Re: [gentoo-user] OT: iptables w/ 2 web servers

2009-09-23 Thread Stroller


On 23 Sep 2009, at 22:35, James wrote:

...
I have one static IP
... Could someone post
some simple iptable examples of how to route 2 different
web server traffic streams to 2 different machines?

Both are inside the same DMZ, 2 different machines
with different (NAT) IP addresses.


Can't be done.

Inherently, a client requesting a webpage looks up the IP address for
bigbreastedmommas.com, finds it's 24.73.161.102 (or whatever) and sends
an http request to port 80 of that IP.


There is no way for IPtables to distinguish between an http request to  
bigbreastedmommas.com at 24.73.161.102 and an http request to  
bouncyboobs.com at 24.73.161.102, assuming both are on port 80.


I would LOVE to be proved wrong on this, because it would be immensely  
useful for NATted geeks. However an iptables module to do this  
certainly did not exist in the past, and I'm guessing there are  
protocol-specific reasons why it can't be done.


What you can do is forward port 80 to one machine and have that proxy  
to the other when necessary. Or have it redirect to the other, which  
listens on port 81.


Stroller.




Re: [gentoo-user] OT: iptables w/ 2 web servers

2009-09-23 Thread kashani

James wrote:

Hello,

I have one static IP with DNS (primary and secondary)
performed by my isp. I'm setting up a second web server
with a different domain name. It is setup already by the ISP
for DNS. Could someone post
some simple iptable examples of how to route 2 different
web server traffic streams to 2 different machines?

Both are inside the same DMZ, 2 different machines
with different (NAT) IP addresses.

Right now, all port 80 traffic is auto forwarded to
a single NAT address on the firewall. Simple. Now I have 
to figure out how to forward different web traffic streams 
to 2 different NAT ip addresses, each on a different ip 
address and a different machine.


I do not want to put the sites on the same machine, for a variety
of reasons, beside one machine moves in a few months to a 
different physical location (and network numbers).
 
Suggestions or a good book for example would be keen.

I use raw IPtables/netfilter on the firewall. All servers
are gentoo.


	I'm not sure it's possible via firewall rules because they are 
operating at the IP level and you'd really need to be doing deep looks 
into the packets to read the http request headers in order to figure out 
which server should be getting the connection.
	The simplest solution is to run a reverse proxy on your firewall that 
actually accepts the http connection, reads the http request, and then 
forwards it on to the correct web server. You can do this in apache via 
ProxyPass, Squid which is your most powerful and flexible option, nginx, 
lighttpd, or Varnish.
	There are some security concerns with this type of setup, i.e. running 
daemons open to the public on your firewall, reverse proxies need to be 
locked down, hard to do IP based restrictions on the webserver, etc.


kashani
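Both replies above come down to the same mechanism: the split has to happen on the first application-layer bytes of the connection, where the HTTP Host header lives, not on the IP/port tuple that iptables sees. The following is an added example, not code from either poster or from the gentoo-user thread: a minimal Host-header reverse proxy in Python that shows what Apache's ProxyPass, nginx, Squid or Varnish do for you once iptables has DNATed port 80 to the firewall's own listener. The hostnames, RFC 1918 backend addresses and ports are made-up assumptions. It also handles the edge case behind Stroller's "protocol-specific reasons": an HTTP/1.0 request with no Host header carries nothing to route on, so it can only fall to a default backend, and it shows Stroller's second option of redirecting one site to a host listening on port 81.

```python
"""Host-header reverse proxy: does at layer 7 what iptables cannot do at layer 3/4.
Added example for the thread above, not the posters' code; hosts and backends are assumptions."""
import socket
import threading

# Constructed routing table: virtual host -> ("proxy", (backend_ip, port))
# or ("redirect", base_url).  The backends stand in for the two NATted DMZ servers.
ROUTES = {
    "example-one.test": ("proxy", ("192.168.10.11", 80)),
    "example-two.test": ("proxy", ("192.168.10.12", 80)),
    # Stroller's second option: send the client to the other box on port 81.
    "example-three.test": ("redirect", "http://example-three.test:81"),
}
DEFAULT_ROUTE = ("proxy", ("192.168.10.11", 80))  # HTTP/1.0 without Host lands here
REJECT_ROUTE = ("reject", None)                   # unknown Host is refused, not guessed
MAX_HEAD = 8192


def parse_host(head: bytes):
    """Return the Host header value, lower-cased with the port stripped, or None."""
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().lower().decode("ascii", "replace")
            if host.startswith("["):                # IPv6 literal, e.g. [::1]:80
                return host.split("]")[0] + "]"
            return host.split(":")[0]
    return None


def request_target(head: bytes) -> str:
    """Path part of the request line, used to build a redirect Location."""
    parts = head.split(b"\r\n", 1)[0].split()
    return parts[1].decode("ascii", "replace") if len(parts) >= 2 else "/"


def pick_route(head: bytes):
    """Decide where a request goes from its head alone."""
    host = parse_host(head)
    if host is None:
        return DEFAULT_ROUTE
    return ROUTES.get(host, REJECT_ROUTE)


def read_head(conn: socket.socket) -> bytes:
    """Read up to the end of the headers; refuse oversized heads."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
        if len(buf) > MAX_HEAD:
            raise ValueError("request head too large")
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    with client:
        client.settimeout(30)
        try:
            head = read_head(client)
        except (ValueError, OSError):
            client.sendall(b"HTTP/1.1 431 Request Header Fields Too Large\r\n"
                           b"Connection: close\r\nContent-Length: 0\r\n\r\n")
            return
        kind, target = pick_route(head)
        if kind == "redirect":
            location = (target + request_target(head)).encode("ascii", "replace")
            client.sendall(b"HTTP/1.1 302 Found\r\nLocation: " + location +
                           b"\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
            return
        if kind == "reject":
            client.sendall(b"HTTP/1.1 421 Misdirected Request\r\n"
                           b"Connection: close\r\nContent-Length: 0\r\n\r\n")
            return
        with socket.create_connection(target, timeout=10) as upstream:
            upstream.sendall(head)  # replay the bytes already consumed from the client
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()


def serve(bind=("0.0.0.0", 8080)) -> None:
    """Listen on the firewall; iptables only has to DNAT port 80 to this socket."""
    with socket.create_server(bind) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The point to take from it is in pick_route: the decision needs the request line and headers, which is why a netfilter rule keyed on destination IP and port can't make it. The same split, with an unknown Host rejected rather than defaulted, is what you would configure as name-based virtual hosts in the proxies kashani lists; this toy lacks their hardening (request limits, header rewriting, logging), which is the "reverse proxies need to be locked down" caveat.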



[gentoo-user] OT: iptables w/ 2 web servers

2009-09-23 Thread James
Hello,


I have one static IP with DNS (primary and secondary)
performed by my isp. I'm setting up a second web server
with a different domain name. It is setup already by the ISP
for DNS. Could someone post
some simple iptable examples of how to route 2 different
web server traffic streams to 2 different machines?

Both are inside the same DMZ, 2 different machines
with different (NAT) IP addresses.


Right now, all port 80 traffic is auto forwarded to
a single NAT address on the firewall. Simple. Now I have 
to figure out how to forward different web traffic streams 
to 2 different NAT ip addresses, each on a different ip 
address and a different machine.


I do not want to put the sites on the same machine, for a variety
of reasons, beside one machine moves in a few months to a 
different physical location (and network numbers).


Suggestions or a good book for example would be keen.
I use raw IPtables/netfilter on the firewall. All servers
are gentoo.


James