Internet Side:                               Local Network Side:
--------------                               -------------------
Virtually hosting two domains:               Virtually hosting the servers for the two
  cmex.org                                   virtually hosted domains: www, ftp, mail,
  novatek.co.nz                              cvs, news (all virtual hosting off henry)
                                             192.168.0.0 (local-net)

gateway
  Internet side, Ethernet eth0:
    First IP address:   IP 1: 24.113.94.87    Mask: 255.255.254.0   Ethernet eth0
                        Names: ns1, mail, ftp, www, news   Domain: novatek.co.nz
    Second IP address:  IP 2: 24.113.98.164   Mask: 255.255.254.0   Ethernet eth0:0 (alias)
                        Names: mail, ftp, www, cvs         Domain: cmex.org
    Name servers: ns1.novatek.co.nz, ns1.granitecanyon.com
  Local side, Ethernet eth1:
    Name: gateway       Domain: novatek.co.nz
    IP: 192.168.0.254   Mask: 255.255.255.0
    Gateway: 24.113.94.1
    Name servers: henry

henry
  Name: henry           Domain: novatek.co.nz
  IP: 192.168.0.3       Mask: 255.255.255.0   Ethernet eth0
  Gateway: 192.168.0.254

  Virtual hosts on henry (IP aliases on eth0):
    Virtual Host 1.  Name: www.novatek.co.nz    IP: 192.168.0.200   Ethernet eth0:0
    Virtual Host 2.  Name: ftp.novatek.co.nz    IP: 192.168.0.201   Ethernet eth0:1
    Virtual Host 3.  Name: www.cmex.org         IP: 192.168.0.202   Ethernet eth0:2
    Virtual Host 4.  Name: ftp.cmex.org         IP: 192.168.0.203   Ethernet eth0:3
    Virtual Host 5.  Name: mail.novatek.co.nz   IP: 192.168.0.204   Ethernet eth0:4
    Virtual Host 6.  Name: mail.cmex.org        IP: 192.168.0.205   Ethernet eth0:5
    Virtual Host 7.  Name: cvs.cmex.org         IP: 192.168.0.206   Ethernet eth0:6
    Virtual Host 8.  Name: news.novatek.co.nz   IP: 192.168.0.207   Ethernet eth0:7

Other local hosts (placeholders in the original diagram): aaaaa ... zzzzz

NOTES:
- Gateway is the firewall and IP masquerading gateway to the local network.
- Gateway provides the master nameserving functions for the novatek.co.nz and cmex.org domain names. The root domain servers for .co.nz and .org point to 24.113.94.87. On the other hand, because all the servers are behind the firewall on the local network (with the assistance of port forwarding from "gateway's" ip_masq function), local hosts need to point directly at the appropriate servers. For this reason, "gateway" does not use its own nameserver but is instructed to use the nameserver on "henry", the local network nameserver. All the other local hosts either use "henry's" nameserver directly, or have their own caching nameserver with forwarding pointing to henry.
- "henry's" nameserver shadows the local server IP addresses in the local network. This shadowing is not visible from the internet. The reason this is necessary is that ip_masq does not permit port forwarding through its external interface for packets arriving on the internal interface. If ip_masq permitted this, we could have the single nameserver on "gateway": all internal traffic to the appropriate firewalled servers could be directed to the external interface (internally in the kernel) before being port forwarded to the appropriate server's local network address. If this were possible, it would also mean that all the internal host IP addresses would be published on the internet, which may or may not be desirable. In my case, not desirable.
- With this nameserving configuration:
  - All external (internet) nameserving queries are configured to look at "gateway's" nameserver (24.113.94.87). These queries return the appropriate external IP address (24.113.94.87 or 24.113.98.164), depending on the name looked up. The port forwarding function in gateway then directs these requests to the appropriate local server (192.168.0.2xx). See gateway's nameserving and firewalling configurations.
  - All internal (local hosts') nameserving queries are configured to look at "henry's" nameserver (after their internal nameserving cache, if configured). Henry's nameserving function has the name / IP address lookups for all the local hosts and servers on the local network, both for novatek.co.nz and cmex.org. See "henry's" nameserving configuration. Only if the name does not exist in henry's (or forwarded) cache will henry go through a name lookup starting with a root server query.
- In the configuration provided below, we could have gotten away with one IP address for virtual serving of mail and HTTP for two different domains, but not for ftp.
- Both henry's and gateway's kernels must be built with IP aliasing.
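As an added illustration (not the site's own BIND, ipchains or ipmasqadm configuration), the following Python models the two DNS views and gateway's port-forwarding table from the layout above, and checks the (external IP, port) collision that is the reason ftp cannot share one public address. The host names and addresses are the page's; the function names are mine.

```python
# Constructed model of the page's split-horizon DNS and ip_masq port forwarding;
# not the real zone files or firewall rules, but the same names and addresses.

# Internal view served by henry: public service names -> IP aliases on henry
INTERNAL_ZONE = {
    "www.novatek.co.nz": "192.168.0.200", "ftp.novatek.co.nz": "192.168.0.201",
    "mail.novatek.co.nz": "192.168.0.204", "news.novatek.co.nz": "192.168.0.207",
    "www.cmex.org": "192.168.0.202", "ftp.cmex.org": "192.168.0.203",
    "mail.cmex.org": "192.168.0.205", "cvs.cmex.org": "192.168.0.206",
}
# External view served by gateway: every name in a domain -> that domain's public IP
PUBLIC_IP = {"novatek.co.nz": "24.113.94.87", "cmex.org": "24.113.98.164"}
SERVICE_PORT = {"www": 80, "ftp": 21, "mail": 25, "cvs": 2401, "news": 119}
# Protocols that can tell two domains apart on one address (HTTP Host header,
# SMTP recipient domain); ftp has no such mechanism, hence the second public IP.
NAME_AWARE_PORTS = {80, 25}


def split(name):
    """'www.cmex.org' -> ['www', 'cmex.org']."""
    return name.split(".", 1)


def resolve(name, inside):
    """Split horizon: local hosts get the 192.168.0.2xx alias, the internet
    gets the gateway address that ip_masq port-forwards from."""
    if inside:
        return INTERNAL_ZONE[name]
    return PUBLIC_IP[split(name)[1]]


def port_forwards(public_ip=PUBLIC_IP):
    """Build gateway's (external IP, port) -> internal alias table and refuse
    any pair that would have to reach two different servers."""
    table = {}
    for name, alias in INTERNAL_ZONE.items():
        service, domain = split(name)
        key = (public_ip[domain], SERVICE_PORT[service])
        if key in table and table[key] != alias:
            raise ValueError(f"{key} already forwards to {table[key]}, not {alias}")
        table[key] = alias
    return table


def single_ip_conflicts():
    """Ports that would clash if both domains sat on one public IP and that no
    application-level name trick can separate (the page's ftp case)."""
    aliases_by_port = {}
    for name, alias in INTERNAL_ZONE.items():
        aliases_by_port.setdefault(SERVICE_PORT[split(name)[0]], set()).add(alias)
    return sorted(p for p, a in aliases_by_port.items()
                  if len(a) > 1 and p not in NAME_AWARE_PORTS)
```

Calling port_forwards() with both domains mapped to the same public IP raises on the first duplicated (IP, port) pair, which is the collision the two-address layout avoids.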
Server and port-forwarding map
------------------------------

Local Network 192.168.0.0/24 (*.novatek.co.nz)

Henry - 192.168.0.3 (*.3)
  *.novatek.co.nz                  *.cmex.org
    www  (80)   192.168.0.200        www  (80)    192.168.0.202
    ftp  (21)   192.168.0.201        ftp  (21)    192.168.0.203
    mail (25)   192.168.0.204        mail (25)    192.168.0.205
    news (119)  192.168.0.207        cvs  (2401)  192.168.0.206

Gateway - 192.168.0.254 (*.254 on the local network)
  Internet side:
    *.novatek.co.nz   24.113.94.87
    *.cmex.org        24.113.94.164

Other local hosts:
  hal-9000   192.168.0.4
  hercules   192.168.0.1
Last modified: Tue Feb 8 22:00:00 PST 2000
Copyright © Jonathan Marks, 1999, 2000. All rights reserved.
http://www.novatek.co.nz/linux/config/topology.html