topic Re: 2 IPs and binding services to one in Operating System - Linux

2 IPs and binding services to one

Jano_1 — Thu, 01 Apr 2004 09:01:29 GMT

Hello,

I have two IPs configured on one physical interface. I want to bind specific services to a specific IP address, eg.
-SENDMAIL, NAMED, APACHE must use 10.10.10.4/24
-SQUID must use 10.10.10.8/24

I have a PPP link to one service provider where my domain is registered, and an ADSL link to another provider that is only used for surfing.
The problem is that NAMED and SENDMAIL are sending packets with source address 10.10.10.8 and not 10.10.10.4.

How do I configure these services to use 10.10.10.4?

Regards,
Jano

Re: 2 IPs and binding services to one

Alexander Chuzhoy — Thu, 01 Apr 2004 09:25:24 GMT

You can add a route rule to send traffice to a certain net/host via some interface (eth0/eth1 etc)

Re: 2 IPs and binding services to one

Jano_1 — Thu, 01 Apr 2004 09:28:37 GMT

Hi,
I would prefer to change the configuration files than to add routes.
Jano

Re: 2 IPs and binding services to one

Alexander Chuzhoy — Thu, 01 Apr 2004 09:47:56 GMT

Configuration files include definition to Listen on cpecific IP. To send by protocol from specific Ip you can define rules in iptables.

Re: 2 IPs and binding services to one

Peeyush — Thu, 01 Apr 2004 10:47:32 GMT

Jano,

- in squid.conf
http_port 10.10.10.8:8080
where 8080 is port

- in httpd.conf
Listen 10.10.10.4:80
#remember to use

- in sendmail.cf
# SMTP daemon options
O DaemonPortOptions=Port=smtp,Addr=10.10.10.4, Name=MTA

Iam 100% sure about squid and apache but u have to try it for sendmail....

Alternative
- block port of their service on ip which u dont need..

Regards,
Peeyush
http://geocities.com/peeyush_maurya/

Re: 2 IPs and binding services to one

Alexander Chuzhoy — Thu, 01 Apr 2004 10:54:14 GMT

All these (including sendmail) are correct if you want to configure the service to listen on address but not to use one as permanent source

Re: 2 IPs and binding services to one

Jano_1 — Thu, 01 Apr 2004 11:15:40 GMT

Hi All,

I did change my sendmail file to include the DaemonOptions as described by Peeyush. It does look as though my server is not sending anymore with source 10.10.10.8 but with 10.10.10.4. I'm using ethereal on the server in question to verify this and so far it looks ok.

Now it is on to NAMED. Maybe SQUID, APACHE and SENDMAIL are highly configurable, but I don't know if NAMED supports this type of configuration. If not I will have no other option but to install, enable and configure IPTABLES.

Alexander, can you maybe give me an example of how to do this for UDP and TCP port 53?

Jano

Re: 2 IPs and binding services to one

Alexander Chuzhoy — Thu, 01 Apr 2004 11:36:53 GMT

If the Listen configuration works for those services then you can also try it with DNS.

inside /etc/named.conf under option add a line
listen-on port 53 {x.x.x.x;};

Re: 2 IPs and binding services to one

Jano_1 — Thu, 01 Apr 2004 12:20:29 GMT

Alexander it doesn't work with NAMED.

A quick question on the sideline. My named.conf is configured to "allow-transfer" to secondary DNS servers of my service provider, let's say 1.1.1.1 and 1.1.1.2. When I restart NAMED I see that NAMED does the transfer to 1.1.1.1 and I receive a positive response from 1.1.1.1.

But then I see it also tries to do a transfer to the two DNS servers configured in my resolv.conf file. This is strange behaviour and doesn't make sense. Can I stop this transfer to the servers in resolv.conf?

