You want multiple IP Addresses for email if you are hosting more than
one domain.  The reason is, everyone now checks for reverse DNS with
email so you need a different public IP Address for each email domain.
This way, all the reverse DNS translations will be unique.

For apache, you can have multiple websites sharing the same IP Address
as long as you don't do anything with SSL.  SSL requires a unique IP
Address for every website because of the way the protocol works.  So you
can use either name virtual hosts or IP based virtual hosts, your
choice.

Note that if you are hosting email and websites for the same domain, it
**might** be convenient for the email and website for each domain to
share an IP Address.

Let's say you decide you want unique IP Addresses for everything.
Let's also say you have an external address range of, say, 1.2.3.0/29.
So this gives you the following IP Addresses, which we will assign like
this:
1.2.3.0  not usable - defines the network
1.2.3.1  Outside (WAN) firewall interface
1.2.3.2  Public IP for first email
1.2.3.3  Public IP for 2nd email
1.2.3.4  Public IP for first website
1.2.3.5  Public IP for 2nd website
1.2.3.6  available for other stuff
1.2.3.7  defines the broadcast

Let's further say you have an internal LAN with, say, 192.168.0.0/24.
Let's assign these IP Addresses:
192.168.0.1  Inside (LAN) firewall interface
             This is the internal gateway everyone uses
192.168.0.2  Private IP for first email
192.168.0.3  Private IP for 2nd email
192.168.0.4  Private IP for first website
192.168.0.5  Private IP for 2nd website

Note that hosts 192.168.0.2 through .5 all point to the same physical
box.  This box could be Linux, Windows, or (pick your poison).  It hosts
all the websites and email domains.  So you have a firewall at
192.168.0.1 and another box with .2 thru .5.

The firewall has 2 interfaces - one inside and one outside.  Let's say
that interface eth0 is the outside and eth1 is inside.

Next we need firewall rules.  Here are some code fragments that should
minimally do the trick:
*****************************************************************
.
.
.
IPTABLES="/sbin/iptables"	# Path to iptables (assumed here; it is set in the elided part of the script)
PUBLIC_EMAIL1_IP="1.2.3.2"	# First mail server
PRIVATE_EMAIL1_IP="192.168.0.2"
PUBLIC_EMAIL2_IP="1.2.3.3"	# 2nd mail server
PRIVATE_EMAIL2_IP="192.168.0.3"
PUBLIC_WEB1_IP="1.2.3.4"	# First web server
PRIVATE_WEB1_IP="192.168.0.4"
PUBLIC_WEB2_IP="1.2.3.5"	# 2nd web server
PRIVATE_WEB2_IP="192.168.0.5"
.
.
.
# One alias of the outside interface per public address.  The /29 netmask
# is 255.255.255.248 and the broadcast is 1.2.3.7.
/sbin/ifconfig eth0:0 $PUBLIC_EMAIL1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:1 $PUBLIC_EMAIL2_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:2 $PUBLIC_WEB1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:3 $PUBLIC_WEB2_IP netmask 255.255.255.248 broadcast 1.2.3.7
# You need a POSTROUTING rule for email, one per mail server, so the mail
# each server sends out leaves with that server's own public address.
echo "	Email (outbound SMTP, port 25)"
$IPTABLES -t nat -A POSTROUTING -o eth0 -p TCP --dport 25 \
	-s $PRIVATE_EMAIL1_IP -j SNAT --to $PUBLIC_EMAIL1_IP
$IPTABLES -t nat -A POSTROUTING -o eth0 -p TCP --dport 25 \
	-s $PRIVATE_EMAIL2_IP -j SNAT --to $PUBLIC_EMAIL2_IP
.
.
.
# You need FORWARDing rules.  These let the packets rewritten by the
# PREROUTING rules below through to the private addresses.
echo "	Email packets for ports 25 (SMTP), 110 (POP3), and 143 (IMAP)"
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
echo "	WWW packets (port 80)"
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB2_IP -j ACCEPT
.
.
.
# And you need PREROUTING rules: rewrite each public address to the
# matching private address before the packet is routed.
echo "	HTTP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB1_IP \
		-p tcp --dport 80 -j DNAT --to $PRIVATE_WEB1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB2_IP \
		-p tcp --dport 80 -j DNAT --to $PRIVATE_WEB2_IP
echo "	Email - SMTP, POP3, and IMAP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
		-p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
		-p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
		-p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
		-p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
		-p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
		-p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL2_IP

Note that you can improve on the rules in the FORWARD chain.  You'll
want to test for RELATED and ESTABLISHED and not just blindly ACCEPT
incoming packets on those ports.  Think about jumping to a user defined
table that tests for this instead of directly to ACCEPT.

- Greg Scott

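
Greg's layout with the FORWARD-chain tightening he recommends, written out as an added example script. It is not the fragment above and not code from the LARTC list or anyone on it. It assumes the addresses and interface names used in this thread, an iptables build with the conntrack match, and iproute2's ip(8) in place of ifconfig; the chain name PUBLISHED and the file name fw.sh are my own choices. Running it as "IPTABLES=echo IP=echo sh fw.sh apply" prints the rules instead of loading them, which is a convenient way to review the rule set before it goes on a firewall.

```shell
#!/bin/sh
# Added example (not Greg's script): DNAT/SNAT for one app box behind a
# firewall, with a default-deny FORWARD chain and a user-defined chain that
# admits only NEW connections on the published ports; everything else relies
# on connection-tracking state.  Assumptions: addresses/interfaces from the
# thread, iptables with the conntrack match, ip(8) for address aliases.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IP="${IP:-/sbin/ip}"
WAN_IF="eth0"
LAN_IF="eth1"
WAN_PREFIX=29                       # the 1.2.3.0/29 range from the thread

# One record per published service: public address, private address,
# comma-separated TCP ports.  All private addresses live on the one app box.
SERVICES="1.2.3.2 192.168.0.2 25,110,143
1.2.3.3 192.168.0.3 25,110,143
1.2.3.4 192.168.0.4 80
1.2.3.5 192.168.0.5 80"

# Call "$1 pub priv ports" for every non-empty record in SERVICES.
each_service() {
    printf '%s\n' "$SERVICES" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        "$1" "$pub" "$priv" "$ports"
    done
}

# The firewall must own every public address (Greg's eth0:N aliases).
add_public_address() {
    $IP addr add "$1/$WAN_PREFIX" dev "$WAN_IF" 2>/dev/null || true
}
add_public_addresses() { each_service add_public_address; }

# Routing between eth0 and eth1, DNATed traffic included, needs this on.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

publish_service() {
    pub=$1; priv=$2; ports=$3
    for port in $(printf '%s' "$ports" | tr ',' ' '); do
        # Rewrite the destination before routing, so FORWARD sees the private IP.
        $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" \
            -p tcp --dport "$port" -j DNAT --to-destination "$priv"
        # Only NEW connections reach PUBLISHED; accept just the published ports.
        $IPTABLES -A PUBLISHED -d "$priv" -p tcp --dport "$port" -j ACCEPT
    done
    # Connections the app box opens itself (outbound SMTP) leave with the
    # public address that belongs to that private address.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
}

build_rules() {
    # Default deny, plus a dedicated chain for inbound NEW connections.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N PUBLISHED 2>/dev/null || $IPTABLES -F PUBLISHED
    # Packets of known connections pass in both directions; INVALID never does.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate NEW -j PUBLISHED
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Anything PUBLISHED does not accept returns to FORWARD and meets the DROP policy.
    each_service publish_service
}

if [ "${1:-}" = "apply" ]; then
    add_public_addresses
    enable_forwarding
    build_rules
fi
```

Two details worth knowing when reading the rules: the nat table is consulted only for the first packet of a connection, and conntrack reverses the DNAT on the replies, so a client always gets its answers from the public address it connected to; the POSTROUTING SNAT rule therefore only affects connections the application box opens itself, such as outbound SMTP, and that is what ties each mail server's outgoing mail to its own public address and reverse DNS entry.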
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Aleksander
Sent: Monday, January 02, 2006 10:08 AM
To: lartc@mailman.ds9a.nl
Subject: Re: Fwd: [LARTC] Several IP's, one mail and http server
Edmundo Carmona wrote:
>There was a typo. It was DNAT, and not DAN
>
>---------- Forwarded message ----------
>From: Edmundo Carmona <eantoranz@gmail.com>
>Date: Jan 2, 2006 11:47 AM
>Subject: Re: [LARTC] Several IP's, one mail and http server
>To: lartc <LARTC@mailman.ds9a.nl>
>
>
>If I understand correctly, the server is not directly connected to the 
>internet, right?
>
>There are some boxes connected to the internet instead... am I right?
>  
>
One connection, several IP addrs with their own host names. One gateway
with these several external IPs. The gateway has one internal IP too, of
course. The gateway does SNAT for the internal LAN.

Clients connect to the gateway using different hostnames and therefore
different IP's.

They are connecting to a webserver, which is in the internal LAN. They
can connect thanks to DNAT (one DNAT for each IP to the same box in the
LAN).

When the server on the internal LAN answers the requests, its external
IP is assigned by the SNAT rule. If that external IP is not the same as
the one to which the client connected, the client will drop the server's
responses --- they come from a different IP than the one he connected to
in the first place.

The only way I see to make it work would be to have apache use IP based
virtual hosts. That requires virtual interfaces, correct?

By clients I mean random users all over the Internet who connect to
different IPs on the same gateway.

How other machines in the LAN connect to the webserver using valid
hostnames is another business, easily resolved with DNS zones.

Hope you can figure this out. Thanks for interest, I'll be back
tomorrow.

    Alex
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

In your letter dated 2 January 2006 (18:51:25) one can read:
GS> You want multiple IP Addresses for email if you are hosting more than
GS> one domain.  The reason is, everyone now checks for reverse DNS with
GS> email so you need a different public IP Address for each email domain.
GS> This way, all the reverse DNS translations will be unique.  

IMHO it is not true. Nowadays, it is required for a mail server to
have a valid reverse dns record. But it doesn't have to point back to
the same name. It would lead to very very poor IP space usage - eg. a
virtual hosting provider, which has 300 domains would need 300 IP's
even if all of them are hosted on 1 machine, and the number of domains can
be MUCH higher than all of the IPs.

mail.domainA.com - WW.XX.YY.ZZ
ZZ.YY.XX.WW.in-addr.arpa PTR -  host.domainB.com
host.domainB.com - WW.XX.YY.ZZ

for an example one of the biggest portals - yahoo:
dig yahoo.com MX -  mx1.mail.yahoo.com - 67.28.113.10, 67.28.113.11
dig 10.113.28.67.in-addr.arpa PTR -  mta-v4.level3.mail.yahoo.com.
dig mta-v4.level3.mail.yahoo.com. -  67.28.113.10
Citation from one of the mail server manuals:
         If you have a PTR record for your IP address, and the target
         of the PTR record has an A record pointing back to that same
         IP address, mail will not be rejected from your server due
         to an invalid PTR.
-- 
Regards,
 Robert Kurjata

>> IMHO it is not true. Nowadays, it is required for a mail server to have a valid
>> reverse dns record. But it doesn't have to point back to the same name. It would
>> lead to very very poor IP space usage - eg. virtual hosting provider, which has
>> 300 domains would need 300 IP's even if all of them are hosted on 1 machine,
>> and number of domains can be MUCH higher than all of the IPs.

I wish! I've run across places that seem to check that the reverse DNS
matches the forward DNS name. I've seen it with Comcast and I gotta
believe there are others doing it. It is a pain for me because I have to
consume a precious IP Address for each email domain I host here. It may
be possible that the big hosters know about each other and make special
arrangements with each other to which little ol' me is not privy. If
anyone out there has any connections with the Comcast DNS people, I'd
love to talk to you about this and other issues - but we're straying off
the original topic.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Robert Kurjata
Sent: Monday, January 02, 2006 4:02 PM
To: lartc@mailman.ds9a.nl
Subject: Re[2]: Fwd: [LARTC] Several IP's, one mail and http server

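
The two reverse-DNS policies in the exchange above, Robert's test (the PTR target has an A record pointing back to the address, whatever the name is) and the stricter variant Greg reports running into (the PTR name must also equal the name the sending host presents, for example its MX or HELO name), as an added example script that is not from either mail. It assumes dig(1) for live lookups; with DNS_BACKEND=table it uses constructed records in the TEST-NET-1 range (192.0.2.0/24), modelled on Robert's WW.XX.YY.ZZ sketch, so it can be run and tested offline. The names domainA/B/C and the file name fcrdns.sh are placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the thread: forward-confirmed reverse DNS check.
#   fcrdns_check IP             -> Robert's test: PTR(IP) -> name, A(name) contains IP
#   fcrdns_check IP EXPECTED    -> stricter: additionally the PTR name must equal EXPECTED
# Assumptions: dig(1) available for DNS_BACKEND=dig (the default);
# DNS_BACKEND=table uses the constructed records below (TEST-NET-1 addresses).
DNS_BACKEND="${DNS_BACKEND:-dig}"

# Constructed records, modelled on Robert's example:
#   mail.domainA.com A 192.0.2.10; PTR of 192.0.2.10 is host.domainB.com;
#   host.domainB.com A 192.0.2.10  (FCrDNS passes; strict match against
#   mail.domainA.com fails).
table_ptr() {
    case "$1" in
        192.0.2.10) echo "host.domainB.com" ;;
        192.0.2.11) echo "mail.domainC.com" ;;   # PTR exists, A does not point back
        *) return 1 ;;                            # e.g. 192.0.2.12: no PTR at all
    esac
}
table_a() {
    case "$1" in
        host.domainB.com|mail.domainA.com) echo "192.0.2.10" ;;
        mail.domainC.com) echo "192.0.2.99" ;;
        *) return 1 ;;
    esac
}

# lookup_ptr IP   -> PTR names, one per line, trailing dot stripped
lookup_ptr() {
    if [ "$DNS_BACKEND" = "table" ]; then table_ptr "$1"
    else dig +short -x "$1" | sed 's/\.$//'; fi
}
# lookup_a NAME   -> IPv4 addresses, one per line
lookup_a() {
    if [ "$DNS_BACKEND" = "table" ]; then table_a "$1"
    else dig +short "$1" A; fi
}

# Exit 0 and print the confirming PTR name when some PTR target resolves back
# to IP (and, when EXPECTED is given, that PTR name equals EXPECTED).
# Exit 1 with the reason on stderr otherwise; that is what a rejecting
# receiver sees.
fcrdns_check() {
    ip=$1; expected=${2:-}
    names=$(lookup_ptr "$ip" 2>/dev/null) || true
    if [ -z "$names" ]; then
        echo "$ip: no PTR record" >&2
        return 1
    fi
    for name in $names; do
        if [ -n "$expected" ] && [ "$name" != "$expected" ]; then
            continue            # strict mode: a differently named PTR does not count
        fi
        for addr in $(lookup_a "$name" 2>/dev/null || true); do
            if [ "$addr" = "$ip" ]; then
                echo "$name"
                return 0
            fi
        done
    done
    if [ -n "$expected" ]; then
        echo "$ip: no PTR equal to $expected resolves back (PTR: $names)" >&2
    else
        echo "$ip: PTR target(s) do not resolve back to $ip (PTR: $names)" >&2
    fi
    return 1
}

# Usage: [DNS_BACKEND=table] sh fcrdns.sh IP [EXPECTED_NAME]
if [ $# -gt 0 ]; then
    fcrdns_check "$@"
fi
```

On the constructed records, "fcrdns_check 192.0.2.10" passes although the PTR names host.domainB.com rather than mail.domainA.com, which is Robert's point; "fcrdns_check 192.0.2.10 mail.domainA.com" fails on the very same records, which is the behaviour Greg describes seeing. The difference between those two results is exactly why the second policy costs one public address per mail domain and the first does not.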

Greg Scott wrote:
> I wish! I've run across places that seem to check that the reverse DNS
> matches the forward DNS name. I've seen it with Comcast and I gotta
> believe there are others doing it. It is a pain for me because I have to
> consume a precious IP Address for each email domain I host here. It may
> be possible that the big hosters know about each other and make special
> arrangements with each other to which little ol' me is not privy. If
> anyone out there has any connections with the Comcast DNS people, I'd
> love to talk to you about this and other issues - but we're straying off
> the original topic.
>
> - Greg

My mailservers will have their own reverse. ATM they don't and work fine
too. It's not an issue. Sorry to hear you have to mess with that.

What you proposed is kind of the thing I had in mind. Instead of all the
forwarding rules I use "echo 1 > /proc/sys/net/ipv4/ip_forward". Is the
additional checking you propose worth it?

So the question, if I have to create virtual interfaces on the internal
box, should be answered "YES, that's the only way"? Have you had
experience setting up postfix to work on several interfaces? I have an
idea how to make apache work, quite familiar with virtual hosts, but not
postfix. It's not really a topic for this list though.

Thanks,
Alex

Note: I seem to be missing the first email of Greg, the one Robert
quoted. No idea why, there's even no spam filtering at my end. Found it
in the archives anyway.

> What you proposed is kind of the thing I had in mind. Instead of all the
> forwarding rules I use "echo 1 > /proc/sys/net/ipv4/ip_forward". Is the
> additional checking you propose worth it?

Even with the approach I proposed you still have to turn on ip_forward.
If you're going to use multiple IP Addresses, somebody has to listen on
all those addresses and the firewall is the right box to do it - that is
its job. So then you set up appropriate DNAT, SNAT, and FORWARDing rules
so the application servers only see traffic they are supposed to see.
There are probably other ways to do it, but this is the way I use and it
works well.

Re: Postfix - I spent lots of time inside this book: Postfix, Richard
Blum, Sams Publishing, 2001. I'll bet there's a newer edition out by now.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Aleksander
Sent: Tuesday, January 03, 2006 1:16 AM
To: lartc@mailman.ds9a.nl
Subject: Re: Fwd: [LARTC] Several IP's, one mail and http server