LinuxQuestions.org
Old 11-02-2006, 05:16 PM   #1
cparker15
Member
 
Registered: Jan 2003
Location: Malden, MA
Distribution: Debian, FreeBSD, gNewSense, Ubuntu, Ututo
Posts: 73

Rep: Reputation: 15
Domain-based Port Forwarding?


I'd like to know if it's possible to forward ports depending on what domain name (actually, subdomain) is being consumed.

Here's an example list of facts:
  • example.com is being hosted remotely in some server farm somewhere. That server is hosting a BIND DNS server, iptables firewall, and an Apache2 Web server. (therefore, www.example.com:80 would show their Web site, hosted on example.com).
  • The client has router.example.com pointing to the IP address of the router at their physical location. router.example.com:80 shows the router's config page.
  • router.example.com:8080 is pointing to port 80 on a local machine being serviced by the router, say 192.168.1.2:80. It has a hostname of "machinea.lan".
  • router.example.com:8081 is pointing to port 80 on a local machine being serviced by the router, say 192.168.1.3:80. It has a hostname of "machineb.lan".
  • The client would like machinea.example.com:80 to point to router.example.com:8080.
  • The client would like machineb.example.com:80 to point to router.example.com:8081.
  • In effect, this would cause machinea.example.com:80 to point to machinea.lan:80 and machineb.example.com:80 to point to machineb.lan:80.

Is something like this possible?

Last edited by cparker15; 11-02-2006 at 05:18 PM.
 
Old 11-03-2006, 12:37 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
not sure i can really get my head around exactly what it is you want to achieve, a diagram would help an awful lot, but essentially you seem to just want a reverse proxy, something apache can very easily do. if you port forward external port 80 to an internal server running apache then requesting various url's with dns records pointing to that one ip can be redirected internally by the apache server to any relative url reachable from the lan. so you can tell apache to serve localcomputer.example.com when someone asks for www.example.com/localcomputer even though localcomputer.example.com is only reachable on a local network by the apache front end instance.

i think that the request to show router.example.com is clouding the situation a little, as that potentially could be globally reachable, but if you're just treating it as any other local box then that's fine. by fine i don't mean it's a *good* idea though... allowing literally global access to the configuration of your main router is a very very dumb thing to do!
 
Old 11-06-2006, 08:14 AM   #3
cparker15
Member
 
Registered: Jan 2003
Location: Malden, MA
Distribution: Debian, FreeBSD, gNewSense, Ubuntu, Ututo
Posts: 73

Original Poster
Rep: Reputation: 15
It seems to me that this would only cover protocols that Apache already supports. Is there a way to do this by combining BIND and iptables? AFAIK, port-forwarding using iptables is only based on IP address, not domain name. Is there a way to get iptables to send a query to BIND (or whatever DNS is installed) when it encounters a domain name instead of IP address? Is there a firewall other than iptables that would accomplish this? I'd be willing to go a non-iptables route if it meant that I could get this working. Even if I could forward these ports based on domain name using a completely different solution, such as SSH, I'd go for it.

A short and simple description of what I need to be able to do:

I need subA.example.com:80 to forward to subC.example.com:8080 and subB.example.com:80 to forward to subC.example.com:8081, regardless of protocol.
 
Old 11-06-2006, 09:04 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
ahh well your detailed examples only covered http stuff, so that was where i went... the reason it's possible within apache is that http requests contain domain names in addition to using the domain name to resolve to an ip address. at a TCP/IP level there is no knowledge whatsoever of a domain name. it just doesn't exist, it's ip address to ip address. you *must* work at application level, and have an application protocol that supports this sort of thing, e.g. HTTP, FTP etc... other uses of domain names cease to exist once the ip packet is created on the client machine. it's just pure ip from then on.
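
Added example, not part of any poster's reply: a Python sketch of the routing decision a name-based front end makes on the first bytes of a connection, showing that an HTTP request carries a hostname to route on while another protocol's opening bytes do not. The hostnames and LAN addresses are the ones from post #1; `BACKENDS`, `extract_host`, `pick_backend` and the sample byte strings are constructed for illustration.

```python
# Allowlist of public names -> LAN backends (values taken from post #1).
# Names not listed are refused, so router.example.com is never proxied.
BACKENDS = {
    "machinea.example.com": ("192.168.1.2", 80),
    "machineb.example.com": ("192.168.1.3", 80),
}

# Constructed sample inputs: the first bytes a front end would read.
REQ_A = b"GET / HTTP/1.1\r\nHost: machinea.example.com\r\n\r\n"
REQ_B = b"GET /x HTTP/1.1\r\nHost: MachineB.example.com:80\r\n\r\n"
REQ_ROUTER = b"GET / HTTP/1.1\r\nHost: router.example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"  # non-HTTP: no hostname in the stream


def extract_host(first_bytes):
    """Return the normalised Host header of an HTTP/1.x request, or None."""
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block: not HTTP (or truncated)
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    hosts = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:
        return None  # missing or duplicated Host is ambiguous: refuse
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if host.count(":") == 1:  # "name:port" (IPv6 literals not handled)
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def pick_backend(first_bytes):
    """Map a connection's first bytes to a (ip, port) backend, or None."""
    return BACKENDS.get(extract_host(first_bytes))


if __name__ == "__main__":
    for sample in (REQ_A, REQ_B, REQ_ROUTER, SSH_BANNER):
        print(sample[:30], "->", pick_backend(sample))
```
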
 
Old 05-26-2007, 07:03 PM   #5
UhhMaybe
Member
 
Registered: Jul 2004
Location: Salt Lake City, Utah
Distribution: Absolute 12.0 Studio 64 1.3.0
Posts: 470

Rep: Reputation: 30
Linux distros with specialized security-related offerings are available. Try the home pages for "SmoothWall", "Gibraltar", and "IPCop". There are more. Good luck.
 
Old 05-27-2007, 01:59 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
please don't drag up old threads.
 
  

