Iptables question: Will this work?

lucktsm · 07-04-2005, 09:05 PM

Hi all,

I have a question and I have tried doing some research already, but I am stuck.

I have 2 webservers that host seperate domains. I want to use the primary webserver's iptables to forward to the secondary web server if the destination is the secondary domain.

Is this possible? Can Iptables do this?

Thanks,
Luck

michaelsanford · 07-05-2005, 12:36 AM

What's your network setup ? Is the primary web server directly connected to the internet (as a gateway) or do you have other devices doing gateway/routing ?

lucktsm · 07-05-2005, 12:45 AM

Both machines are behind a firewall and are in a DMZ. The firewall forwards all port 80 requests to the primary. The primary is running a iptables to block my blacklist.

I am hoping I can make the primary forward secondary domain requests to the secondary machine...

michaelsanford · 07-05-2005, 12:59 AM

How much work do you want to put into this ?

I ask becasue with iptables itself it'll be nearly impossible to do, AFAIK, because iptables won't be able to decompose the packet and determine which host name it's for; iptables only knows about IP (and MAC) addresses to identify hosts. So when you get hit on port 80 iptables will only know that there is an incoming connection from some host on the internet for that computer, not what the original URL string was.

What you could consider doing is set up SQUID or some other software to proxy the incoming connection for you; that way you could get it to redirect the connection to the appropriate server.

The best way to go about it, though, would be to make the routing decision at the router itself. Having each connection go the the PWS and then have IT forward to the SWS is inefficient.

Now, a possible workaround: why is the other site on a different server? Is it feasible in your setup to have the files mounted from the secondary server to the primary via NFS and then just change the httpd.conf to add a virtual host ?

Nathanael · 07-05-2005, 04:18 AM

you could run both websites on one server and let apache do the the decision bit of this job... pointing the websites doc-root to /var/www/website1 and /var/www/website2

michaelsanford · 07-05-2005, 09:38 AM

Yeah that's definitely the better way of doign it but there may be a (good) reason they're split across two machines.

Nathanael · 07-05-2005, 11:01 AM

it might be the only way of doing it!
have a look at this scenario:
your adsl modem's ip: 10.0.3.3
your dns records:
blah.example.com -> 10.0.3.3
foo.example.com -> 10.0.3.3

iptables will only be able to filter according to ip's, it will not look where somebody might want to connect to, and is not able to, since this info is in the header data a browser sends to the your server.
iptables will only do following:
incomming (packet - these things are pretty tiny) from x.x.x.x to 10.0.3.3 source port: 35682 desp port:80
what should i do with traffic to 10.0.3.3:80 - i send it to this server here - regardless...

and if you really have to have your data on different servers... smbmount, and that sounds really messy for a webserver setup.

lucktsm · 07-06-2005, 03:22 PM

Thanks for the input folks I really appreciate it.

My thinking about using seperate machines is that one of them is more secure than the other. Simply by the content of the sites and the fact that one will be more open to the world while one is pretty tight.

I have decided to make a router change and do the domain processing at the router. It is the most efficient way.

Thanks again!

Luck