From: kashani
Date: Wed, 23 Sep 2009 14:49:26 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: iptables w/ 2 web servers
Message-ID: <4ABA97E6.2070505@badapple.net>

James wrote:
> Hello,
>
> I have one static IP with DNS (primary and secondary)
> performed by my ISP. I'm setting up a second web server
> with a different domain name. It is set up already by the ISP
> for DNS. Could someone post
> some simple iptables examples of how to route 2 different
> web server traffic streams to 2 different machines?
>
> Both are inside the same DMZ....2 different machines
> with different (NAT) IP addresses.
>
> Right now, all port 80 traffic is auto-forwarded to
> a single NAT address on the firewall. Simple. Now I have
> to figure out how to forward different web traffic streams
> to 2 different NAT IP addresses, each on a different IP
> address and a different machine.
>
> I do not want to put the sites on the same machine, for a variety
> of reasons, besides one machine moves in a few months to a
> different physical location (and network numbers).
>
> Suggestions or a good book for example would be keen.
> I use raw iptables/netfilter on the firewall. All servers
> are Gentoo.

I'm not sure it's possible via firewall rules because they are operating at the IP level and you'd really need to be doing deep looks into the packets to read the HTTP request headers in order to figure out which server should be getting the connection.

The simplest solution is to run a reverse proxy on your firewall that actually accepts the HTTP connection, reads the HTTP request, and then forwards it on to the correct web server. You can do this in Apache via ProxyPass, Squid (which is your most powerful and flexible option), nginx, lighttpd, or Varnish.

There are some security concerns with this type of setup, i.e. running daemons open to the public on your firewall, reverse proxies need to be locked down, hard to do IP-based restrictions on the webserver, etc.

kashani
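To make the reply's point concrete, here is an added example (it is not kashani's or James's code, nor the list's) of the "deep look into the packet" a firewall rule cannot do and a reverse proxy can: a minimal name-based HTTP reverse proxy in Python that reads each connection's request head, picks the backend from the Host header, and relays the bytes. The site names and backend NAT addresses in BACKENDS are assumed placeholders. It also shows two of the lockdown points kashani raises: requests with no Host header or with a name the proxy does not serve are rejected rather than forwarded, and the real client address is passed on in X-Forwarded-For because the backend otherwise sees only the proxy's IP, which is what makes IP-based restrictions on the web server hard. In production you would let nginx (server_name + proxy_pass) or Apache (VirtualHost + ProxyPass) do this; the script exists only to show the mechanism.

```python
"""Minimal name-based HTTP reverse proxy: reads the Host header of each
request head and relays the connection to the matching backend web server.

This is an illustration, not production code. Site names and backend
addresses are constructed placeholders.
"""
import socket
import socketserver
import threading

# Assumed mapping from advertised site name to the backend's internal (NAT)
# address. Only names listed here are ever forwarded.
BACKENDS = {
    "www.example.org": ("192.168.1.10", 80),
    "www.example.net": ("192.168.1.11", 80),
}
MAX_HEAD = 16 * 1024  # bound on request-head size; anything larger is refused


def parse_host(head: bytes):
    """Return the Host header value, lowercased and without the port, or None."""
    text = head.decode("iso-8859-1")  # never fails; HTTP heads are byte-oriented
    for line in text.split("\r\n")[1:]:  # skip the request line
        if line == "":
            break  # blank line ends the head; do not read into the body
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):  # IPv6 literal: keep the bracketed part only
                return host.split("]")[0] + "]"
            return host.split(":")[0]
    return None


def select_backend(head: bytes):
    """Map the request's Host header to a backend, or None if missing/unknown."""
    host = parse_host(head)
    if host is None:
        return None
    return BACKENDS.get(host)


def add_forwarded_for(head: bytes, client_ip: str) -> bytes:
    """Insert X-Forwarded-For right after the request line so the backend can
    still see the real client. The backend must trust this header only when the
    connection comes from the proxy."""
    extra = b"\r\nX-Forwarded-For: " + client_ip.encode("ascii") + b"\r\n"
    return head.replace(b"\r\n", extra, 1)


def read_head(conn) -> bytes:
    """Read until the end of the request head; returns everything read so far
    (possibly including leading body bytes), or None on EOF or oversized head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) >= MAX_HEAD:
            return None
        chunk = conn.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf


def pipe(src, dst):
    """Copy bytes one way until EOF or error, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _reply(status: bytes) -> bytes:
    return b"HTTP/1.1 " + status + b"\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"


class ProxyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        head = read_head(self.request)
        if head is None:
            self.request.sendall(_reply(b"400 Bad Request"))
            return
        backend = select_backend(head)
        if backend is None:  # no Host header, or a name this proxy does not serve
            self.request.sendall(_reply(b"421 Misdirected Request"))
            return
        try:
            upstream = socket.create_connection(backend, timeout=10)
        except OSError:
            self.request.sendall(_reply(b"502 Bad Gateway"))
            return
        with upstream:
            upstream.sendall(add_forwarded_for(head, self.client_address[0]))
            # Later requests on a kept-alive connection follow the first one's
            # backend; a real proxy re-parses each request or forces Connection: close.
            t = threading.Thread(target=pipe, args=(self.request, upstream), daemon=True)
            t.start()
            pipe(upstream, self.request)
            t.join()


class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Listens on the firewall's public side; port 80 needs root or a capability.
    with ThreadedTCPServer(("0.0.0.0", 80), ProxyHandler) as srv:
        srv.serve_forever()
```

Run it on the firewall in place of the port-80 DNAT rule, with iptables accepting port 80 to the firewall itself and the backends reachable only from the firewall's inside interface. The dispatch decision lives entirely in parse_host/select_backend: that is the part netfilter cannot see, because the Host header is application payload, not an IP header field.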