From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 11 Mar 2004 - 14:36:17 GMT
On Thu, Mar 11, 2004 at 08:41:09AM -0500, Chris Besignano wrote:
> I need to run a few different websites on my box using vservers. What
> method does everyone use to route the traffic from eth1 (external
> interface, real ip) to the vservers bound to eth0 (internal ip,
> 192.168.x.x network)?
there is no way to _route_ traffic from eth1 to an
ip bound to eth0, what you want is to nat the
incoming connections to yield valid for the local
ips, for example:

  iptables -t nat -A PREROUTING --dst <ext-ip> -p tcp --dport 80 \
    -j DNAT --to 192.168.0.1

keep in mind, that you cannot access different web
servers (running on different hosts/vservers) through
one external ip/port unless you use a smart proxy,
which knows how to read and forward the HTTP requests.

if you want to reach the internet from a local ip
range, then you do similar on outgoing traffic:

  iptables -t nat -A POSTROUTING --src 192.168.0.1 \
    -j SNAT --to <ext-ip>
> Darryl Ross wrote:
> >Dariush Pietrzak wrote:
> >>>services in the host to ONLY bind the host's IP address, instead of all
that is what the v_* sysv scripts are for
(limiting _host_ services to just some ips)
> >> Not true.
> >>The whole point of vservers networking is that you can give some ip
> >>to the whole server, and then when services inside bind to '0.0.0.0'
> >>they get only what was allocated for given vserver.
> >> If what you say was true, there wouldn't be much difference between
> >>vserver setup and chrooted services.
> >Did you read what he said??
> >As per your quote above, emphasis is mine:
> >> services in the __host__ to ONLY bind the __host's__ IP address
> >which is exactly what you want to do. If you need to run a service in
> >the host, as well as inside the vservers (eg, ssh), you need to tell
> >the host sshd to only bind to the main IP, not the IP addresses of all
> >the vservers.
Vserver mailing list
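
An added example, not part of the original post or of the vserver tools: a small script that turns a mapping of external ip/port to vserver ip into the DNAT and SNAT rules shown above, and flags any second vserver claiming an ip/port that is already forwarded (the case that needs a proxy). The mapping, the function names and the documentation address 203.0.113.10 standing in for <ext-ip> are assumptions; the script only prints rules and applies nothing.

```shell
#!/bin/sh
# Constructed sample mapping: <external ip> <tcp port> <vserver ip>
# 203.0.113.10 is a documentation address used in place of <ext-ip>.
MAP='203.0.113.10 80 192.168.0.1
203.0.113.10 443 192.168.0.1
203.0.113.10 80 192.168.0.2
203.0.113.10 25 192.168.0.3'

# Print one DNAT rule per external ip/port pair. A later line that claims a
# pair already forwarded cannot be served by DNAT as well, so it is printed
# as a comment instead of a rule.
gen_dnat() {
    printf '%s\n' "$1" | awk '
        NF != 3 { next }                      # skip malformed lines
        {
            key = $1 ":" $2
            if (key in seen) {
                printf "# CONFLICT %s already goes to %s; %s needs a proxy\n", key, seen[key], $3
                next
            }
            seen[key] = $3
            printf "iptables -t nat -A PREROUTING --dst %s -p tcp --dport %s -j DNAT --to %s\n", $1, $2, $3
        }'
}

# Print one SNAT rule per distinct vserver ip, for its outgoing traffic.
gen_snat() {
    printf '%s\n' "$1" | awk '
        NF == 3 && !($3 in natted) {
            natted[$3] = 1
            printf "iptables -t nat -A POSTROUTING --src %s -j SNAT --to %s\n", $3, $1
        }'
}

# Number of mapping lines that collide with an earlier ip/port pair.
count_conflicts() {
    gen_dnat "$1" | grep -c '^# CONFLICT'
}

# Show the generated rules for review.
gen_dnat "$MAP"
gen_snat "$MAP"
```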