# How to redirect traffic based on incoming subdomain?



## Solaris (May 9, 2012)

Currently I have the following jail setup:


```
dns : 10.1.1.1 at lo111
ircd : 10.2.2.2 at lo222
www: 10.3.3.3 at lo333
db: 10.4.4.4 at lo444
```

And as for WAN IP (let's assume it's 123.123.123.123) I only have one assigned to my box; my A record DNS currently:


```
irc.domain.tld 123.123.123.123
www.domain.tld 123.123.123.123
domain.tld 123.123.123.123
```


My current pf.conf, taken and quickly edited from the awesome quick jail guide in the how-to sub-forum:

```
####Interfaces
ext_if="re0"
jail_if_www="lo333"
jail_if_db="lo444"
jail_if_irc="lo222"
jail_if_dns="lo111"

####IP Assignment
IP_PUB="123.123.123.123"
IP_JAIL_WWW="10.3.3.3"
IP_JAIL_DB="10.4.4.4"
IP_JAIL_IRC="10.2.2.2"
IP_JAIL_DNS="10.1.1.1"

###Jail Network
NET_JAIL_WWW="10.3.3.0/24"
NET_JAIL_DB="10.4.4.0/24"
NET_JAIL_IRC="10.2.2.0/24"
NET_JAIL_DNS="10.1.1.0/24"

###PORT
PORT_WWW="{80,443}"
PORT_DB="{3306,9200}"
PORT_IRC="{6667}"
PORT_IRC_LOCAL="{8080}"
PORT_DNS="{53}"

scrub in all

# nat www jail traffic
nat pass on $ext_if from $NET_JAIL_WWW to any -> $IP_PUB

# temp outbound access for DB
nat pass on $ext_if from $NET_JAIL_DB to any -> $IP_PUB

# temp outbound access for IRC
nat pass on $ext_if from $NET_JAIL_IRC to any -> $IP_PUB

# redirect irc port traffic from outbound
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_IRC -> $IP_JAIL_IRC

# redirect www port traffic
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW


# enable DB access from www
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_DB port $PORT_DB -> $IP_JAIL_DB

# enable xml-rpc irc access from www
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_IRC port $PORT_IRC_LOCAL -> $IP_JAIL_IRC

## enable DNS access from all local network
##tcp
rdr pass on $jail_if_www proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_db proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_irc proto tcp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
##udp
rdr pass on $jail_if_www proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_db proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS
rdr pass on $jail_if_irc proto udp from any to $IP_JAIL_DNS port $PORT_DNS -> $IP_JAIL_DNS

##Jail dns
nat pass on $ext_if from $NET_JAIL_DNS to any -> $IP_PUB
```

The problem is that when a user is trying to browse to http://irc.domain.tld, it will instead automatically resolve into the main domain.tld site, which is served by nginx. The way that I wanted to do it is to sort incoming traffic based on the requested subdomain, so if a user wanted to browse irc.domain.tld it will fail to resolve, while on port 6667 it will pass into the ircd jail.

Is it possible within the scope of pf rules? Or would I need more tinkering with the DNS records?


----------



## SirDice (May 9, 2012)

PF only looks at layer 3/4, what you want to do happens on layer 7.

Resolving irc.domain.tld happens outside of your scope too. So you have no control over it.

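What the separation looks like once it is moved to layer 7, as an added example that is not SirDice's or Solaris's configuration: an nginx config assumed to run in the www jail on 10.3.3.3, with the thread's pf rdr for port 80 left as it is. nginx picks the server block by the Host header, so it can refuse irc.domain.tld over HTTP, while pf keeps forwarding port 6667 to the ircd jail purely by port.

```nginx
# Added example, not from the thread. Assumes nginx in the www jail
# listens on 10.3.3.3:80 behind the existing pf rdr for $PORT_WWW.

# Catch-all for any Host that is not explicitly listed below
# (irc.domain.tld, the bare IP, random scanner names, ...).
# 444 is nginx-specific: close the connection without a response,
# so http://irc.domain.tld no longer lands on the main site.
server {
    listen 10.3.3.3:80 default_server;
    server_name _;
    return 444;
}

# The only names meant to be served over HTTP. Selection happens on the
# Host header, which pf (layer 3/4) never sees.
server {
    listen 10.3.3.3:80;
    server_name domain.tld www.domain.tld;
    root /usr/local/www/domain.tld;   # assumed document root
    index index.html;
}
```

Reload nginx inside the jail after the change; the pf rules for ports 80 and 6667 stay exactly as posted, since pf still only decides by IP and port.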

----------



## Solaris (May 9, 2012)

So the solution is either getting more WAN IPs or pointing my domain DNS to my own DNS setup, set the records to my jails?


----------



## SirDice (May 9, 2012)

Then you still have no control over the resolving itself. You want something that resolves irc.mydomain.tld _only_ when connecting to port 6667. But the resolving happens _before_ any connection is made. The resolving also happens on the clients, which you do not control.


----------



## Solaris (May 9, 2012)

Well, my budget is tight; I haven't got enough funds to buy another NIC/IP/box. Anyway, this solution works for me, as you said earlier.


----------

