Josh Trutwin wrote:
> I know that I can only have one SSL site per IP address with Apache:
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> Unfortunately, my web server is running inside a private LAN on IP 192.168.0.3.
>
> I have 5 public IP addresses that all web traffic routes to this box for the time being.
>
> What I'm wondering is, can I give this server multiple private IPs (it's a small network so there are plenty available!) and use iptables to NAT traffic to a different private IP address (but which still routes to the same physical web server) based on which public IP address traffic is coming in on?

Yes, just add aliases for the range of private IPs you want to NAT to on eth0 on your inside box. Add something like this to your boot scripts, or if you're on a RH-based box just create /etc/sysconfig/network-scripts/ifcfg-eth0:0 (start with a copy of ifcfg-eth0 and just edit that):

    ifconfig eth0:0 192.168.0.3 netmask 255.255.255.0 up
    ifconfig eth0:1 192.168.0.103 netmask 255.255.255.0 up
    ifconfig eth0:2 192.168.0.104 netmask 255.255.255.0 up

and so on.... For Debian you would add them to the /etc/network/interfaces file.

<snip>

> SSL coming in on 24.16.106.242? NAT to 192.168.0.3
> SSL coming in on 24.16.106.243? NAT to 192.168.0.103
> SSL coming in on 24.16.106.244? NAT to 192.168.0.104
> etc.
>
> The only part I don't know how to do is the iptables part. Is there a way to filter on which of my public IP addresses the traffic is coming in on?

Chad already posted the iptables rule you'll need to add to accomplish the port forwarding.

-- 
scot
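The public-to-private mapping from the question, written out as iptables DNAT rules matched on the destination address. This is an added example, not part of the thread and not the rule Chad posted. It assumes the rules are loaded on the gateway that receives the public addresses and that only TCP 443 is forwarded; `MAPPINGS`, `is_ipv4` and `dnat_rules` are names made up for the example.

```shell
#!/bin/sh
# Prints one DNAT rule per public IP; nothing is changed on the system.

# public:private pairs, taken from the question in the thread
MAPPINGS="24.16.106.242:192.168.0.3
24.16.106.243:192.168.0.103
24.16.106.244:192.168.0.104"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray chars or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dnat_rules: emit the PREROUTING rules, refusing any malformed mapping
dnat_rules() {
    while IFS=: read -r public private; do
        is_ipv4 "$public" && is_ipv4 "$private" || {
            echo "bad mapping: $public:$private" >&2
            return 1
        }
        # -d selects on the public address the client connected to
        echo "iptables -t nat -A PREROUTING -d $public -p tcp --dport 443" \
             "-j DNAT --to-destination $private:443"
    done <<EOF
$MAPPINGS
EOF
}

dnat_rules
```

Review the printed rules before loading them as root on the gateway; the gateway's FORWARD chain must also permit TCP 443 to the private addresses.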