subject: iptables redirect domain
Hello, I would like to redirect specific domains from one server (IP) to another using iptables.
Will something like this work?
Code:
iptables -t nat -A PREROUTING -d $DOMAIN_NAME -j DNAT --to-destination $SERVER2_IP
iptables -t nat -A POSTROUTING -j MASQUERADE
anello Guru
Joined: 17 Jul 2005 Posts: 557 Location: EU -> DE -> Stuttgart
Posted: Tue Jan 12, 2010 8:57 am
It will only work if the domain name has one fixed static IP, and it does not take care of vhosts.
iptables resolves the domain names at the moment you load the rules. If the IP of the domain name changes after the load, the firewall rules won't be aware of the new IP. There is no refreshing until the next reload of the rules!
You may want to look into Apache http_proxy. You can simply redirect the sites/vhosts while using a different entry server.
Hope that helps!
_________________
Antonino Catinello | http://catinello.eu
selig Guru
Joined: 31 Jul 2005 Posts: 425 Location: Prague, Czech Republic
Posted: Tue Jan 12, 2010 6:58 pm
I see... thank you for the reply! I need this because of vhosts, so I'd better look at the proxying in Apache.
Bircoph Developer
Joined: 27 Jun 2008 Posts: 261 Location: Moscow
Posted: Wed Jan 13, 2010 3:14 am
This may also be done via l7-filter. Of course, header analysis will be more expensive than ordinary iptables rules.
_________________
Per aspera ad astra!
tftd n00b
Joined: 27 May 2010 Posts: 1
Posted: Thu May 27, 2010 4:28 pm Post subject: Re: iptables redirect domain
selig wrote:
    Hello, I would like to redirect specific domains from one server (IP) to another using iptables.
    Will something like this work?
    Code:
    iptables -t nat -A PREROUTING -d $DOMAIN_NAME -j DNAT --to-destination $SERVER2_IP
    iptables -t nat -A POSTROUTING -j MASQUERADE
Hey
This will work:
Code:
#!/bin/sh
internet='ppp0'                 # or the interface on which you see the network
source="0.0.0.0/0.0.0.0"        # this will redirect everybody to that port; if you want you may specify only one IP address or an IP range
domain="redirect.mydomain.com"  # the domain/subdomain that will be redirected (iptables resolves it once, when the rule is loaded)
sourcePort="22"                 # the port which you'll redirect
toDestination="192.168.0.2"     # where to redirect to
destinationPort="22"            # on which port to redirect
iptables -t mangle -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $internet --source $source -d $domain --destination-port $sourcePort -j DNAT --to-destination $toDestination:$destinationPort
I think that if you remove "--destination-port" and set "--to-destination" only to an IP address it might work. I haven't tested it though.
At home I only need a couple of ports being redirected.
You might need to experiment a bit or even compile a new kernel to get that code working. That line is working on my server - slackware 12.2, iptables v1.4.2, Linux whitestar 2.6.32.8.
Hope this helps somebody
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Fri May 28, 2010 1:55 am Post subject: Re: iptables redirect domain
tftd wrote:
    This will work:
    Hope this helps somebody

Setting aside that you woke up a thread that was dormant for more than four months, your proposed solution does not work because the proposed problem cannot be solved purely in iptables. The commands you gave will execute successfully, but will not achieve the goal specified by the original poster. His request was to have two or more DNS A records that point to the same IP address and to have iptables treat the incoming connection differently depending upon which A record was used to find the server's address. This is impossible because TCP/IP does not provide a way for the client to specify what DNS A record (if any) it used to find the server. Higher level protocols, such as HTTP, allow clients to pass along this information, but iptables must make a decision long before the higher level protocol has sent that information. Thus, the vhost approach that he indicated he would pursue is necessary, since that decision can be deferred until the HTTP transaction has sent which hostname was used.