Multiple IP addresses for server using Virtualmin

#1 Wed, 11/23/2011 - 15:38
LWillmann

I have a server that I need to 'build' to replace two other boxes that are having issues currently, but I'm having trouble figuring out how to set up the new box that's running Virtualmin to work with multiple IP addresses.

The two old boxes are as follows: Mail server on private IP 192.168.0.210; it only handles mail and SSH and has three shell users. Web server that holds multiple websites using private IPs .211 to .216, with each website configured to answer to a specific IP. This box handles web, ssh, and ftp services for each site.

The two old boxes have been configured with Webmin and the web site box uses virtual ethernet interfaces to enable the extra IP addresses. When looking at the Network Configuration page for those interfaces I see (Virtual) beside them. I personally created these virtual interfaces and then set Apache to answer on each one, but all of the addresses (or domain names) will work for ssh and ftp.

The new box I am configuring needs to be configured with all public IPs (moving them outside the firewall to determine if the firewall has an issue), and I'd like to configure all of the public IPs for the sites and mail server to this new Virtualmin box.

I would like to configure this new box with IP A as the main one I use to access it for example.

I need for it to receive incoming mail from the outside world at IP B for the domains on the box.

I need for it to answer to IP C and automatically load web site 1

I need for it to answer to IP D and automatically load web site 2

I need for it to answer to IP E and automatically load web site 3

I need for it to answer to IP F and automatically load web site 4

I need for it to answer to IP G and automatically load web site 5

I need for it to answer to IP H and automatically load web site 6

I want to get the box working as smoothly as possible so I can transfer the web site data to the new box once it is configured and put it in place of the old boxes.

What is the proper way to configure the interfaces and get Virtualmin to handle things properly?

If possible I'd like to configure the box to handle the IPs this way:

IP A will give me full administrative access to the box (Virtualmin, Webmin, Usermin, ssh, ftp) I am fine with accessing the server via IP address:10000 for Virtualmin.

IP B will handle mail ONLY (no ssh at this IP if possible) for the domains (virtual servers) installed on the box.

IP C will handle www and ftp for web site 1 ONLY. No ssh for sure, and I'd like to remove Virtualmin, Webmin and Usermin access from this IP.

IPs D, E, F, G, H all configured for their respective sites like C.

Essentially I'd like to limit ssh, Virtualmin, etc to IP A, and the other IPs on the box only do their respective jobs.

I am probably over-complicating my explanation. It sounds simple enough in my head. Almost like I would create all of the IPs using Virtualmin and then use Firewall rules to limit traffic to all the IPs, but I am looking for advice to get it configured properly.

This box will end up 'on-site' for a client.

I personally have a dedicated hosting server that is running Virtualmin and I have been unable to determine how that hosting company configured the additional IPs on the box that some of the sites use. I know that it was not done exactly the same way I did it in Webmin on the old boxes so I want to make sure I get this right.

Any advice?

Wed, 11/23/2011 - 17:54
andreychek

Howdy,

Well, what you're describing almost sounds like you're interested in the sort of separation a VPS provides, or that of having multiple servers.

When you run a single Virtualmin system -- it's common to have multiple IP addresses on it, and the services running on your server would typically be listening and available on all the IPs.

Could you configure some services to just listen on certain IPs? Sure! But there's not really a benefit in doing so.

That is, you could set up SSH so that it doesn't listen on IP 'B' -- but that doesn't prevent someone from simply connecting to SSH via IP address 'A'. And when you add a user to your system -- they can access your system using any of the IPs available on it. Users aren't limited to accessing it on specific IPs.

The degree of separation it sounds like you want is unfortunately not possible when using a single server. And while it's possible to configure some services to only listen on certain IP addresses -- that's not really improving your security, since that same service is available on the other IP addresses. I think it's just making for a more complicated setup :-)

But, if you really wish to do it anyhow -- you can manually configure any daemon running on your system to listen on specific IP addresses, rather than the default of all IP addresses.

-Eric

Mon, 11/28/2011 - 08:19
LWillmann

What is the generally accepted 'proper' way to add new static IPs to a Virtualmin server?

Correct me if I am wrong, but a way for me to get the server to respond to certain services only on certain IPs, I would use IPCHAINS (Linux Firewall), right?

Just tell the firewall to block all SSH, WEB, FTP, SMTP essentially, and only open those ports on the proper IPs as I wish?

That should stop any SSH to any IP other than IP A, and WWW and FTP services to any IP other than desired, etc.

I realize it might make the firewall configuration a little complex, but in my head anyway it works. One of those "in theory" things...

Right now, I'm mainly needing to know what the recommended method for adding additional IPs to a server is, using Virtualmin, and then configuring those IPs for the individual 'virtual servers' on the box.

Mon, 11/28/2011 - 09:39
andreychek

> What is the generally accepted 'proper' way to add new static IPs to a Virtualmin server?

Most folks use one primary IP address on their server... and then when a new IP address is required for a given Virtual Server, you can go into Server Configuration -> Change IP Address, and give that one Virtual Server its own IP.

If you aren't trying to associate an IP address with a specific Virtual Server, then you can add an IP by going into Webmin -> Networking -> Network Configuration -> Network Interfaces.

> Correct me if I am wrong, but a way for me to get the server to respond to certain services only on certain IPs, I would use IPCHAINS (Linux Firewall), right?

You indeed could use the Linux Firewall to configure that, though you may mean iptables (ipchains was replaced by iptables in 2001).

You have two options for how to do that -- you could use iptables for blocking access to some ports on some IPs, or you could configure the services themselves to only listen on certain IPs.

Personally, I think I'd configure the services to listen to certain IPs. But either solution would work :-)

I still don't think there's a benefit to the complex setup you're after here, but you can certainly do all that :-)

-Eric
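
The iptables option discussed in this thread, as an added example that is not part of any post: a script that generates an `iptables-restore` ruleset opening each service only on its intended destination IP. The addresses are constructed placeholders from the 203.0.113.0/24 documentation range standing in for IPs A to H, the port choices (80/443 for web, 25 for SMTP, 20000 for Usermin) are assumptions, and the function names `allow`, `build_ruleset` and `ips_for_port` are hypothetical.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that opens each service only
# on its intended destination IP. Addresses are constructed placeholders from
# the 203.0.113.0/24 documentation range, standing in for "IP A" .. "IP H".
ADMIN_IP="203.0.113.10"   # IP A: ssh, ftp, Webmin/Virtualmin, Usermin
MAIL_IP="203.0.113.11"    # IP B: inbound SMTP only
SITE_IPS="203.0.113.12 203.0.113.13 203.0.113.14 203.0.113.15 203.0.113.16 203.0.113.17"  # IPs C..H

# allow <dest-ip> <comma-separated TCP ports>
allow() {
    printf '%s\n' "-A INPUT -d $1 -p tcp -m multiport --dports $2 -m conntrack --ctstate NEW -j ACCEPT"
}

build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default-deny: anything not listed is dropped
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    allow "$ADMIN_IP" 22,21,10000,20000   # 10000 = Webmin, 20000 = Usermin default
    allow "$MAIL_IP" 25
    for ip in $SITE_IPS; do
        allow "$ip" 80,443,21             # FTP passive data ports not shown
    done
    echo 'COMMIT'
}

# Audit helper: list the destination IPs on which a TCP port is accepted.
ips_for_port() {
    build_ruleset | awk -v p="$1" '$1 == "-A" && $3 == "-d" {
        n = split($10, ports, ",")
        for (i = 1; i <= n; i++) if (ports[i] == p) print $4
    }'
}

build_ruleset
```

Pipe the output through `iptables-restore --test` to validate it before loading. Any other service the box offers (DNS, IMAP/POP3) needs its own `allow` line, since the INPUT policy drops everything not listed.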
