LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
07-04-2005, 09:05 PM   #1
lucktsm
Iptables question: Will this work?


Hi all,

I have a question and I have tried doing some research already, but I am stuck.

I have 2 webservers that host separate domains. I want to use the primary webserver's iptables to forward to the secondary web server if the destination is the secondary domain.

Is this possible? Can Iptables do this?

Thanks,
Luck
 
07-05-2005, 12:36 AM   #2
michaelsanford
What's your network setup ? Is the primary web server directly connected to the internet (as a gateway) or do you have other devices doing gateway/routing ?
 
07-05-2005, 12:45 AM   #3
lucktsm
Both machines are behind a firewall and are in a DMZ. The firewall forwards all port 80 requests to the primary. The primary is running iptables to block my blacklist.

I am hoping I can make the primary forward secondary domain requests to the secondary machine...
 
07-05-2005, 12:59 AM   #4
michaelsanford
How much work do you want to put into this ?

I ask because with iptables itself it'll be nearly impossible to do, AFAIK, because iptables won't be able to decompose the packet and determine which host name it's for; iptables only knows about IP (and MAC) addresses to identify hosts. So when you get hit on port 80 iptables will only know that there is an incoming connection from some host on the internet for that computer, not what the original URL string was.

What you could consider doing is set up SQUID or some other software to proxy the incoming connection for you; that way you could get it to redirect the connection to the appropriate server.

The best way to go about it, though, would be to make the routing decision at the router itself. Having each connection go to the PWS and then have IT forward to the SWS is inefficient.

Now, a possible workaround: why is the other site on a different server? Is it feasible in your setup to have the files mounted from the secondary server to the primary via NFS and then just change the httpd.conf to add a virtual host ?
 
07-05-2005, 04:18 AM   #5
Nathanael
you could run both websites on one server and let apache do the decision bit of this job... pointing the websites' doc-root to /var/www/website1 and /var/www/website2
 
07-05-2005, 09:38 AM   #6
michaelsanford
Yeah, that's definitely the better way of doing it, but there may be a (good) reason they're split across two machines.
 
07-05-2005, 11:01 AM   #7
Nathanael
it might be the only way of doing it!
have a look at this scenario:
your adsl modem's ip: 10.0.3.3
your dns records:
blah.example.com -> 10.0.3.3
foo.example.com -> 10.0.3.3

iptables will only be able to filter according to IPs; it will not look where somebody might want to connect to, and is not able to, since this info is in the header data a browser sends to your server.
iptables will only do the following:
incoming (packet - these things are pretty tiny) from x.x.x.x to 10.0.3.3 source port: 35682 dest port: 80
what should i do with traffic to 10.0.3.3:80 - i send it to this server here - regardless...

and if you really have to have your data on different servers... smbmount, and that sounds really messy for a webserver setup.
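The point made in #4 and #7, as an added example that is not from the thread: a packet filter decides on the IP/TCP 5-tuple, which is identical for both sites, while the domain only exists in the HTTP Host header inside the TCP payload, which is what a proxy or the web server's virtual hosts read. The host names follow the scenario above; the client addresses and the internal backend addresses (10.0.3.10, 10.0.3.11) are constructed for this example, and the parser deliberately refuses ambiguous requests such as a duplicated Host header rather than guessing.

```python
"""
Added example, not from the thread: why a packet filter keyed on IP addresses
and ports cannot route by domain, and what a layer-7 front end (a proxy or the
web server's own virtual hosts) does instead. Host names follow the scenario
in the thread; client and backend addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """First TCP segment of an HTTP request, as it arrives on port 80."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # TCP payload: the HTTP request head


PUBLIC_IP = "10.0.3.3"   # the address both DNS records point at (from the thread)
PRIMARY = "10.0.3.10"    # constructed address of the primary web server
SECONDARY = "10.0.3.11"  # constructed address of the secondary web server
VHOSTS = {"blah.example.com": PRIMARY, "foo.example.com": SECONDARY}


def l4_view(pkt: Packet) -> Tuple[str, int, str, int]:
    """Everything a packet filter like iptables keys on: addresses and ports."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def l4_forward(pkt: Packet) -> Optional[str]:
    """A port-80 forwarding rule: one fixed target per (dst_ip, dst_port);
    the domain cannot influence the choice. None means no rule matched."""
    return PRIMARY if (pkt.dst_ip, pkt.dst_port) == (PUBLIC_IP, 80) else None


def extract_host(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request head, lowercased and
    without a :port suffix, or None if the request has no Host header.
    Raises ValueError for malformed or ambiguous (duplicate Host) requests."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("bad request line")
    host: Optional[bytes] = None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject empty names and whitespace before the colon ("Host : x").
        if not colon or not name or name[-1:] in b" \t":
            raise ValueError("bad header line")
        if name.lower() == b"host":
            if host is not None:
                raise ValueError("duplicate Host header")
            host = value.strip()
    if host is None:
        return None
    try:
        text = host.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII Host header")
    if not text.startswith("[") and ":" in text:  # strip :port (not for [IPv6])
        text = text.split(":", 1)[0]
    text = text.lower().rstrip(".")
    if not text:
        raise ValueError("empty Host header")
    return text


def l7_forward(pkt: Packet) -> Optional[str]:
    """Choose the backend by domain. HTTP/1.0 requests without Host go to the
    primary; unknown domains go to the primary; malformed requests are refused."""
    try:
        host = extract_host(pkt.payload)
    except ValueError:
        return None
    if host is None:
        return PRIMARY
    return VHOSTS.get(host, PRIMARY)


# Constructed sample traffic: every request hits the same public address and
# port; only the Host header inside the payload differs.
REQ_BLAH = Packet("198.51.100.7", 35682, PUBLIC_IP, 80,
                  b"GET /index.html HTTP/1.1\r\nHost: blah.example.com\r\n\r\n")
REQ_FOO = Packet("203.0.113.9", 40001, PUBLIC_IP, 80,
                 b"GET / HTTP/1.1\r\nHost: FOO.example.com:80\r\nUser-Agent: x\r\n\r\n")
REQ_OLD = Packet("203.0.113.9", 40002, PUBLIC_IP, 80, b"GET / HTTP/1.0\r\n\r\n")
REQ_DUP = Packet("203.0.113.9", 40003, PUBLIC_IP, 80,
                 b"GET / HTTP/1.1\r\nHost: blah.example.com\r\nHost: foo.example.com\r\n\r\n")

if __name__ == "__main__":
    for pkt in (REQ_BLAH, REQ_FOO, REQ_OLD, REQ_DUP):
        print(l4_view(pkt)[2:], "iptables ->", l4_forward(pkt),
              "| by Host ->", l7_forward(pkt))
```

Run as a script it prints the same (10.0.3.3, 80) pair and the same target for every request on the packet-filter side, while the Host-based side splits them across the two servers, falls back for the HTTP/1.0 request and refuses the duplicate-Host one.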
 
07-06-2005, 03:22 PM   #8
lucktsm
Thanks for the input, folks. I really appreciate it.

My thinking about using separate machines is that one of them is more secure than the other. Simply by the content of the sites and the fact that one will be more open to the world while one is pretty tight.

I have decided to make a router change and do the domain processing at the router. It is the most efficient way.

Thanks again!

Luck
 
  


All times are GMT -5. The time now is 12:50 PM.
