Re: Matching packets by HTTP header "Host"

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Giovanni Lovato a écrit :
> I'm trying to forward packets to different hosts depending on the "Host"
> header in HTTP packets, e.g. packets on port 80 requesting "Host:
> one.example.org" to 192.168.0.1 and all other on port 80 to 192.128.0.2.
> I did:
>
> iptables -t nat -A PREROUTING -p TCP -i eth0 -m string --algo bm
> - --string "Host: one.example.org" --destination-port 80 -j DNAT
> - --to-destination 192.168.0.1
>
> iptables -t nat -A PREROUTING -p TCP -i eth0 --destination-port 80 -j
> DNAT --to-destination 192.168.0.2
>
> But all packets are going to 192.168.0.2. Do I miss something?
Rules in the 'nat' table apply only to the first packet of a new 
connection. NAT operations for the whole connection is determined by the 
NAT rules applied to the first (SYN) packet of the connection, which 
does not contain any HTTP payload data such as the "Host" header. So the 
first rule never matches a packet. As suggested, use a HTTP proxy instead.