Jano

Re: 2 IPs and binding services to one

Alexander Chuzhoy — Thu, 01 Apr 2004 12:34:59 GMT

The transfer is allowed only to the addresses specified in allow-transfer {x.x.x.x;};

You said that you check the traffic with ethereal.
be sure that the traffic sent to the second (not specified under allow-transfer) host is
tcp.
The transfer goes with tcp protocol.
But queries are done with UDP protocol.
Both use the port 53.

Re: 2 IPs and binding services to one

Stuart Browne — Thu, 01 Apr 2004 23:01:33 GMT

Basically what you're saying is you want your mail, dns, and http traffic to go in/out one interface (the ppp), and everybody's local surfing to go out the other (the adsl), yes?

This is where life starts getting fun.. ..

The tools to help you are provided with every modern Linux distribution:

ip
iptables

These two tools allow you to do some seriously powerful things!

We do a similar thing here incidentally.. Anyway, some nasty stuff.

(NOTE: The Advanced Routing Howto is your friend here. Never leave home without it! (so to speak)).

Basically what you need to do is create multiple routing tables, with filtered routing for given streams of traffic.

You want things which originate from the box with a given destination (port) to be sourced on a given IP, and thus routed out the appropriate interafce.

This is called "Source Routing".

In the details you've given us, you've given two IP's on the same subnet. That makes life extremely difficult. Did you mask these addresses out ? If so, please confirm that the two interfaces are actually on different subnets, and have different paths out of your system.

Post back, and I'll give some details on how to do what you're after.

Re: 2 IPs and binding services to one

Jano_1 — Fri, 02 Apr 2004 08:02:53 GMT

Hi Stuart,

What you described is accurate in what I want to do. However the bad news may be that my server has two IPs on the same subnet.

Yesterday I made some small configuration changes to my SENDMAIL and NAMED, i.e. for them to listen on the 10.10.10.4 address. I have been sniffing with ethereal and so far it looks as though the change was successful.

As noted earlier I prefer not to follow the IPTABLES path. I have a router and would like it to do the policy based routing based on the source IP addresses.

Regards,
Jano

Re: 2 IPs and binding services to one

Peeyush — Fri, 02 Apr 2004 15:52:32 GMT

Can named(8) bind(2) to a particular IP address?
http://www.acmebw.com/askmrdns/archive.php?category=83&question=50

http://www.freebsd.org/cgi/man.cgi?query=named.conf&sektion=5

Go to the following :

THE OPTIONS STATEMENT
[ listen-on [ port ip_port ] { address_match_list }; ]
---------
blackhole
Specifies a list of addresses that the server will not accept queries
from or use to resolve a query. Queries from these addresses will
not be responded to.
Interfaces
The interfaces and ports that the server will answer queries from may be
specified using the listen-on option. listen-on takes an optional port,
and an address match list. The server will listen on all interfaces
allowed by the address match list. If a port is not specified, port 53
will be used.

Multiple listen-on statements are allowed. For example,

listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };

will enable the nameserver on port 53 for the IP address 5.6.7.8, and on
port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.

If no listen-on is specified, the server will listen on port 53 on all
interfaces.
--------------------
Hope it helps

Regards,
Peeyush
http://geocities.com/peeyush_maurya/

Re: 2 IPs and binding services to one

Mark Travis — Fri, 02 Apr 2004 18:34:41 GMT

AFAIK you can't tell sendmail how to source IPs. So if sendmail happens to be sending through the IP that you want it to then congratulations.

There's only one mail package I know of that does this and that's Imail from IPSwitch.

On a somewhat related note sort of, if anybody knows of a way to force sendmail (or any other free MTA) to bind outgoing message based on domain to a particular source IP then please let me know!

Re: 2 IPs and binding services to one

U.SivaKumar_2 — Tue, 06 Apr 2004 06:13:51 GMT

Hi,

edit named.conf and in options section.

listen-on { 10.10.10.4; };
query-source address 10.10.10.4 port 53;

restart named.

regards,

U.SivaKumar.