netfilter/firewall and www vhosting
Sneppe Filip
Filip.Sneppe@cronos.be
Tue, 10 Jul 2001 18:14:41 +0200
Jamie Pratt (niteowl_guy@yahoo.com) wrote:
>
>I realize this is a bit off-topic, but I can't seem to find any info out
>about this anyplace else - I'm designing a firewall for my network, and
>have been trying to figure out how to get about 10 www name-based vhosts
>working from behind the firewall using DNAT. (Yes, stop laughing!)
>
It depends on your situation whether netfilter alone can solve your problem.
How are the 10 www names known to the rest of the world as far as DNS name
resolution is concerned?
If they all resolve to one internet IP address, and one internal box hosts
the 10 sites, you should be able to host everything with just one DNAT rule
and one filter rule, like this:
iptables -t nat -A PREROUTING -p tcp -d w.x.y.z --dport 80 -j DNAT --to-destination 10.a.b.c
iptables -A FORWARD -p tcp -d 10.a.b.c --dport 80 -j ACCEPT
The host headers in the HTTP packets will enable the webserver to
distinguish between the various hosted www sites.
If your 10 www names all resolve to different internet IP addresses, you
will need more than one DNAT rule, but it will be possible to use only
netfilter to solve your problem. It is even possible that different www
sites (different internet IP addresses) are hosted on one internal box.
Now it gets trickier when www sites with the same external IP address are
hosted by more than one internal server. Netfilter does not operate at the
application layer, hence it cannot look at the HTTP headers in the request
to determine the internal server to send the request to.
You will have to use a (reverse) proxy to solve this problem. I know from
experience that Squid allows you to do this, and it should also be fairly
easy to achieve this with Apache.
I'd be happy to know if there are other (performant) free/open source
solutions?
You will have to decide whether you will use this reverse proxy on your
firewall, or whether you will use another box.
> Am I dreaming here, and is my only option to just put the vhosts on the
>firewall box itself? (wanted to avoid this if possible, but I have no DNS
>behind the firewall so I just don't see how I can do this considering
>name-based vhosting is essentially broken with no DNS?)
>
>Any ideas, flames, comments ?
>
If I understand the problem you are describing, I hope this mail will have
helped.
-Filip
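The two cases the reply says netfilter can handle on its own (many names on one external IP going to one internal box, and several external IPs each DNATed to their own internal box) are spelled out below as an added example; it is not part of Filip's mail or of any netfilter project code. The external interface name eth0, the RFC 5737 addresses and the mapping table are assumptions chosen for illustration. The script prints the rules so they can be reviewed, and only executes them when given the argument apply, which needs root and iptables.

```shell
#!/bin/sh
# Added example (not from the original post): emit the netfilter rules for the
# two cases that DNAT alone can solve. All addresses and the interface name are
# assumptions; "apply" as the first argument runs the rules, otherwise they are
# only printed so you can review them first.
set -u

EXT_IF=eth0   # assumed external interface; PREROUTING is restricted to it

# Constructed mapping: external IP -> internal web server. Several external
# IPs may point at the same internal box (name-based vhosts there), and one
# external IP may carry any number of names: the Host: header sorts them out.
MAP='203.0.113.10 10.0.0.10
203.0.113.11 10.0.0.11
203.0.113.12 10.0.0.10'

# Rules for one external/internal pair: DNAT on arrival, then allow the
# rewritten packet through FORWARD. Both are needed; DNAT by itself does not
# get a packet past a restrictive FORWARD policy.
dnat_rules() {
    ext=$1; int=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 80 -j DNAT --to-destination %s\n' "$EXT_IF" "$ext" "$int"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 80 -m state --state NEW -j ACCEPT\n' "$EXT_IF" "$int"
}

# Full rule set: one stateful rule so the replies (un-DNATed by conntrack on
# the way back) are forwarded, then one pair of rules per mapping line.
gen_rules() {
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "$MAP" | while read -r ext int; do
        if [ -n "$ext" ]; then
            dnat_rules "$ext" "$int"
        fi
    done
}

# Number of DNAT rules the mapping produces: one per external IP, regardless
# of how many names resolve to it or how many IPs share an internal box.
count_dnat() {
    gen_rules | grep -c -- '-j DNAT'
}

case "${1:-}" in
    apply) gen_rules | sh -e ;;   # needs root and iptables
    *)     gen_rules ;;
esac
```

Two caveats a practitioner will want: the `-i eth0` match means clients on the inside that resolve a site to its public address will not reach it through these rules (that needs a hairpin SNAT or split DNS), and the third case in the mail, one external IP spread over several internal servers, still needs a reverse proxy because nothing here can read the Host: header.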