How to redirect traffic based on incoming subdomain?

Currently I have the following jail setup:

Code:
dns : 10.1.1.1 at lo111
ircd : 10.2.2.2 at lo222
www: 10.3.3.3 at lo333
db: 10.4.4.4 at lo444

As for the WAN IP (let's assume it's 123.123.123.123), I only have one assigned to my box; my A record DNS is currently:

Code:
irc.domain.tld 123.123.123.123
www.domain.tld 123.123.123.123
domain.tld 123.123.123.123


My current pf.conf, taken and quickly edited from the awesome quick jail guide in the how-to sub-forum:
Code:
####Interfaces
ext_if="re0"
jail_if_www="lo333"
jail_if_db="lo444"
jail_if_irc="lo222"
jail_if_dns="lo111"

####IP Assignment
IP_PUB="123.123.123.123"
IP_JAIL_WWW="10.3.3.3"
IP_JAIL_DB="10.4.4.4"
IP_JAIL_IRC="10.2.2.2"
IP_JAIL_DNS="10.1.1.1"

###Jail Network
NET_JAIL_WWW="10.3.3.0/24"
NET_JAIL_DB="10.4.4.0/24"
NET_JAIL_IRC="10.2.2.0/24"
NET_JAIL_DNS="10.1.1.0/24"

###PORT
PORT_WWW="{80,443}"
PORT_DB="{3306,9200}"
PORT_IRC="{6667}"
PORT_IRC_LOCAL="{8080}"
PORT_DNS="{53}"

scrub in all

# nat www jail traffic
nat pass on $ext_if from $NET_JAIL_WWW to any -> $IP_PUB

# temp outbound access for DB
nat pass on $ext_if from $NET_JAIL_DB to any -> $IP_PUB

# temp outbound access for IRC
nat pass on $ext_if from $NET_JAIL_IRC to any -> $IP_PUB

# redirect irc port traffic from outbound
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_IRC -> $IP_JAIL_IRC

# redirect www port traffic
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW


# enable DB access from www
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_DB port $PORT_DB -> $IP_JAIL_DB

# enable xml-rpc irc access from www
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_IRC port $PORT_IRC_LOCAL -> $IP_JAIL_IRC

## enable DNS access from all local network
##tcp
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_db proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_irc proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
##udp
rdr pass on $jail_if_www proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_db proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_irc proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS

##Jail dns
nat pass on $ext_if from $NET_JAIL_DNS to any -> $IP_PUB

The problem is that when a user tries to browse to http://irc.domain.tld, it instead automatically resolves to the main domain.tld site, which is served by nginx. The way I wanted to do it is to sort incoming traffic based on the requested subdomain, so if a user wanted to browse to irc.domain.tld it would fail to resolve, while using port 6667 it would pass into the ircd jail.

Is it possible within pf rules scope? Or would I need more tinkering with the DNS records?
 
PF only looks at layer 3/4; what you want to do happens on layer 7.

Resolving irc.domain.tld happens outside of your scope too. So you have no control over it.
 
So the solution is either getting more WAN IPs or pointing my domain DNS to my own DNS setup and setting the records to my jails?
 
Then you still have no control over the resolving itself. You want something that resolves irc.mydomain.tld only when connecting to port 6667. But the resolving happens before any connection is made. The resolving also happens on the clients, which you do not control.
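As an added illustration of the layer split described in the replies (not code from the thread), the script below mimics what the thread's rdr rules can key on (destination IP and port) versus what only a layer-7 proxy such as nginx could read (the HTTP Host header). The IPs, ports and hostnames are the ones from the thread; the payloads are constructed samples, and the `dispatch` function is a hypothetical model, not something pf can do.

```python
# Added example: why pf cannot act on the subdomain. A packet filter sees
# only the L3/L4 tuple; the name the client typed survives only inside the
# L7 payload, and only for protocols that carry it (HTTP Host header).
# A plain IRC registration carries no hostname at all.

IP_PUB = "123.123.123.123"
IP_JAIL_WWW = "10.3.3.3"
IP_JAIL_IRC = "10.2.2.2"

# What the thread's rdr rules can key on: the destination port only.
RDR_BY_PORT = {80: IP_JAIL_WWW, 443: IP_JAIL_WWW, 6667: IP_JAIL_IRC}


def pf_rdr(dst_ip, dst_port):
    """Mimic 'rdr pass ... to $IP_PUB port X -> $IP_JAIL_Y' (layer 3/4)."""
    if dst_ip != IP_PUB:
        return None
    return RDR_BY_PORT.get(dst_port)


def http_host(payload):
    """Extract the Host header from an HTTP/1.x request (layer 7), or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return None  # not an HTTP request line (e.g. IRC NICK/USER)
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def dispatch(dst_ip, dst_port, payload):
    """Hypothetical model: return (layer that decided, target).
    pf decides by port; only an L7 proxy can see the Host header and
    refuse irc.domain.tld instead of serving the default site."""
    jail = pf_rdr(dst_ip, dst_port)
    if jail is None:
        return ("L4", "drop")
    if dst_port == 6667:
        return ("L4", jail)  # pf alone is enough for IRC: port-based
    host = http_host(payload)
    if host == "irc.domain.tld":
        return ("L7", "refuse")  # an nginx server block would handle this
    return ("L7", jail)


# Constructed sample payloads (first bytes a client sends after connecting)
HTTP_IRC = b"GET / HTTP/1.1\r\nHost: irc.domain.tld\r\n\r\n"
HTTP_WWW = b"GET / HTTP/1.1\r\nHost: www.domain.tld\r\n\r\n"
IRC_REG = b"NICK alice\r\nUSER alice 0 * :alice\r\n"
```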
 