On Tue, 16 Sep 2003, Master_PE wrote:

> Is it possible with iptables to filter on a DNS name, not an IP
> address? What I have is x hosts / domain names and 1 IP address.
>
> Let's take an example.
>
> Host                  IP address
> Host.example1.com     192.168.1.2
> Host.example2.com     192.168.1.2
>
> And what I want to do is: a packet that is for DNS name
> Host.example1.com is to go to rule 1 and Host.example2.com is to
> go to rule 2.
If this is for Apache, you can simply use the httpd.conf VirtualHost configuration parameter. Otherwise, I'm not sure what you mean -- a packet that is heading for example1 or example2 will have the same destination IP address, so either way it will arrive at your computer's NIC. The firewall rules for that NIC have no way of knowing whether the initial connection was based on connecting to example1 or example2, only that the packet arrived at 192.168.1.2 (in your example above).

In other words, there isn't a way to redirect traffic based on the /original/ DNS name of the request, but since that DNS information is duplicated in an HTTP request (in the Host: header), Apache can use that information to make decisions.

Now, you may be able to work around some of this using iptables' string matching capabilities (/if/ you're worried about redirecting HTTP traffic that has the Host: header to match on, /and/ that Host header is reliably there --or-- you're focusing on some other protocol that also duplicates the DNS name in the packets).

Hope this helps,
-jeff

--
Do you realize how many holes there could be if people would just take the time to take the dirt out of them?
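The name-based VirtualHost setup the reply points to, as an added example that is not part of the original thread. It assumes Apache httpd 2.0/2.2 (the NameVirtualHost directive is unnecessary on 2.4), the two hostnames and the single address 192.168.1.2 from the quoted question, and hypothetical DocumentRoot and log paths.

```apache
# Added example, not from the original post. Both names resolve to the one
# address 192.168.1.2; Apache picks the vhost from the HTTP Host: header,
# which is the only place the requested DNS name survives in the packets.
NameVirtualHost 192.168.1.2:80

# The FIRST VirtualHost for an address:port pair is the default. A request
# that arrives with no Host: header, or with a name matching neither
# ServerName, lands here, so keep this one deliberately minimal.
<VirtualHost 192.168.1.2:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty        # hypothetical: an empty directory
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
    ErrorLog /var/log/apache2/default-error.log
    CustomLog /var/log/apache2/default-access.log combined
</VirtualHost>

# "rule 1": requests whose Host: header is host.example1.com
<VirtualHost 192.168.1.2:80>
    ServerName host.example1.com
    DocumentRoot /var/www/example1     # hypothetical path
    ErrorLog /var/log/apache2/example1-error.log
    CustomLog /var/log/apache2/example1-access.log combined
</VirtualHost>

# "rule 2": requests whose Host: header is host.example2.com
<VirtualHost 192.168.1.2:80>
    ServerName host.example2.com
    DocumentRoot /var/www/example2     # hypothetical path
    ErrorLog /var/log/apache2/example2-error.log
    CustomLog /var/log/apache2/example2-access.log combined
</VirtualHost>
```

Checking which vhost a given Host: value selects is easiest with `apachectl -S`, which prints the parsed name-based vhost table and marks the default.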

