[plug] name-based port forwarding with iptables

Leon Brooks leon at brooks.fdns.net
Wed Feb 5 22:25:45 WST 2003


On Wednesday 05 February 2003 08:52 pm, John wrote:
> I'm running woody on a 2.4 kernel with iptables setup, and what I want
> to do is port forward based on the NAME of the server that's being
> requested.

> if a packet comes in that's trying to go to abc.org, I want that packet
> to go to one machine on the network.  If a packet comes in that's
> looking for xyz.org, I want it routed to another machine.

Packets don't know *who* they're headed for, they only have a to and a from 
address and a brace of port numbers (if they're UDP or TCP).

You can do name-based hosting at the next major level up, in protocols like 
HTTP (NameVirtualHost in Apache) or SMTP (Virtual Domains in PostFix, 
SendMail, Exim etc), and that for a very limited number of protocols.

However, if you were feeling reckless, you might want to write a plugin for 
iptables that has a look at the calling IP, and correlates that as best it 
can with DNS activity. But that has its pitfalls too.

Let me illustrate; suppose a user (dialled on at 172.17.69.96) visits your 
website. Their browser resolves your name, by asking the ISP's nameserver (at 
172.16.42.1) to do it, so your DNS sees a request from 172.16.42.1. Then the 
browser makes a HTTP request, which is intercepted by the ISP's transproxy 
and re-made from there (172.16.42.7). You see an incoming connection from 
172.16.42.7 immediately after the DNS request from 172.16.42.1, and might 
make reasonable inferences about which website that was aimed at.

Now the user links to an SSL page, which the ISP does not attempt to proxy. 
You have a connection arrive from 172.17.69.96; is it reasonable to infer, 
seeing as it's from a different Class B, that this was the same caller as 
last time? There will be no second DNS hit, since the ISP's DNS will reply to 
the second request from its cache.

Now a second user dials on to the same ISP, and hits a different website at 
your IP. The first user has their modem drop out, re-dials, gets a different 
IP, and re-makes their SSL request. No DNS clues here. Do you serve the 
most-recent domain to both callers?

IRL, HTTP allows you to differentiate at the gateway, and have Apache forward 
the request inside if need be. SSL likewise, as long as you're happy to have 
all sites share the one certificate.

For many other protocols, it's far easier to ask the ISP to route you a small 
subnet, or (pre-empting Trent), apply for an IPv6 subnet, which will give you 
personally more addresses than the entire current Internet to play with, but 
a smaller audience.

Cheers: Leon
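The two halves of Leon's argument, as an added example (this is not code from the original thread): the first part decodes a constructed IPv4/TCP header to show that the only "who" a packet carries is a pair of addresses and a pair of ports, with no server name anywhere; the second part is a minimal name-based HTTP gateway of the kind Apache's NameVirtualHost implements, which reads the Host header (or an absolute-form request target, which HTTP/1.1 says takes precedence) and relays the connection to an internal backend. The route table, the 192.168.1.x backends and the 172.16/203.0.113 addresses in the demo are made-up example values.

```python
"""Name-based forwarding lives above the packet layer: a worked illustration."""
import socket
import struct
import threading
from typing import Optional, Tuple
from urllib.parse import urlsplit

# ---- Part 1: what a packet actually carries ---------------------------------

def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed minimal IPv4 header + TCP SYN header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

def packet_addresses(pkt: bytes) -> dict:
    """Return every addressing field the packet has: two IPs, a protocol, two ports.
    There is no field for the name the client resolved, so iptables cannot match on it."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "proto": pkt[9]}
    if info["proto"] in (6, 17):  # TCP/UDP: ports are the first 4 bytes of L4
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

# ---- Part 2: the name is visible one layer up, in HTTP ----------------------

ROUTES = {  # constructed routing table: host name -> internal backend (example values)
    "abc.org": ("192.168.1.10", 80),
    "xyz.org": ("192.168.1.11", 80),
}

def _strip_port(host: str) -> Optional[str]:
    if host.startswith("["):                      # IPv6 literal such as [::1]:8080
        return host[:host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0] or None

def host_from_request(head: bytes) -> Optional[str]:
    """Name the client asked for, from an HTTP/1.x request head (bytes up to CRLFCRLF)."""
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    # Absolute-form target (GET http://host/ ...) wins over Host per HTTP/1.1.
    if len(parts) >= 2 and parts[1].lower().startswith("http://"):
        name = urlsplit(parts[1]).hostname
        if name:
            return name.lower()
    for line in lines[1:]:
        if not line:                              # end of header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return _strip_port(value.strip().lower())
    return None                                   # HTTP/1.0 client with no Host header

def choose_backend(head: bytes, routes=ROUTES) -> Optional[Tuple[str, int]]:
    """Exact-match lookup; unknown or missing names get no backend (fail closed)."""
    host = host_from_request(head)
    return routes.get(host) if host else None

def read_head(sock: socket.socket, limit: int = 8192) -> bytes:
    """Read until the end of the request head, bounding the buffer to `limit` bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise ValueError("incomplete or oversized request head")
        buf += chunk
    return buf

def _pump(src: socket.socket, dst: socket.socket) -> None:
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def serve(listen_port: int, routes=ROUTES) -> None:
    """Tiny name-based gateway: one listening IP, routed by Host to inside machines."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", listen_port))
    ls.listen()
    while True:
        client, _ = ls.accept()
        try:
            head = read_head(client)
            backend = choose_backend(head, routes)
            if backend is None:
                client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                client.close()
                continue
            upstream = socket.create_connection(backend)
            upstream.sendall(head)                # replay the head we already consumed
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        except (ValueError, OSError):
            client.close()

if __name__ == "__main__":
    print(packet_addresses(build_tcp_syn("172.16.42.7", "203.0.113.5", 40000, 80)))
    print(choose_backend(b"GET / HTTP/1.1\r\nHost: abc.org\r\n\r\n"))
```

Run `serve(8080)` in front of the two backends to try the gateway; `curl -H 'Host: xyz.org' http://gateway:8080/` lands on the second machine while the same TCP 4-tuple with `Host: abc.org` lands on the first, which is exactly the distinction the packet layer cannot make. The same approach works for SSL only if the gateway terminates TLS itself, which is why the post notes that all sites then share one certificate.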


