Using multiple IP addresses on my Debian-based VPS
I have a VPS instance (running Debian) provided by DynDNS (their Spring Server VPS service), on which I’m running a few services, including a few web sites.
I had some privacy concerns and didn’t want to share the same IP address for all of my sites. It’s very simple to locate other sites running on the same web server IP. Therefore I requested an additional IP address (IPv4) from DynDNS.
DynDNS Support were very forthcoming and I quickly had an extra IP address at my disposal. But where to go from there? Different providers have different ways to go about this. Some assign an extra network interface (virtual NIC device) to the VPS, while others (including DynDNS) simply reserve the IP address for you. In my case, IP aliasing was the way to go (creating a virtual interface – see Debian’s reference documentation on this).
I defined a new virtual interface in /etc/network/interfaces:
auto eth0:0
iface eth0:0 inet static
    address 184.108.40.206
    gateway 220.127.116.11
    netmask 255.255.255.0
Then I connected to the VPS through the serial console (see springconsole.com) and restarted the network interfaces:
invoke-rc.d networking restart
Then the real work remained – configuration. To get things working the way I wanted, I needed to reconfigure iptables, Apache (httpd), my MTA and more.
I won’t go into too many details when it comes to the iptables configuration, but basically I wanted to restrict some services to only be reachable on a specific IP. Configuring a service to only listen on a certain IP is fine, but it is always good to enforce this with iptables as well. In DynDNS’ Debian VPS template, you have a .conf file available for this – /etc/iptables.conf (and /etc/ip6tables.conf for IPv6). Just to give a simple example of an input accept rule restricted to a specific local IP, here is a line which would cause incoming SMTP connections to only be accepted if 100.100.100.100 was the destination IP (provided the INPUT chain's default policy or a later rule drops whatever is not explicitly accepted):
-A INPUT -p tcp -m tcp -d 100.100.100.100/32 --dport 25 -j ACCEPT
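An added check for the listening side of this (not part of the original post): the shell function below reads `ss -ltn` output and reports TCP listeners bound to a wildcard address, which answer on every IP of the VPS unless iptables filters them. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag TCP listeners bound to a wildcard address.
# Input format: `ss -ltn` lines (State Recv-Q Send-Q Local:Port Peer:Port).

# wildcard_listeners [PORT...]
# Reads ss lines on stdin and prints "<port> <address>" for every listener
# bound to all addresses. With PORT arguments, only those ports are reported.
wildcard_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            # The port follows the last colon (IPv6 addresses contain colons).
            port = la; sub(/.*:/, "", port)
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (n > 0 && !(port in want)) next
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print port, addr
        }'
}

# Constructed sample of `ss -ltn` output (not taken from a real host).
sample_ss() {
    cat <<'EOF'
LISTEN 0 128         0.0.0.0:22        0.0.0.0:*
LISTEN 0 100 100.100.100.100:25        0.0.0.0:*
LISTEN 0 511               *:80              *:*
LISTEN 0 511 100.100.100.100:443       0.0.0.0:*
LISTEN 0 128            [::]:22           [::]:*
EOF
}

# Demo on the sample; on a live host: ss -ltn | wildcard_listeners 25 80 443
sample_ss | wildcard_listeners 25 80
```

In the sample, SMTP is bound to one address and is not reported, while the web server on port 80 still listens on every address.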
The Apache configuration was the most important one for me. In Debian (up to and including Debian 5.0), the Listen directive and related settings for Apache2 are placed in /etc/apache2/ports.conf (in Debian 6.0 “apache2” is renamed to “apache”, so it will likely use /etc/apache). I made some simple changes here, adding explicit IP addresses to the NameVirtualHost directives:
NameVirtualHost 100.100.100.100:80
NameVirtualHost 18.104.22.168:80
That way, I became able to have a separate set of name-based virtual hosts for each IP address.
Next on my list was to ensure that a specific source IP was used for all outgoing SMTP connections. To achieve this in Postfix, one has to edit the master.cf file and add an option for the smtp service:
smtp      unix  -       -       -       -       -       smtp
  -o smtp_bind_address=100.100.100.100
That’s pretty much the gist of it.