Myatu
02-09-2009, 14:27
Originally Posted by Nuend0
If you would like to keep your virtual server (Windows, etc) on its own private IP address, you do this as follows:
You first need to setup the failover IP address on the host node (Proxmox). It's explained at http://help.ovh.co.uk/IpAlias but I'll repeat the relevant things here...
Once you have opened up the file /etc/network/interfaces in your editor, you will quickly notice how the network settings are in "sections", i.e.:
Code:
auto eth0
iface eth0 inet static
    address 91.11.22.33
    ... and more ...
Code:
auto eth0:0
iface eth0:0 inet static
Code:
auto eth0:1
iface eth0:1 inet static
Code:
addressnetmask 255.255.255.255
Here's what the completed "section" looks like:
Code:
auto eth0:0
iface eth0:0 inet static
    address 91.11.22.44
    netmask 255.255.255.255
Code:
/etc/init.d/networking restart
Going back to the guide, refer to the "Incoming Internet Traffic" section. Let's say your Windows virtual server was assigned the private IP 10.0.0.1 and it runs a web server on port 80, and the failover IP to be used is 91.11.22.44 (as in the above example).
You need to add this to the firewall/router rules. To do this, edit "/etc/shorewall/rules" and add the following line *before* the comment "# LAST LINE -- DO NOT REMOVE":
Code:
DNAT net dmz:10.0.0.1 tcp 80 - 91.11.22.44
Code:
shorewall restart
Now, Windows needs to be configured to actually use this private IP address of 10.0.0.1. If it picks up an IP and/or gateway automatically, then DHCP might have been enabled somewhere. The guide does work with DHCP (I'm using that) but explaining that takes a leap of faith if you're not familiar with Linux. So let's stick to basics:
Refer to the "Microsoft Windows" section in the guide. It already gives you pointers on what needs to be changed. In effect, your main "Local Area Connection" needs to be manually assigned the IP address of 10.0.0.1 (for this example), the gateway needs to be 10.254.254.254 (if following the guide to the letter) and the subnet mask needs to be 255.0.0.0. For the DNS servers, you can specify any you'd like, i.e., the OpenDNS servers, your own or those of OVH.
The only thing left standing at this point is to allow Windows to talk outward - so far we've only set it up for incoming traffic to port 80 in this example.
Because 10.x.x.x doesn't mean anything to the outside world (it really is a private IP address), Shorewall and Linux need to do a lot of magic tricks. Lucky for you, it only involves adding one line to the file "/etc/shorewall/masq":
Code:
eth0 10.0.0.0/8
Code:
shorewall restart
Now what if you don't want to give it a private IP address? You say "I just want to use a failover IP address directly in Windows, clear and simple!"
In this case, skip the part of adding the failover IP address to the host node (Proxmox). For example, if you previously added a "section" like ...
Code:
auto eth0:0
iface eth0:0 inet static
    address 91.11.22.44
    netmask 255.255.255.255
Now scroll up a bit where I explained about assigning it the IP 10.0.0.1 in Windows. Instead, you use the IP address of 94.11.22.44 (or whatever your *real* failover IP is), as the subnet you use 255.255.255.255 and as the gateway you use the same assigned by OVH.
Outgoing traffic is taken care of automatically, so you can skip the part of editing "/etc/shorewall/masq" (it doesn't need it -- although any other virtual servers you have configured might (!!!) ).
As for incoming traffic, the firewall still applies the rules (and so, it will not let anything in by default). The rules are also a bit different; notice how "DNAT" was used earlier in this example. You need to use "ACCEPT" instead. Here's that same rule for a virtual server with a failover IP directly assigned:
Code:
ACCEPT net dmz:91.11.22.44 tcp 80
See, like a walk in the park! J/k - if you need some more help, feel free to contact me...
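Added example, not part of the original post: a small audit helper that lists which services a Shorewall rules file exposes from the `net` zone, covering both the DNAT (private IP) and ACCEPT (direct failover IP) forms shown above. The function names `audit_rules` and `sample_rules` are hypothetical, the standard Shorewall column order (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) is assumed, and the third sample rule is constructed to show a DNAT rule that is not pinned to one failover IP.

```shell
#!/bin/sh
# Added example: report inbound exposure defined in a Shorewall rules file.
# Assumed column order: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

audit_rules() {
    # $1 = path to a rules file; reads stdin when no path is given
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        {
            src = $2; sub(/:.*/, "", src)        # "net:1.2.3.4" -> "net"
            if (src != "net") next               # only internet-sourced rules
        }
        $1 == "DNAT" || $1 == "ACCEPT" {
            split($3, d, ":")                    # DEST is zone:host[:port]
            target = (d[2] != "") ? d[2] : "(whole zone)"
            proto  = ($4 != "") ? $4 : "all"
            port   = ($5 != "" && $5 != "-") ? $5 : "all"
            if ($1 == "DNAT")
                # no ORIGDEST: the forward is not restricted to one public IP
                pub = ($7 != "" && $7 != "-") ? $7 : "ANY-HOST-IP"
            else
                pub = target                     # failover IP lives on the guest
            printf "%s %s/%s public=%s internal=%s\n", $1, proto, port, pub, target
        }
    ' "${1:--}"
}

# Constructed sample: the two rules from the post plus one unpinned DNAT rule.
sample_rules() {
    cat <<'EOF'
DNAT    net  dmz:10.0.0.1     tcp  80   -  91.11.22.44
ACCEPT  net  dmz:91.11.22.44  tcp  80
DNAT    net  dmz:10.0.0.2     tcp  443
# LAST LINE -- DO NOT REMOVE
EOF
}

sample_rules | audit_rules
```

Run it as `audit_rules /etc/shorewall/rules` before each `shorewall restart` and review any line showing `public=ANY-HOST-IP`.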