
I've got a question concerning iptables PREROUTING. I'm not that familiar with networking/routing/iptables, so I hope this is not a stupid question at all. So I ask for your understanding and indulgence.

What I do is: I use LXC to separate apps into containers. For accessing a service (maybe apache2) in a container, I have to do prerouting like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20080 -j DNAT --to <container-ip>:80

So far so good, works as it should.

Imagine the host system also runs an apache2 (port 80). It has 1 NIC and 2 DNS names assigned: DNS1 (host record) and DNS2 (alias to DNS1). What I want to do is to PREROUTE not using the dport but using the DNS name, so that:

http://DNS1:80 # ends up at the host's apache2
http://DNS2:80 # ends up at the LXC container's apache2 (on the same host)

Is it possible, and if yes, how do I configure iptables?

ITL

1 Answer


TCP/IP packets are routed to IP addresses and network ports, not to hostnames.

Therefore the iptables packet filter works on IP addresses, network ports and protocols as well, and not on DNS hostnames.

Your options are:

  1. configure bridging so your container gets a public IP address rather than one in a private range restricted to the host, and set up DNS accordingly.
  2. use Apache's reverse proxy functionality (or similar), which does work at the DNS hostname level, and route your HTTP requests at the application level:

for example:

 # Name-based virtual hosts. NameVirtualHost is required on Apache 2.2 and
 # deprecated (a no-op) on 2.4; mod_proxy and mod_proxy_http must be loaded.
 NameVirtualHost *:80
 <VirtualHost *:80>
   # The DNS1 site is hosted locally
   ServerName DNS1
   DocumentRoot /var/www/...
 </VirtualHost>

 <VirtualHost *:80>
   ServerName DNS2
   # Forward all requests to the container (path and target both end in "/")
   ProxyPass / http://<container-ip>/
   ProxyPassReverse / http://<container-ip>/
 </VirtualHost>
HBruijn
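To make the answer's point concrete, here is an added example (not code from the question or the answer) that dispatches raw HTTP requests the way a name-based VirtualHost does: by the Host header, which is the only place the name DNS1 or DNS2 is visible once both resolve to the same NIC. The vhost names, the container address 10.0.3.2 and the sample requests are constructed values.

```python
# Added example, not from the question or answer. Both DNS names resolve to
# the one NIC, so the destination address, protocol and port that PREROUTING
# matches on are identical for every request; the name only exists inside the
# HTTP payload as the Host header. That header is what Apache's name-based
# VirtualHost (or any reverse proxy) dispatches on. All names, addresses and
# requests below are constructed sample values.

# Name-based vhosts in the answer's order; Apache uses the first one as the
# default when no ServerName matches the Host header.
VHOSTS = [
    ("dns1.example.test", "local:/var/www/dns1"),     # host's own apache2
    ("dns2.example.test", "proxy:http://10.0.3.2/"),  # the container's apache2
]

def _strip_port(hostport: str) -> str:
    """'name:80' -> 'name'; keeps IPv6 literals like '[2001:db8::1]' intact."""
    if hostport.startswith("["):
        return hostport.split("]", 1)[0] + "]"
    return hostport.rsplit(":", 1)[0]

def host_header(request: bytes):
    """Return the normalised Host header of a raw HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            value = value.strip().decode("ascii", "replace")
            return _strip_port(value).lower()     # DNS names are case-insensitive
    return None

def backend_for(request: bytes, vhosts=VHOSTS):
    """Choose a backend like a name-based vhost does; returns (vhost, backend).
    HTTP/1.1 requires Host, so a request without it is rejected rather than
    silently landing on the default vhost, which may be the wrong application.
    """
    host = host_header(request)
    if host is None:
        return (None, "400 Bad Request")
    for name, backend in vhosts:
        if name == host:
            return (name, backend)
    return vhosts[0]                               # Apache's default-vhost rule

if __name__ == "__main__":
    # Same dst IP:port for all three; only the Host header differs.
    for req in (b"GET / HTTP/1.1\r\nHost: DNS1.example.test\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: dns2.example.test:80\r\n\r\n",
                b"GET / HTTP/1.1\r\n\r\n"):
        print(backend_for(req))
```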