Use Domain in iptables PREROUTING

Question

I have a www.example.com with X.X.Y.Y ip i want to forward traffic from port 80 to the domain(www.example.com), I used the following iptable:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination X.X.Y.Y:80

but i dont get good result because X.X.Y.Y content is not equal to the domain(www.example.com)
For ex: if you go to 198.252.206.16(the ip of serverfault) with your browser you will see that result and content of the address(ip address) is not equl www.serverfault.com.
I want to use domain in the above iptables rule, for ex:--to-destination www.example.com(its just an example and i know its not working), how can i do this?
Is there any alternative way to do that without using iptables?
Thank you

This doesn't make a lot of sense. What are you really attempting to do? — Michael Hampton, Sep 03 '13 at 08:54
I want to send all the traffic from my server to another(that it's for mine) — Carig, Sep 03 '13 at 08:56
You already said that. But you are missing a lot of detail. Please describe your entire setup from beginning to end. — Michael Hampton, Sep 03 '13 at 08:57
"--to-destination www.example.com (its just an example and i know its not working)" it's working, but if www.example.com has multiple A records or dynamic ip address it would work "strange". iptables will resolve ip address of www.example.com during startup and will use these ip address until restart. — ALex_hha, Sep 03 '13 at 09:07

score 2 · Accepted Answer · answered Sep 03 '13 at 09:24

2

I think what you need is an HTTP proxy to do the rewriting of the request headers. IPTables doesn't parse the HTTP header and replace the domains in them.

You should look at something like Nginx, or Squid for doing that, just something that understands and rewrites the HTTP request headers into the domain that you want.

IPTables does not know any higher protocols than TCP or UDP.

answered Sep 03 '13 at 09:24

replay

3,180
13
16

very nice answer, so i have an alternative and i can use Http proxy like Squid proxy instead of iptables, that's right? – Carig Sep 03 '13 at 09:27
Yes. For rewriting the content of the HTTP headers you will have to use a proxy that is able to parse HTTP. IPTables cannot do that – replay Sep 03 '13 at 09:28

score 2 · Answer 2 · answered Sep 03 '13 at 09:36

2

You cannot do it with iptables even if you use the -d option as the domain names are loaded during iptables startup. The right way to do what you want to do is to use a proxy server like Squid.

answered Sep 03 '13 at 09:36

deppfx

429
3
13

score 0 · Answer 3 · answered May 12 '17 at 19:29

on your webserver do something like this:

 NameVirtualHost *:80
 <VirtualHost *:80>
   # The DNS1 site is hosted locally
   ServerName DNS1
   DocumentRoot /var/www./...
 </VirtualHost>

 <VirtualHost *:80>
   ServerName DNS2
   # Forward all requests to container:
   Proxypass / http://<container-ip>
   ProxypassReverse / http://<container-ip>
 </VirtualHost>

Use Domain in iptables PREROUTING

3 Answers3