[PLUG] servicing a domain from behind a firewall

Paul Heinlein heinlein at attbi.com
Tue Jul 30 15:10:11 UTC 2002


On Tue, 30 Jul 2002, Josh Orchard wrote:

> That sounds good, but won't all traffic to the 123.45.67.89 IP then
> get forwarded to the internal machine?  I have two domains and
> would like one resolved on 123.45.67.89 and the other sent to
> 10.0.0.13.
>
> That is:
> 
> domain1.com is seen from the world to go to 123.45.67.89 and that
> linux box will handle all the requests for any services.  This
> machine is also the firewall and does NAT for the internal network.
>
> domain2.com is also seen by the world as being 123.45.67.89, but
> any request to this domain should be forwarded to 10.0.0.13.
>
> Is that still possible with iptables?

No.

In fact, it's pretty much impossible with any IP traffic except for
web stuff. HTTP 1.1 specifies that a hostname is to be passed to the
server (making name-based virtual servers possible) in the HTTP
headers, but otherwise TCP/UDP traffic shows up at a given IP address
without any care for the name that got it there.

For example, if 123.45.67.89, host.example.com, and cname.example.com
all point to the same box, then the packets from these commands will
all look identical when they reach the server:

  ftp 123.45.67.89
  ftp host.example.com
  ftp cname.example.com

AFAIK, there's absolutely no way to distinguish between them.

Unless I'm missing something, the only way to accomplish your goal is
to get another real-world IP address and point your second domain name
at it.

--Paul Heinlein <heinlein at attbi.com>
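The distinction Paul draws above, as an added example that is not code from the thread: an HTTP/1.1 request carries a Host header the firewall box could route on, while an FTP session to the same address carries no name at all. The domain-to-backend mapping (127.0.0.1 for domain1.com, 10.0.0.13 for domain2.com) is a hypothetical illustration of the setup Josh described.

```python
# Added example: name-based routing is only possible where the protocol
# itself carries the hostname (HTTP/1.1 Host header).  The backend mapping
# below is hypothetical, built from the addresses mentioned in the thread.
BACKENDS = {
    "domain1.com": "127.0.0.1",   # served on the firewall box itself
    "domain2.com": "10.0.0.13",   # forwarded to the internal host
}


def host_header(raw: bytes):
    """Return the Host header value (lower-cased, port stripped) from the
    first bytes of a client connection, or None if the data is not an
    HTTP/1.x request that carries one."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary or non-ASCII traffic: not an HTTP request line
    request_line = lines[0].split(" ")
    # Only HTTP/1.x request lines look like "METHOD target HTTP/1.x".
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None  # HTTP/1.0 without Host, or header simply absent


def choose_backend(raw: bytes):
    """Map a connection's first bytes to a backend address, or None when
    the traffic carries no name to route on (the "No." in the reply)."""
    host = host_header(raw)
    return BACKENDS.get(host) if host else None


if __name__ == "__main__":
    # Constructed sample traffic for three connections to 123.45.67.89.
    samples = {
        "HTTP/1.1 for domain2": b"GET / HTTP/1.1\r\nHost: domain2.com\r\n\r\n",
        "HTTP/1.1 for domain1": b"GET / HTTP/1.1\r\nHost: domain1.com:80\r\n\r\n",
        "HTTP/1.0, no Host":    b"GET / HTTP/1.0\r\n\r\n",
        "FTP session":          b"USER anonymous\r\n",
    }
    for label, data in samples.items():
        print(f"{label}: backend {choose_backend(data)}")
```

Only the two HTTP/1.1 requests resolve to a backend; the HTTP/1.0 request and the FTP session are indistinguishable by name, which is exactly why the firewall cannot split the two domains on one address.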