Hi,

I want to have several IP's for my connection and each IP will have its own hostname.

Now I want to serve a web server and mail server for each hostname/IP_addr pair on the same box in the internal LAN using one apache and one postfix daemon.

If I do one SNAT and several DNATs then only the hostname which I SNAT the server to would work.

Is the only way to do it correctly by assigning the internal server several IP's (virtual interfaces) and then make SNAT and DNATs for each interface/IP_addr individually?

ATM I've got one IP and several hostnames. Using DNAT and apache's name based virtual hosts things work. Planning on getting each hostname its own IP address, but continue to use the same http server for all the hosts, at least for now.

Configuring the mail server might be even trickier, don't know if Postfix supports listening on different interfaces and have a different hostname for each interface/IP. I know it's OK if Postfix tells SMTP clients that its hostname is A, although the clients connected to hostname B, but it's still ugly.

The gateway and server are linuxes (correct spelling?) of course. And the gateway stays, the server has to stay in the LAN. So would the virtual interface solution work and is it the only one?

Thanks in advance,
Alex
I don't know about the mail server, but apache supports virtual domains, and so the requests will be served differently depending on the request's domain, and not the IP of the host. A single IP should do the trick.

On 1/2/06, Aleksander <aleksander@krediidiinfo.ee> wrote:
> Hi,
>
> I want to have several IP's for my connection and each IP will have its
> own hostname.
>
> Now I want to serve a web server and mail server for each
> hostname/IP_addr pair on the same box in the internal LAN using one
> apache and one postfix daemon.
>
> If I do one SNAT and several DNATs then only the hostname which I SNAT
> the server to would work.
>
> Is the only way to do it correctly by assigning the internal server
> several IP's (virtual interfaces) and then make SNAT and DNATs for each
> interface/IP_addr individually?
>
> ATM I've got one IP and several hostnames. Using DNAT and apache's name
> based virtual hosts things work. Planning on getting each hostname its
> own IP address, but continue to use the same http server for all the
> hosts, at least for now.
>
> Configuring the mail server might be even trickier, don't know if
> Postfix supports listening on different interfaces and have a different
> hostname for each interface/IP. I know it's OK if Postfix tells SMTP
> clients that its hostname is A, although the clients connected to
> hostname B, but it's still ugly.
>
> The gateway and server are linuxes (correct spelling?) of course. And
> the gateway stays, the server has to stay in the LAN. So would the
> virtual interface solution work and is it the only one?
>
> Thanks in advance,
> Alex
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Edmundo Carmona wrote:
> I don't know about the mail server, but apache supports virtual
> domains, and so the requests will be served differently depending on
> the request's domain, and not the IP of the host. A single IP should
> do the trick.

Yes, that's the case when the hostnames have the same IP. But when they have different ones and apache tries to answer their request, the clients will deny it, as it comes from a different IP.

Some ascii 'art' might help:

192.168.0.10 has external IP a.b.c.d (iptables SNAT)

a.b.c.d:80 DNAT \
                  ---> 192.168.0.10:80
a.b.c.f:80 DNAT /

The request from the client arrives at apache and apache answers, no matter via which external IP it comes. But when the request comes via a.b.c.f, then the client will be expecting the answer from a.b.c.f, not a.b.c.d, where it will come from. Apache is assigned a.b.c.d and has no way of changing that; actually apache thinks it is sending from 192.168.0.10 anyway.

The only solution I see is having a (virtual) interface for each external IP. That so?
Can you SNAT (or masquerade) the requests before they are forwarded to the WEB SERVER? That would do the trick (but destroy the statistics :-( )

On 1/2/06, Aleksander <aleksander@krediidiinfo.ee> wrote:
> Edmundo Carmona wrote:
>
> > I don't know about the mail server, but apache supports virtual
> > domains, and so the requests will be served differently depending on
> > the request's domain, and not the IP of the host. A single IP should
> > do the trick.
>
> Yes, that's the case when the hostnames have the same IP. But when they
> have different ones and apache tries to answer their request, the
> clients will deny it, as it comes from a different IP.
>
> Some ascii 'art' might help:
>
> 192.168.0.10 has external IP a.b.c.d (iptables SNAT)
>
> a.b.c.d:80 DNAT \
>                   ---> 192.168.0.10:80
> a.b.c.f:80 DNAT /
>
> The request from the client arrives at apache and apache answers, no
> matter via which external IP it comes. But when the request comes via
> a.b.c.f, then the client will be expecting the answer from a.b.c.f, not
> a.b.c.d, where it will come from. Apache is assigned a.b.c.d and has no
> way of changing that; actually apache thinks it is sending from
> 192.168.0.10 anyway.
>
> The only solution I see is having a (virtual) interface for each
> external IP. That so?
Edmundo Carmona wrote:
> Can you SNAT (or masquerade) the requests before they are forwarded to
> the WEB SERVER? That would do the trick (but destroy the statistics
> :-( )

I can't really imagine doing an iptables SNAT (and delete!) for each connection which is DNAT'ed. And even if that would be possible, because there are several services running the SNATting would fall out of sync instantly. If that is what you propose.
If I understand correctly, the server is not directly connected to the internet, right?

There are some boxes connected to the internet instead... am I right?

If that's the case, in those boxes:

# your DNAT so requests are forwarded to the web server
iptables -t nat -A PREROUTING blah blah -j DNAT --to-destination webServersIP

# my SNAT so web requests will (sure as hell) come back this way.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source thisHostsIP

Did I nail it?

On 1/2/06, Aleksander <aleksander@krediidiinfo.ee> wrote:
> Edmundo Carmona wrote:
>
> > Can you SNAT (or masquerade) the requests before they are forwarded to
> > the WEB SERVER? That would do the trick (but destroy the statistics
> > :-( )
>
> I can't really imagine doing an iptables SNAT (and delete!) for each
> connection which is DNAT'ed. And even if that would be possible, because
> there are several services running the SNATting would fall out of
> sync instantly. If that is what you propose.
There was a typo. It was DNAT, and not DAN

---------- Forwarded message ----------
From: Edmundo Carmona <eantoranz@gmail.com>
Date: Jan 2, 2006 11:47 AM
Subject: Re: [LARTC] Several IP's, one mail and http server
To: lartc <LARTC@mailman.ds9a.nl>

If I understand correctly, the server is not directly connected to the internet, right?

There are some boxes connected to the internet instead... am I right?

If that's the case, in those boxes:

# your DNAT so requests are forwarded to the web server
iptables -t nat -A PREROUTING blah blah -j DNAT --to-destination webServersIP

# my SNAT so web requests will (sure as hell) come back this way.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source thisHostsIP

Did I nail it?
Edmundo Carmona wrote:
> There was a typo. It was DNAT, and not DAN
>
> ---------- Forwarded message ----------
> From: Edmundo Carmona <eantoranz@gmail.com>
> Date: Jan 2, 2006 11:47 AM
> Subject: Re: [LARTC] Several IP's, one mail and http server
> To: lartc <LARTC@mailman.ds9a.nl>
>
> If I understand correctly, the server is not directly connected to the
> internet, right?
>
> There are some boxes connected to the internet instead... am I right?

One connection, several IP addrs with their own host names. One gateway with these several external IPs. The gateway has one internal IP too, of course. The gateway does SNAT for the internal LAN.

Clients connect to the gateway using different hostnames and therefore different IP's. They are connecting to a webserver, which is in the internal LAN. They can connect thanks to DNAT (one DNAT for each IP to the same box in the LAN). When the server on the internal LAN answers the requests, its external IP is assigned by the SNAT rule. If that external IP is not the same as the one to which the client connected, the client will drop the server's responses: they come from a different IP than the one he connected to in the first place.

The only way I see to make it work would be to have apache use IP based virtual hosts. That requires virtual interfaces, correct?

By clients I mean random users all over the Internet who connect to different IPs on the same gateway. How other machines in the LAN connect to the webserver using valid hostnames is another business, easily resolved with DNS zones.

Hope you can figure this out. Thanks for interest, I'll be back tomorrow.

Alex
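The check a practitioner would run before adding virtual interfaces is the one the thread never states: Linux NAT is connection-tracked. The nat table is consulted only for the first packet of a connection, and conntrack undoes the stored mapping on every reply, so the reply to a request that arrived on a.b.c.f leaves the gateway with source a.b.c.f even though the LAN's outbound SNAT points at a.b.c.d. The same model shows what the extra "-p tcp --dport 80 -j SNAT" rule costs: the web server then logs the gateway's own address as the client, which is the "destroy the statistics" effect and also blinds abuse detection and forensics on the server side. The Python below is an added example, not code from the LARTC thread or any poster; a.b.c.d and a.b.c.f are written as 203.0.113.4 and 203.0.113.6, and the client 198.51.100.7 and the gateway LAN address 192.168.0.1 are constructed values.

```python
# Added example, not code from the LARTC thread or any of its posters. A toy
# model of netfilter NAT on the thread's gateway: the nat table is consulted
# only for a connection's first packet, and conntrack reverses the mapping on
# every reply. Addresses: a.b.c.d / a.b.c.f from the thread's ASCII art are
# written as 203.0.113.4 / 203.0.113.6 (constructed documentation-range
# values); the web server is 192.168.0.10 as in the thread; the client
# 198.51.100.7 and the gateway LAN address 192.168.0.1 are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply_tuple(self):
        """The 4-tuple a reply to this packet carries."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatGateway:
    """Gateway with one PREROUTING DNAT per public IP and POSTROUTING SNAT rules."""

    def __init__(self, dnat, lan_prefix, lan_snat_to, port80_snat_to=None):
        self.dnat = dnat                      # public IP -> internal IP (one DNAT per IP)
        self.lan_prefix = lan_prefix          # "192.168.0." stands in for -s 192.168.0.0/24
        self.lan_snat_to = lan_snat_to        # SNAT --to-source for LAN-originated traffic
        self.port80_snat_to = port80_snat_to  # the extra "-p tcp --dport 80 -j SNAT" rule
        self.conntrack = {}                   # original Packet -> translated Packet

    def forward(self, pkt):
        """Translate one packet crossing the gateway; return it as it leaves."""
        # Reply of a tracked connection: undo the stored mapping, skip the nat table.
        for original, translated in self.conntrack.items():
            if pkt == translated.reply_tuple():
                return original.reply_tuple()
        src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
        # PREROUTING: DNAT the public address to the internal server.
        if dst in self.dnat:
            dst = self.dnat[dst]
        # POSTROUTING: SNAT rules are evaluated in order, first match wins.
        if self.port80_snat_to is not None and dport == 80:
            src = self.port80_snat_to
        elif src.startswith(self.lan_prefix):
            src = self.lan_snat_to
        translated = Packet(src, sport, dst, dport)
        self.conntrack[pkt] = translated
        return translated


def web_request_via(external_ip, port80_snat_to=None):
    """A client hits one of the gateway's public IPs on port 80. Return what the
    web server sees as the client address and what the client sees as the
    source of the reply."""
    gw = NatGateway(
        dnat={"203.0.113.4": "192.168.0.10", "203.0.113.6": "192.168.0.10"},
        lan_prefix="192.168.0.",
        lan_snat_to="203.0.113.4",        # the single outbound SNAT from the thread
        port80_snat_to=port80_snat_to,
    )
    to_server = gw.forward(Packet("198.51.100.7", 40000, external_ip, 80))
    # The web server answers whatever source it saw, from its own 192.168.0.10:80.
    reply = gw.forward(Packet(to_server.dst, 80, to_server.src, to_server.sport))
    return {"server_sees_client": to_server.src,
            "client_sees_reply_from": reply.src}


if __name__ == "__main__":
    print("plain DNAT via a.b.c.f:", web_request_via("203.0.113.6"))
    print("with extra port-80 SNAT:", web_request_via("203.0.113.6", "192.168.0.1"))
```

Run it and compare the two dictionaries: with plain DNAT the server logs the real client and the client gets its reply from the address it connected to, which is why name-based virtual hosts on a single internal IP keep working when more public IPs are added; the extra SNAT only changes what the server logs.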