# iptables redirect domain

## selig

Hello, I would like to redirect specific domains from one server (IP) to another using iptables.

Will something like this work?

```
iptables -t nat -A PREROUTING -d $DOMAIN_NAME -j DNAT --to-destination $SERVER2_IP
iptables -t nat -A POSTROUTING -j MASQUERADE
```

----------

## anello

It will only work if the domain name has one fixed static IP, and it does not take care of vhosts.

iptables resolves the domain names at the moment you load the rules. If the IP of the domain name changes after the load, the firewall rules won't be aware of the new IP. There is no refreshing until the next reload of the rules!

You may want to look into Apache http_proxy. You can simply redirect the sites/vhosts, while using a different entry server.

Hope that helps!

----------

## selig

I see... thank you for the reply! I need this because of vhosts so I'd better look at the proxying in apache.

----------

## Bircoph

This may also be done via l7-filter. Of course, header analysis will be more expensive than ordinary iptables rules.

----------

## tftd

*selig wrote:*

> Hello, I would like to redirect specific domains from one server (IP) to another using iptables.
>
> Will something like this work?
>
> ```
> ...

Hey :Smile:

This will work:

```
#!/bin/sh

internet='ppp0'          # Or the interface on which you see the network
source="0.0.0.0/0.0.0.0" # this will redirect everybody to that port. If you want you may specify only one IP address or an IP range.
domain="redirect.mydomain.com" # the domain/subdomain that will be redirected
sourcePort="22"          # the port which you'll redirect.
toDestination="192.168.0.2" # where to redirect to.
destinationPort="22"     # on which port to redirect.

iptables -t mangle -P PREROUTING ACCEPT

# The hostname in -d is resolved once, when this rule is loaded, to its A record(s).
iptables -t nat -A PREROUTING -p tcp -i $internet --source $source -d $domain --destination-port $sourcePort -j DNAT --to-destination $toDestination:$destinationPort
```

I think that if you remove "--destination-port" and set "--to-destination" only to an IP address it might work. I haven't tested it though.

At home I only need a couple of ports being redirected.

You might need to experiment a bit or even compile a new kernel to get that code working. That line is working on my server - slackware 12.2, iptables v1.4.2, Linux whitestar 2.6.32.8. 

Hope this helps somebody :Smile:

----------

## Hu

*tftd wrote:*

> This will work:
>
> Hope this helps somebody

Setting aside that you woke up a thread that was dormant for more than four months, your proposed solution does not work because the proposed problem cannot be solved purely in iptables. The commands you gave will execute successfully, but will not achieve the goal specified by the original poster. His request was to have two or more DNS A records that point to the same IP address and to have iptables treat the incoming connection differently depending upon which A record was used to find the server's address. This is impossible because TCP/IP does not provide a way for the client to specify what DNS A record (if any) it used to find the server. Higher level protocols, such as HTTP, allow clients to pass along this information, but iptables must make a decision long before the higher level protocol has sent that information. Thus, the vhost approach that he indicated he would pursue is necessary, since that decision can be deferred until the HTTP transaction has sent which hostname was used.
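The two points made in this thread (anello's, that iptables only ever sees addresses resolved at rule load time, and Hu's, that the hostname the client used exists only in the HTTP request) can be shown side by side in a small model. The following is an added example, not code from the thread or from any poster; the addresses, the two names sharing one A record, the backend table and the HTTP request are all constructed sample values. It contrasts what a packet filter can match on for the first packet of a connection (the IP/TCP 5-tuple, with no hostname in it) with what a name-based reverse proxy decides on (the Host header), which is the vhost approach the original poster settled on.

```python
"""Packet-filter view vs. HTTP-proxy view of a hostname-based redirect.

Added example for the thread above; all values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    """Everything a packet filter can match on when the TCP SYN arrives."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed sample: two names that share one A record (the original poster's situation).
DNS_A_RECORDS = {
    "www.example.test": "203.0.113.10",
    "app.example.test": "203.0.113.10",
}

# Constructed backend table for the proxy: which vhost is forwarded where.
VHOST_BACKENDS = {
    "www.example.test": "192.168.0.1",
    "app.example.test": "192.168.0.2",
}


def packet_filter_view(client_ip: str, name: str, port: int = 80) -> FiveTuple:
    """Model the client resolving `name` and opening a connection.

    The name is resolved on the client side before any packet is sent; only the
    resulting address reaches the wire, so that is all the filter can see.
    """
    return FiveTuple(client_ip, 40000, DNS_A_RECORDS[name], port)


def names_for_five_tuple(ft: FiveTuple) -> list:
    """Return every name whose A record is ft.dst_ip.

    When two names point at one address the list has two entries: the filter
    cannot tell which one the client used, so it cannot route by name.
    """
    return sorted(n for n, ip in DNS_A_RECORDS.items() if ip == ft.dst_ip)


def parse_host_header(request: bytes) -> str:
    """Extract the Host header from a raw HTTP/1.1 request head.

    A request with zero or several Host headers is rejected, as a proxy should
    do rather than guess; an optional :port suffix is dropped and the name is
    lower-cased because host names compare case-insensitively.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    hosts = [line.split(b":", 1)[1].strip()
             for line in lines[1:] if line.lower().startswith(b"host:")]
    if len(hosts) != 1:
        raise ValueError("expected exactly one Host header")
    host = hosts[0].decode("ascii").lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host


def proxy_backend(request: bytes) -> str:
    """The vhost decision: pick the backend by Host header.

    This decision is only possible after the request head has been read,
    which is why it belongs in a reverse proxy and not in a PREROUTING rule.
    Unknown hosts are refused instead of being forwarded to a default backend.
    """
    host = parse_host_header(request)
    if host not in VHOST_BACKENDS:
        raise LookupError(f"no vhost configured for {host!r}")
    return VHOST_BACKENDS[host]


if __name__ == "__main__":
    ft = packet_filter_view("198.51.100.7", "app.example.test")
    print("filter sees:", ft, "-> candidate names:", names_for_five_tuple(ft))
    req = b"GET / HTTP/1.1\r\nHost: app.example.test\r\nUser-Agent: demo\r\n\r\n"
    print("proxy sees Host:", parse_host_header(req), "-> backend:", proxy_backend(req))
```

The same split explains anello's caveat: an `-d hostname` rule is turned into address matches when it is loaded, so `names_for_five_tuple` is the best any address-based rule can do, and a later change to the A record is invisible to it until the rules are reloaded.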

----------

