public inbox for gentoo-user@lists.gentoo.org
From: kashani <kashani-list@badapple.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  OT: iptables w/ 2 web servers
Date: Wed, 23 Sep 2009 14:49:26 -0700
Message-ID: <4ABA97E6.2070505@badapple.net>
In-Reply-To: <loom.20090923T232252-112@post.gmane.org>

James wrote:
> Hello,
> 
> I have one static  IP with DNS (primary and secondary)
> performed by my isp. I'm setting up a second web server
> with a different domain name. It is setup already by the ISP
> for DNS. Could someone post
> some simple iptable examples of how to route 2 different
> web server traffic streams to 2 different machines?
> 
> Both are inside the same DMZ....2 different machines
> with different (NAT) IP addresses.
> 
> Right now, all port 80 traffic is auto forwarded to
> a single NAT address on the firewall. Simple. Now I have 
> to figure out how to  forward different web traffic streams 
> to 2 different NAT ip addresses, each on a different ip 
> address and a different machine.
> 
> I do not want to put the sites on the same machine, for a variety
> of reasons, beside one machine moves in a few months to a 
> different physical location (and network numbers).
>  
> Suggestions or a good book for example would be keen.
> I use raw IPtables/netfilter on the firewall. All servers
> are gentoo.

	I'm not sure it's possible via firewall rules because they are 
operating at the IP level and you'd really need to be doing deep looks 
into the packets to read the http request headers in order to figure out 
which server should be getting the connection.
	The simplest solution is to run a reverse proxy on your firewall that 
actually accepts the http connection, reads the http request, and then 
forwards it on to the correct web server. You can do this in apache via 
ProxyPass, Squid, which is your most powerful and flexible option, nginx, 
lighttpd, or Varnish.
	There are some security concerns with this type of setup, i.e. running 
daemons open to the public on your firewall, reverse proxies need to be 
locked down, hard to do IP based restrictions on the webserver, etc.

kashani
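The routing decision kashani describes, as an added example that is not part of the thread: a proxy on the firewall has to read the HTTP request head and pick the internal server from the Host header, which is exactly what netfilter cannot do at the IP layer. The hostnames and the two NAT backend addresses below are made up, the request bytes are constructed for the demo, and the code models only the decision and header rewrite, not the socket handling of a real proxy. It also shows two of the lock-down points from the reply: an unknown or missing Host is refused instead of being sent to a default backend, and the client address is recorded in X-Forwarded-For (after discarding any spoofable copy the client sent) so the web servers can still apply IP-based restrictions.

```python
"""Host-header routing for a reverse proxy on the firewall (added example).

Hypothetical values: the vhost names and 10.0.1.x backend addresses are
assumptions for the demo, not from the mailing-list thread.
"""
from __future__ import annotations

# Assumed mapping: public virtual host -> internal (NAT) web server.
BACKENDS = {
    "www.example.org": ("10.0.1.10", 80),
    "www.example.net": ("10.0.1.20", 80),
}


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request.

    Returns (method, target, headers) with header names lower-cased.
    Raises ValueError on malformed input or a duplicated Host header
    (a classic request-smuggling signal, so it is refused outright).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        if key in headers:
            if key == "host":
                raise ValueError("duplicate Host header")
            headers[key] = headers[key] + ", " + value.strip()
        else:
            headers[key] = value.strip()
    return method, target, headers


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and an optional :port; IPv6 literals are not served."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):
        return ""
    host, _, _port = host.partition(":")
    return host


def choose_backend(raw: bytes, client_ip: str) -> tuple[tuple[str, int], bytes] | None:
    """Pick the internal server for a request and rewrite its head.

    Returns (backend_addr, rewritten_request), or None when the request must
    be rejected: malformed, no Host (e.g. plain HTTP/1.0), or a Host we do not
    serve. Unknown hosts are denied rather than sent to a default backend so
    the firewall proxy is not an open relay into the DMZ.
    """
    try:
        _method, _target, headers = parse_request_head(raw)
    except ValueError:
        return None
    host = normalize_host(headers.get("host", ""))
    if host not in BACKENDS:
        return None
    # Rebuild the head: drop any client-supplied X-Forwarded-For (spoofable),
    # append our own so the backend sees the real client address.
    head, _, body = raw.partition(b"\r\n\r\n")
    head_lines = head.split(b"\r\n")
    out_lines = [head_lines[0]]
    for line in head_lines[1:]:
        if line.lower().startswith(b"x-forwarded-for:"):
            continue
        out_lines.append(line)
    out_lines.append(b"X-Forwarded-For: " + client_ip.encode("ascii"))
    rewritten = b"\r\n".join(out_lines) + b"\r\n\r\n" + body
    return BACKENDS[host], rewritten


if __name__ == "__main__":
    # Constructed request: port in Host and a forged X-Forwarded-For from the client.
    req = (b"GET /index.html HTTP/1.1\r\nHost: www.example.net:80\r\n"
           b"X-Forwarded-For: 1.2.3.4\r\nUser-Agent: demo\r\n\r\n")
    print(choose_backend(req, "203.0.113.7"))
    print(choose_backend(b"GET / HTTP/1.0\r\n\r\n", "203.0.113.7"))  # no Host: rejected
```

A real deployment would put this logic in nginx, Apache ProxyPass or Squid rather than hand-roll it; the point of the model is that the selector is the Host header, and that the proxy must default-deny, not default-forward, for hosts it does not know.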



Thread overview: 7+ messages
2009-09-23 21:35 [gentoo-user] OT: iptables w/ 2 web servers James
2009-09-23 21:49 ` kashani [this message]
2009-09-24  3:48 ` Stroller
2009-09-24 15:30   ` [gentoo-user] " James
2009-09-24 16:58     ` kashani
2009-09-24 17:58     ` Stroller
2009-09-25 12:40     ` Etaoin Shrdlu
