Iptables prerouting based on destination's DNS name?

domain-name-system iptables nat lxc

7,262

TCP/IP packets are routed to ip-addresses and network ports, not to hostnames.

Therefore the iptables packetfilter works on ip-addresses, network ports and protocols as well and not on DNS/hostnames.

Your options are:

configure bridging so your container get a public ip-address rather than a private range restricted to the host and set up DNS accordingly.
use apache reverse proxy functionality (or similar) which does work at the DNS hostname level and route your HTTP requests at the application level:

for example:

 NameVirtualHost *:80
 <VirtualHost *:80>
   # The DNS1 site is hosted locally
   ServerName DNS1
   DocumentRoot /var/www./...
 </VirtualHost>

 <VirtualHost *:80>
   ServerName DNS2
   # Forward all requests to container:
   Proxypass / http://<container-ip>
   ProxypassReverse / http://<container-ip>
 </VirtualHost>

7,262

ITL

Updated on September 18, 2022

Comments

ITL almost 2 years
I've got a question concerning iptable prerouting. I'm not that familiar with networking/routing/iptables so I hope this is not a stupid question, at all. So I ask for your understanding and indulgence.

What I do is: I use LXC to separate apps in containers. For accessing a service (maybe apache2) in a container, I have to do prerouting like this:
```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20080 -j DNAT --to <container-ip>:80
```
So far so good, works as it should.

Imagine the host system also runs an apache2 (Port 80). It got 1 NIC and 2 DNS-Names assigned: DNS1 (HostRecord) and DNS2 (Alias to DNS1) What I want to do is to PREROUTE not using the dport but by using the DNS-Name, so that:
```
http://DNS1:80 #ends up at the host apache2
http://DNS2:80 #ends up at lxc-container's apache2 (at the the same host)
```
Is it possible and if yes, how to configure iptables?
ITL about 10 years

Now I've got the affirmation of what I have assumed. Thank you.