[PLUG] servicing a domain from behind a firewall
Paul Heinlein
heinlein at attbi.com
Tue Jul 30 15:10:11 UTC 2002
On Tue, 30 Jul 2002, Josh Orchard wrote:
> That sounds good but won't all traffic then to the 123.45.67.89 ip
> then get forwarded to the internal machine? I have two domains and
> would like one resolved on 123.45.67.89 and the other sent to
> 10.0.0.13.
>
> That is:
>
> domain1.com is seen from the world to go to 123.45.67.89 and that
> linux box will handle all the requests for any services. This
> machine is also the firewall and does NAT for the internal network.
>
> domain2.com is also seen by the world as being 123.45.67.89, but
> any request to this domain should be forwarded to 10.0.0.13.
>
> Is that still possible with iptables?
No.
In fact, it's pretty much impossible with any IP traffic except for
web stuff. HTTP 1.1 specifies that a hostname is to be passed to the
server (making name-based virtual servers possible) in the http
headers, but otherwise TCP/UDP traffic shows up at a given IP address
without any care for the name that got them there.
For example, if 123.45.67.89, host.example.com, and cname.example.com
all point to the same box, then the packets from these commands will
all look identical when they reach the server:
    ftp 123.45.67.89
    ftp host.example.com
    ftp cname.example.com
AFAIK, there's absolutely no way to distinguish between them.
Unless I'm missing something, the only way to accomplish your goal is
to get another real-world IP address and point your second domain name
at it.
--Paul Heinlein <heinlein at attbi.com>
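Added illustration of the point made above (not from Paul's message or the PLUG list): a minimal Python router that reads the HTTP/1.1 Host header and picks a backend by name, and comes up empty for an HTTP/1.0 request or an FTP session because no hostname is carried. The routing table, backend addresses and sample traffic are constructed for the example.

```python
# Constructed routing table (hypothetical): public name -> internal backend.
ROUTES = {
    "domain1.com": ("127.0.0.1", 80),  # handled by the firewall box itself
    "domain2.com": ("10.0.0.13", 80),  # forwarded to the internal machine
}


def http_host(request: bytes):
    """Return the Host header (lowercased, port stripped) or None.

    None means the bytes carry no usable name: either they are not an
    HTTP request at all (an FTP session, say) or the Host header is
    missing, which HTTP/1.1 forbids and a server should answer with 400.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # no HTTP request line, so no hostname to read
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):  # IPv6 literal: [addr]:port
                return host[: host.index("]") + 1] if "]" in host else host
            return host.split(":", 1)[0]  # drop an optional :port
    return None


def select_backend(request: bytes):
    """Return (ip, port) for the name the client asked for, else None."""
    host = http_host(request)
    return ROUTES.get(host) if host else None


# Constructed sample traffic, as the firewall would see it on port 80/21.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: domain2.com:80\r\n\r\n"
HTTP10_REQ = b"GET / HTTP/1.0\r\n\r\n"              # HTTP/1.0: no Host header
FTP_SESSION = b"USER anonymous\r\nPASS guest@\r\n"  # no hostname anywhere

if __name__ == "__main__":
    print(select_backend(HTTP_REQ))     # ('10.0.0.13', 80)
    print(select_backend(HTTP10_REQ))   # None
    print(select_backend(FTP_SESSION))  # None
```

Only the HTTP request can be steered to 10.0.0.13 by name; the other two leave the firewall with nothing but the destination IP and port to go on.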