[Vserver] Iptables NAT & vservers

2006-03-13 Thread Marc Kalberer
Hello,
I tried to set up a subnetwork using several vservers.

- host system is connected to the internet
- several guests in a different subnetwork on it.
- the host has the normal eth0 interface and a "virtual" tap0 one.
- host can see and connect to both networks.

Now the "problem" is:
- from outside I have several subdomains test.example.com,
test2.example.com pointing to the guest IP.

and based on the name I would like to redirect the incoming connection to
the corresponding guest.
iptables is supposed to handle the -d switch

(host is 10.0.0.160)

-A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2

... what's wrong with my approach, I didn't succeed in making it work.

Any idea?

Marc


-- 
Programmers.ch
Solutions libres et Opensources
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Iptables NAT & vservers

2006-03-13 Thread Sebastian Harl
Hi,

> iptables is suppose to handle the -d 
> 
> (host is 10.0.0.160)
> 
> -A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination
> 10.0.1.2
> 
> ... what's wrong with my approach, I didn't succeed to make it work.

iptables only supports IP-based routing. I guess the -d switch
is only provided for convenience and will simply resolve the hostname to the
appropriate IP.

I don't think domain-name based routing is available at all...

Cheers,
Sebastian
-- 
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] Iptables NAT & vservers

2006-03-13 Thread Marc Kalberer
.. it would explain why I didn't succeed ;-)

Do you think there is another way to redirect all incoming connections
to a particular machine based on the "connection name" but not on the
port number, e.g.:
ssh mymachine.example.com




Re: [Vserver] Iptables NAT & vservers

2006-03-13 Thread Sebastian Harl
> .. it would explain why I didn't succeed ;-)

Indeed ;-)

> Do you think there is a other way to redirect all incoming connection to
> a particular machine base on the "connection name" but not on the port
> number ex:
> ssh mymachine.example.com

No, I don't think so... TCP/IP does not carry any hostname information, so
routing would have to be done in the application layer protocol. HTTP, for
example, carries the hostname with it - that's why domain based hosting is
available (and possible ;-) e.g. in Apache.

The "connection name" that you were refering to is the IP address...

Cheers,
Sebastian
-- 
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/



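The distinction Sebastian draws above (the hostname lives in the application-layer protocol, not in TCP/IP) is exactly what a reverse proxy on the host relies on. The following Python sketch is an added example, not code from this thread or from Linux-VServer: it looks at the first bytes a client sends, extracts the HTTP Host header when there is one, and maps it to a guest address from a constructed table, refusing anything unknown. For an SSH client the first bytes are only a version banner with no hostname in it, so the only thing left to dispatch on is the destination port, the "per service" fallback Joep suggests and Marc settles on. The hostnames, guest IPs and port numbers are assumptions.

```python
import re

# Constructed mapping (assumption): hostname -> guest IP in the vserver subnet.
GUEST_BY_HOST = {
    "test.example.com": "10.0.1.2",
    "test2.example.com": "10.0.1.3",
}
# Constructed fallback (assumption): destination port -> guest IP, for
# protocols such as SSH whose first bytes carry no hostname at all.
GUEST_BY_PORT = {
    2201: "10.0.1.2",
    2202: "10.0.1.3",
}
MAX_HEAD = 8192  # do not buffer unbounded headers while deciding

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
HOSTNAME = re.compile(r"[a-z0-9.-]+")


def classify(first_bytes):
    """Guess the protocol from the first bytes a client sends."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # SSH version banner: contains no hostname
    if REQUEST_LINE.match(first_bytes.split(b"\r\n", 1)[0]):
        return "http"
    return "unknown"


def http_host(first_bytes):
    """Return the normalised Host header of a complete HTTP request head, else None."""
    if len(first_bytes) > MAX_HEAD:
        return None
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete yet
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    host = None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # malformed header line
        if name.strip().lower() == b"host":
            if host is not None:
                return None  # duplicate Host header: ambiguous, reject
            host = value.strip()
    if host is None:
        return None  # HTTP/1.0-style request without Host: nothing to route on
    try:
        text = host.decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    text = text.rsplit(":", 1)[0].rstrip(".")  # drop optional :port (no IPv6 literals here)
    return text if HOSTNAME.fullmatch(text) else None


def pick_guest(first_bytes, dst_port, by_host=GUEST_BY_HOST, by_port=GUEST_BY_PORT):
    """Choose the guest for a new connection, or None to refuse it (default deny)."""
    if classify(first_bytes) == "http":
        name = http_host(first_bytes)
        return by_host.get(name) if name else None
    # SSH (and anything unrecognised) carries no hostname: only the port can decide.
    return by_port.get(dst_port)


if __name__ == "__main__":
    # Constructed sample first-bytes for a quick stand-alone run.
    samples = [
        (b"GET / HTTP/1.1\r\nHost: test2.example.com:80\r\n\r\n", 80),
        (b"GET / HTTP/1.1\r\nHost: unknown.example.org\r\n\r\n", 80),
        (b"SSH-2.0-OpenSSH_4.2\r\n", 2201),
        (b"SSH-2.0-OpenSSH_4.2\r\n", 22),
    ]
    for data, port in samples:
        print(classify(data), port, "->", pick_guest(data, port))
```

The HTTP branch is deliberately strict: a missing, duplicate or malformed Host header, or a name that is not in the table, yields None rather than a best-effort guess, so a request that does not name one of your guests never reaches any of them. The SSH branch shows the limit Sebastian describes: the banner `SSH-2.0-...` is all the dispatcher ever sees before the connection is handed on, so per-port (or per-IP) mapping is the only option for that protocol.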


Re: [Vserver] Iptables NAT & vservers

2006-03-13 Thread Joep Gommers
Well, for web and RADIUS you could use Squid as a reverse proxy. For SSH
you can set up different ports on the different IPs.

Or, in some nasty way, you could use Snort to match for your hostname and
dynamically make the forward, and remove it when it's gone. But that's
just utter nonsense... nonetheless possible.

J-

On 3/13/06, Sebastian Harl <[EMAIL PROTECTED]> wrote:
> > .. it would explain why I didn't succeed ;-)
>
> Indeed ;-)
>
> > Do you think there is a other way to redirect all incoming connection to
> > a particular machine base on the "connection name" but not on the port
> > number ex:
> > ssh mymachine.example.com
>
> No, I don't think so... TCP/IP does not carry any hostname information, so
> routing would have to be done in the application layer protocol. HTTP, for
> example, carries the hostname with it - that's why domain based hosting is
> available (and possible ;-) e.g. in Apache.
>
> The "connection name" that you were refering to is the IP address...
>
> Cheers,
> Sebastian
> --
> Sebastian "tokkee" Harl
> GnuPG-ID: 0x8501C7FC
> http://tokkee.org/
>
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFEFaGpEFEKc4UBx/wRArUaAJ9qWM6/ZoxUO/NTeR1n0RG0msB5YgCeJMMS
> O0QxWlQjbue01b61VnFTDPU=
> =Kmhm
> -END PGP SIGNATURE-
>
>
> ___
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
>
>
>


Re: [Vserver] Iptables NAT & vservers

2006-03-13 Thread Marc Kalberer
Thanks all for the answers,
I'll go on with a "per service" dispatch.

...and yes, I think Apache provides such a mechanism, but I wanted to do
it cleanly ;-)
