
Re: Iptables vhost



On Tue, 16 Sep 2003, Master_PE wrote:

> Is it possible with iptables to filter on a DNS name, not an IP
> address? What I have is x hosts / domain names and 1 IP address.
>
> Let's take an example.
>
> Host              IP address
> Host.example1.com 192.168.1.2
> Host.example2.com 192.168.1.2
>
> And what I want to do is: a packet that is for DNS name
> Host.example1.com is to go to rule 1, and Host.example2.com is to
> go to rule 2.

If this is for Apache, you can simply use the httpd.conf
VirtualHost configuration parameter. Otherwise, I'm not sure what
you mean -- a packet that is heading for example1 or example2 will
have the same destination IP address, so either way it will arrive
at your computer's NIC. The firewall rules for that NIC have no way
of knowing whether the initial connection was based on connecting
to example1 or example2, only that the packet arrived at
192.168.1.2 (in your example above).

In other words, there isn't a way to redirect traffic based on the
/original/ DNS name of the request, but since that DNS information
is duplicated in an HTTP request (in the Host: header), Apache can
use that information to make decisions.

Now, you may be able to work around some of this using iptables'
string matching capabilities (/if/ you're worried about
redirecting HTTP traffic that has the Host: header to match on,
/and/ that Host header is reliably there --or-- you're focusing
on some other protocol that also duplicates the DNS name in the
packets).

Hope this helps,
-jeff
-- 
Do you realize how many holes there could be
if people would just take the time to take the dirt out of them?
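The following Python sketch is an added illustration of the point made in the reply above; it is not code from the thread or from Apache. It models the poster's two names sharing one address (192.168.1.2) and dispatches on the HTTP Host: header, the way name-based VirtualHost configuration does. The vhost table, the "rule 1"/"rule 2" labels and the sample requests are constructed for the example; the fallback for a request with no Host: header (an HTTP/1.0 client) shows why the "Host header is reliably there" caveat matters.

```python
from typing import Dict, Tuple

# Constructed sample: two DNS names, one IP address, one "rule" per name.
# A packet filter only sees the destination address, which is identical
# for both names; the name itself survives only inside the HTTP request.
VHOSTS: Dict[str, str] = {
    "host.example1.com": "rule 1",
    "host.example2.com": "rule 2",
}
DEFAULT_RULE = "rule 1"   # like Apache: the first vhost is the default


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (request line, headers).

    Header names are case-insensitive, so keys are stored lowercased.
    Only the head (up to the blank line) is examined; any body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def host_name(host_value: str) -> str:
    """Return the bare name from a Host: value, dropping an optional :port."""
    if host_value.startswith("["):            # IPv6 literal, e.g. [::1]:80
        return host_value[: host_value.index("]") + 1].lower()
    return host_value.split(":", 1)[0].lower()


def select_rule(raw: bytes, dst_ip: str) -> Tuple[str, str]:
    """Return (reason, rule) for one request.

    dst_ip stands in for what an IP-layer filter sees. It is the same for
    both names in the table, so it can never decide between them; the
    decision has to come from the Host: header, when one is present.
    """
    _request_line, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        # HTTP/1.0 clients may send no Host: header at all. With only the
        # destination address to go on, nothing can tell the names apart,
        # so the request lands on the default vhost.
        return ("no Host header, dst %s" % dst_ip, DEFAULT_RULE)
    name = host_name(host)
    rule = VHOSTS.get(name)
    if rule is None:
        return ("unknown host %s, dst %s" % (name, dst_ip), DEFAULT_RULE)
    return ("Host %s, dst %s" % (name, dst_ip), rule)


# Constructed sample requests, all arriving at the same address.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: Host.example1.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: host.example2.com:80\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",                      # no Host: header
    b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        reason, rule = select_rule(req, "192.168.1.2")
        print("%-45s -> %s" % (reason, rule))
```

The same dispatch is what the reply means by "Apache can use that information": the address distinguishes nothing, the header does, and only when the client sends it. Any packet-level string match on the Host: header inherits the same limitation, plus the usual caveats of matching inside TCP payloads.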
