multi domains, single IP

Discussion in 'Linux Networking' started by buck, Mar 15, 2012.

  1. buck

    buck Guest

    I know it is possible to do this on a single computer. What I need to
    know is if it is possible to have each domain be specific to its own
    computer, and how to accomplish that.

    There is only one WAN IP address available.

    The setup is that one (Slackware) box's eth1 is connected to the ISP
    (WAN) while its eth0 is connected to a switch (LAN, with 192.168 IPs).
    Obviously, only one WAN connection is possible. At this time, there
    are 3 domains using that IP.

    I tried to use iptables' "string" match in the nat table to redirect
    incoming packets to the LAN IP of the computer indicated by the domain
    name. "-m string --string DOMAIN.NAME -j DNAT" in PREROUTING doesn't
    work; the domain string is not matched.

    The only required services for each of these domains are ftp and http.
    More specifically, domain A needs to provide ftp and http, domain B
    needs ftp, http, rsync & ssh; domain C needs those and more.

    Am I doomed to having these services all be on the Slackware box?
     
    buck, Mar 15, 2012
    #1

  2. Hello,

    buck wrote:
    What do you mean?
    Do you mean 3 domain names with DNS address resource records pointing
    to that address?
    That cannot work. The nat chains, where you can use the DNAT target, see
    only the first packet (SYN) of a connection, which does not contain any
    data. The target host name is contained in a subsequent packet, but then
    it is too late, the NAT mapping cannot be changed.
    For HTTP 1.1, you need a reverse proxy. For other protocols such as FTP,
    the only "solution" is to use a different address or port with each
    domain name: unlike HTTP, these protocols do not advertise the target
    host name in the payload.
    The problem would be the same on a single box.
     
    Pascal Hambourg, Mar 15, 2012
    #2

  3. buck

    buck Guest

    It is not possible to connect more than one computer to the WAN.
    Conflicts occur otherwise; the OS complains that more than one
    computer has the same IP.
    No, it isn't. I can set up Apache for any number of domains. Same
    with the ftp server. SSH can be run on different ports so there can
    be 3 running instances...
     
    buck, Mar 15, 2012
    #3
  4. buck wrote:
    Yes, it is.
    You can also set a reverse HTTP proxy for any number of domains,
    forwarding each domain to a server on a different machine.
    No, FTP servers do not have domains. Unlike HTTP, you cannot connect to
    an FTP server and ask for a specific domain. You cannot run several
    servers listening on the same port and address either.
    You can also forward three different ports to three different SSH servers.

    As I wrote, the problem is the same.
     
    Pascal Hambourg, Mar 15, 2012
    #4
  5. Chris Davies

    Chris Davies Guest

    1. You can use apache on your slackware box to proxy HTTP (tcp/80)
    requests targeted at different domains but the same IP address to
    different appropriate web servers. Look up virtual hosts and the
    NameVirtualHost directive.

    1b. You cannot run two or more domains requiring HTTPS on the same
    external IP address.

    2. You cannot have two different FTP servers on the same single external
    IP address.

    3. You cannot have two different Rsync servers on the same single
    IP address.

    4. You cannot have two different SSH servers on the same single IP
    address.

    Actually, you can do 1b, 2, 3, and 4 if you are prepared to sacrifice use
    of the standard service ports (e.g. you run SSH on port 22 for server X,
    and on port 10022 for server Y, and on port 20022 for server Z). But
    that may not be acceptable.

    Hope this helps,
    Chris
     
    Chris Davies, Mar 15, 2012
    #5
  6. Chris Davies wrote:
    Actually this is possible with a certificate which covers multiple
    names, or if both the client and the server support the SNI (Server Name
    Indication) TLS/SSL extension.
    See <http://en.wikipedia.org/wiki/Server_Name_Indication>
     
    Pascal Hambourg, Mar 15, 2012
    #6
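Pascal's two points above, that the nat table only ever sees the SYN (which carries no data) and that name-based HTTPS on one address works through SNI, can be made concrete. The following is an added example, not code from the thread: it models a TCP exchange as the segments the router sees, shows that a string match on the first segment has nothing to match, and then pulls the host name out of the two places an application-layer proxy reads it, the HTTP/1.1 Host header and the TLS server_name extension of a ClientHello. The domain names, LAN addresses and packet contents are constructed for the example.

```python
"""Where the target host name lives in a TCP connection, and why NAT cannot see it.

Added example, not code from the thread. Segments, names and LAN addresses
below are constructed. The nat PREROUTING chain consults only segments[0],
the SYN; the name only appears later, in the Host header or the TLS SNI.
"""
import struct

# Assumed name -> LAN backend mapping (constructed for the example).
BACKENDS = {
    b"a.example": "192.168.223.10",
    b"b.example": "192.168.223.127",
    b"c.example": "192.168.223.30",
}

# A constructed TCP exchange as (flags, payload). Only the first segment is
# consulted by the nat table when the connection's NAT mapping is created.
HANDSHAKE = [
    ("SYN", b""),
    ("SYN-ACK", b""),
    ("ACK", b""),
    ("PSH-ACK", b"GET / HTTP/1.1\r\nHost: b.example\r\nConnection: close\r\n\r\n"),
]


def nat_decision(segments):
    """Backend a string match in nat/PREROUTING could pick: it sees segments[0] only."""
    _flags, payload = segments[0]
    for name, backend in BACKENDS.items():
        if name in payload:
            return backend
    return None        # the SYN has no payload, so the match always fails


def http_host(payload):
    """Host header of an HTTP/1.1 request payload, or None if not a complete request."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().split(b":")[0]   # drop an explicit port
    return None


def tls_sni(record):
    """server_name from a TLS ClientHello record (RFC 5246 layout, RFC 6066 ext), or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        p = 2 + 32                                        # client_version, random
        p += 1 + body[p]                                  # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher_suites
        p += 1 + body[p]                                  # compression_methods
        if p >= len(body):
            return None                                   # no extensions at all
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if etype == 0:                                # server_name extension
                q = p + 2                                 # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = body[q]
                    nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                        # host_name
                        return body[q:q + nlen]
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None
    return None


def client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)             # version, random (zeros: constructed)
            + b"\x00"                            # empty session_id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def proxy_backend(payload):
    """What a layer-7 proxy can do and NAT cannot: choose the backend from the payload."""
    name = tls_sni(payload) or http_host(payload)
    return BACKENDS.get(name)


def first_segment_naming_backend(segments):
    """Index of the first segment whose payload names a backend, or None."""
    for i, (_flags, payload) in enumerate(segments):
        if proxy_backend(payload) is not None:
            return i
    return None
```

Run against the constructed exchange, `nat_decision` returns nothing and `first_segment_naming_backend` returns 3: the name is only present in the fourth segment, after the NAT mapping was fixed at the SYN. A reverse proxy or an SNI-aware TLS front end terminates (or peeks at) the connection on the router and only then opens its own connection to the chosen LAN host, which is why it can do what DNAT cannot.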
  7. Tauno Voipio

    Tauno Voipio Guest


    Also, FTP is a PITA for any address translation, as it uses two ports,
    and the NAT box has to know that both need to be translated. It is
    pretty sure that FTP on a non-standard port does not pass NAT handling.
     
    Tauno Voipio, Mar 16, 2012
    #7
  8. Chris Davies

    Chris Davies Guest

    Agreed in principle, but I've had nothing but problems in the real world
    with this kind of scenario.

    Chris
     
    Chris Davies, Mar 16, 2012
    #8
  9. buck

    buck Guest

    Perhaps you should check out ncftp, because it certainly can and does
    handle multiple domains. Right now it is serving domains A and C.
     
    buck, Mar 16, 2012
    #9
  10. buck

    buck Guest

    Regardless, the answer to my question is an emphatic NO, for the reason
    Pascal gave in the first reply to this thread. By the time when the
    domain is known, it is too late to NAT it.
     
    buck, Mar 16, 2012
    #10
  11. Chris Davies

    Chris Davies Guest

    This from the NcFTP FAQ (http://www.ncftp.com/ncftpd/doc/faq/func.html):

    Is it possible to have 2 virtual hosts with only one IP address?

    No. This is due to a limitation of the FTP protocol. [...]

    So I have to assume that your domains A and C are on separate IP
    addresses, which seems to be outside the scope of your original
    question (you mentioned wanting to run multiple services from a single
    WAN IP address).

    Chris
     
    Chris Davies, Mar 16, 2012
    #11
  12. unruh

    unruh Guest

    Or you could have your two servers running on two different ports. Then
    you use the "open" command in ftp to go to the two different ports on
    the same IP address.
    On ncftp you can specify the port directly with the -P option.
    One address, two ftp servers on two ports.
     
    unruh, Mar 16, 2012
    #12
  13. Chris Davies

    Chris Davies Guest

    Which is what I suggested about two comments up the thread.
    Chris
     
    Chris Davies, Mar 17, 2012
    #13
  14. buck

    buck Guest

    Chris,
    Please ftp chsoft.biz (domain B) from a command prompt. Login as ftp;
    I use PW "[email protected]", so it'd be nice if you'd use some other short
    password... The login timeout is set very short (30 seconds), so
    don't dick around. Idle timeout is 300.

    'ls' should show you a "zip" directory, among others.

    'cd pub' followed by 'ls' should show a "vamsql_fund_data" directory,
    among others.

    If you feel generous, please post a screen shot or 2, which will help
    me test this from outside. I haven't done that yet.

    Here's the deal. Domain C has a WAN IP but domain B has IP
    192.168.223.127. Note that this is exactly what I wanted to
    accomplish for http, rsync and ssh, but (if it works for you), ftp is
    the only service that is actually "on" a separate computer. Also note
    that ncftpd is bound to the WAN IP, but by setting domain.cf to use
    the LAN IP of domain B (~.127), the files on that computer are made
    available.
     
    buck, Mar 17, 2012
    #14
  15. Chris Davies

    Chris Davies Guest

    Right. So different FTP services are bound to different IP addresses on
    the same server. This is not what I understood from your original posting.

    You cannot have two (or more) different FTP "domains" bound to the same
    port/IP address combination on the same server. However, if any one of
    those three items is different you can run distinct servers (or
    services). The same is true for any service.

    Chris
     
    Chris Davies, Mar 18, 2012
    #15
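Chris's closing rule (same address and same port means one server; change either and you can run another) together with Tauno's warning about FTP through NAT describes the port-per-backend scheme for the services that carry no host name. The following is an added example, not code from the thread, that writes out the iptables rule set for it on the Slackware router: one DNAT in nat/PREROUTING per external port, the matching FORWARD accept, MASQUERADE for the replies, and the FTP connection-tracking helper loaded with every control port in use, since by default it only follows port 21. The interface names, LAN addresses and port numbers are assumptions.

```python
"""Port-per-backend forwarding for the services that carry no host name.

Added example, not from the thread. Interfaces, LAN addresses and port
numbers are assumptions; the emitted lines are plain iptables/modprobe
commands to be run as root on the router.
"""
WAN_IF = "eth1"   # assumed: ISP side
LAN_IF = "eth0"   # assumed: switch with the 192.168 hosts

# (external port, service, LAN host, internal port); assumed layout where
# domain A keeps the standard ports and B and C are offset by 10000/20000.
FORWARDS = [
    (21,    "ftp",   "192.168.223.10",  21),
    (22,    "ssh",   "192.168.223.10",  22),
    (2121,  "ftp",   "192.168.223.127", 21),
    (10022, "ssh",   "192.168.223.127", 22),
    (10873, "rsync", "192.168.223.127", 873),
    (2221,  "ftp",   "192.168.223.30",  21),
    (20022, "ssh",   "192.168.223.30",  22),
    (20873, "rsync", "192.168.223.30",  873),
]


def check_forwards(forwards):
    """Reject two services on one external port: one address + one port = one server."""
    seen = {}
    for ext_port, service, host, _port in forwards:
        if ext_port in seen:
            raise ValueError(f"port {ext_port} already forwards to {seen[ext_port]}, "
                             f"cannot also serve {service} on {host}")
        seen[ext_port] = f"{service} on {host}"
    return seen


def ftp_helper_commands(forwards):
    """modprobe lines so the FTP helper follows PORT/PASV on every control port used.

    nf_conntrack_ftp only watches port 21 unless given ports=...; nf_nat_ftp then
    rewrites the addresses inside the FTP commands for the DNATed backends.
    """
    ports = sorted({ext for ext, service, _h, _p in forwards if service == "ftp"})
    if not ports:
        return []
    return [
        "modprobe nf_conntrack_ftp ports=" + ",".join(str(p) for p in ports),
        "modprobe nf_nat_ftp",
    ]


def iptables_rules(forwards):
    """Full command list: helpers, forwarding sysctl, MASQUERADE, then one DNAT and
    one FORWARD accept per external port."""
    check_forwards(forwards)
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -j MASQUERADE",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ext_port, service, host, int_port in forwards:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {WAN_IF} -p tcp --dport {ext_port} "
            f"-j DNAT --to-destination {host}:{int_port}   # {service}")
        rules.append(
            f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -p tcp -d {host} "
            f"--dport {int_port} -m conntrack --ctstate NEW -j ACCEPT")
    return ftp_helper_commands(forwards) + rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(FORWARDS)))
```

The FTP data connections then arrive as RELATED and pass the first FORWARD rule, which is what makes FTP on 2121 and 2221 survive the translation; without the ports= argument the helper never sees those control channels and passive transfers hang. Clients reach the offset services with `ftp -P 2121`, `ssh -p 10022` or `rsync --port=10873`, which is the trade-off Chris mentions: it works, but only by giving up the standard port for all but one backend.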
