You want multiple IP Addresses for email if you are hosting more than one domain. The reason is, everyone now checks for reverse DNS with email, so you need a different public IP Address for each email domain. This way, all the reverse DNS translations will be unique.

For apache, you can have multiple websites sharing the same IP Address as long as you don't do anything with SSL. SSL requires a unique IP Address for every website because of the way the protocol works. So you can use either name virtual hosts or IP based virtual hosts, your choice.

Note that if you are hosting email and websites for the same domain, it **might** be convenient for the email and website for each domain to share an IP Address.

Let's say you decide you want unique IP Addresses for everything. Let's also say you have an external address range of, say, 1.2.3.0/29. So this gives you the following IP Addresses, which we will assign like this:

1.2.3.0   not usable - defines the network
1.2.3.1   Outside (WAN) firewall interface
1.2.3.2   Public IP for first email
1.2.3.3   Public IP for 2nd email
1.2.3.4   Public IP for first website
1.2.3.5   Public IP for 2nd website
1.2.3.6   available for other stuff
1.2.3.7   defines the broadcast

Let's further say you have an internal LAN with, say, 192.168.0.0/24. Let's assign these IP Addresses:

192.168.0.1   Inside (LAN) firewall interface - this is the internal gateway everyone uses
192.168.0.2   Private IP for first email
192.168.0.3   Private IP for 2nd email
192.168.0.4   Private IP for first website
192.168.0.5   Private IP for 2nd website

Note that hosts 192.168.0.2 through .5 all point to the same physical box. This box could be Linux, Windows, or (pick your poison). It hosts all the websites and email domains.

So you have a firewall at 192.168.0.1 and another box with .2 thru .5. The firewall has 2 interfaces - one inside and one outside. Let's say that interface eth0 is the outside and eth1 is inside.

Next we need firewall rules.
Here are some code fragments that should minimally do the trick:

*****************************************************************
. . .
IPTABLES="/sbin/iptables"          # path to the iptables binary (assumed; set it earlier in your script)

PUBLIC_EMAIL1_IP="1.2.3.2"         # First mail server
PRIVATE_EMAIL1_IP="192.168.0.2"
PUBLIC_EMAIL2_IP="1.2.3.3"         # 2nd mail server
PRIVATE_EMAIL2_IP="192.168.0.3"
PUBLIC_WEB1_IP="1.2.3.4"           # First web server
PRIVATE_WEB1_IP="192.168.0.4"
PUBLIC_WEB2_IP="1.2.3.5"           # 2nd web server
PRIVATE_WEB2_IP="192.168.0.5"
. . .
# Bind each public address to an alias of the outside interface (the 1.2.3.0/29 block).
# Email might butcher the text wrapping below
/sbin/ifconfig eth0:0 $PUBLIC_EMAIL1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:1 $PUBLIC_EMAIL2_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:2 $PUBLIC_WEB1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:3 $PUBLIC_WEB2_IP netmask 255.255.255.248 broadcast 1.2.3.7

# You need a POSTROUTING rule for email (outbound mail leaves from the server's own public IP).
echo " Email (outbound SMTP, port 25)"
$IPTABLES -t nat -A POSTROUTING -o eth0 -p TCP --dport 25 \
  -s $PRIVATE_EMAIL1_IP -j SNAT --to $PUBLIC_EMAIL1_IP
. . .
# You need FORWARDing rules. Email might butcher text wrapping.
# (FORWARD sees the destination after DNAT, so match on the private addresses.)
echo " Email packets for ports 25 (SMTP), 110 (POP3), and 143 (IMAP)"
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
echo " WWW packets (port 80)"
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB2_IP -j ACCEPT
. . .

# And you need PREROUTING rules (DNAT each public address to the one internal box)
echo " HTTP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB1_IP \
  -p tcp --dport 80 -j DNAT --to $PRIVATE_WEB1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB2_IP \
  -p tcp --dport 80 -j DNAT --to $PRIVATE_WEB2_IP
echo " Email - SMTP, POP3, and IMAP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
  -p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
  -p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
  -p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
  -p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
  -p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
  -p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL2_IP
*****************************************************************

Note that you can improve on the rules in the FORWARD chain. You'll want to test for RELATED and ESTABLISHED and not just blindly ACCEPT incoming packets on those ports. Think about jumping to a user defined table that tests for this instead of directly to ACCEPT.

- Greg Scott

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Aleksander
Sent: Monday, January 02, 2006 10:08 AM
To: lartc@xxxxxxxxxxxxxxx
Subject: Re: Fwd: Several IP's, one mail and http server

Edmundo Carmona wrote:
>There was a typo. It was DNAT, and not DAN
>
>---------- Forwarded message ----------
>From: Edmundo Carmona <eantoranz@xxxxxxxxx>
>Date: Jan 2, 2006 11:47 AM
>Subject: Re: Several IP's, one mail and http server
>To: lartc <LARTC@xxxxxxxxxxxxxxx>
>
>
>If I understand correctly, the server is not directly connected to the
>internet, right?
>
>There are some boxes connected to the internet instead... am I right?
>
>
One connection, several IP addrs with their own host names. One gateway with these several external IPs. The gateway has one internal IP too, of course. The gateway does SNAT for the internal LAN.

Clients connect to the gateway using different hostnames and therefore different IP's. They are connecting to a webserver, which is in the internal LAN. They can connect thanks to DNAT (one DNAT for each IP to the same box in the LAN). When the server on the internal LAN answers the requests, its external IP is assigned by the SNAT rule. If that external IP is not the same as the one to which the client connected, the client will drop the server's responses --- they come from a different IP than the one he connected to in the first place.

The only way I see to make it work would be to have apache use IP based virtual hosts. That requires virtual interfaces, correct?

By clients I mean random users all over the Internet who connect to different IPs on the same gateway. How other machines in the LAN connect to the webserver using valid hostnames is another business, easily resolved with DNS zones.

Hope you can figure this out. Thanks for interest, I'll be back tomorrow.

Alex

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
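Greg's closing suggestion (a user-defined chain that checks connection state instead of blindly ACCEPTing on each port) worked out as an added example; this is not code from the thread. It keeps the addressing plan above and assumes the iptables path and the eth0/eth1 interface names; with APPLY=1 it loads the rules, otherwise it prints them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Same addressing plan as Greg's
# post; the iptables path and interface names are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_EMAIL1_IP="1.2.3.2";  PRIVATE_EMAIL1_IP="192.168.0.2"
PUBLIC_EMAIL2_IP="1.2.3.3";  PRIVATE_EMAIL2_IP="192.168.0.3"
PUBLIC_WEB1_IP="1.2.3.4";    PRIVATE_WEB1_IP="192.168.0.4"
PUBLIC_WEB2_IP="1.2.3.5";    PRIVATE_WEB2_IP="192.168.0.5"

# Dry run unless APPLY=1: rules are printed so they can be reviewed first.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPTABLES" "$@"; else echo "iptables $*"; fi
}

# publish <public_ip> <private_ip> <port>...: one DNAT per port, and one
# INBOUND rule that admits only the first packet of a NEW connection.
publish() {
    pub=$1; priv=$2; shift 2
    for port in "$@"; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp --dport "$port" \
            -j DNAT --to-destination "$priv"
        ipt -A INBOUND -p tcp --dport "$port" -d "$priv" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

build_rules() {
    ipt -P FORWARD DROP
    ipt -N INBOUND
    # Replies and related packets of flows already in the conntrack table
    # (including DNAT'd ones) are accepted before any per-port test.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN-originated connections go out; WAN-originated ones go to INBOUND,
    # and anything INBOUND does not accept falls back to the DROP policy.
    ipt -A FORWARD -i "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -m conntrack --ctstate NEW -j INBOUND
    publish "$PUBLIC_EMAIL1_IP" "$PRIVATE_EMAIL1_IP" 25 110 143
    publish "$PUBLIC_EMAIL2_IP" "$PRIVATE_EMAIL2_IP" 25 110 143
    publish "$PUBLIC_WEB1_IP"   "$PRIVATE_WEB1_IP"   80
    publish "$PUBLIC_WEB2_IP"   "$PRIVATE_WEB2_IP"   80
    # Outbound SMTP from each mail server leaves from its own public IP so
    # the source address matches that server's reverse DNS.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 25 \
        -s "$PRIVATE_EMAIL1_IP" -j SNAT --to-source "$PUBLIC_EMAIL1_IP"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 25 \
        -s "$PRIVATE_EMAIL2_IP" -j SNAT --to-source "$PUBLIC_EMAIL2_IP"
}
```

Run `build_rules` to print the rule set, or `APPLY=1 build_rules` as root to load it; the ESTABLISHED,RELATED rule is what lets the DNAT'd replies through without a per-port ACCEPT.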