Well, my little web server is finally facing the public. But I wanted to keep my internal network the same, so this is how I did it.
First off, the router was on the 192.168.1 network and all my servers were on the 169.254.218 network, connected via an Ethernet switch, so until now I had no need of routes between the two for them to communicate. So I decided to alias an address on each interface. The router was of course plugged into the same switch, so as well as every machine being able to reach the internet through the switch to the router using the aliases, they could still chat to each other through the same switch on the internal network.
In my normal backward manner, I made the primary address of the ethn interfaces the one on the 192.168.1 network and aliased the internal network address. The reason for doing it that way was to ensure every server’s default route went out via the router; after all, I wanted them all to have internet access even if I broke the internal network.
The firewall rules for the 192.168.1 network were set up to allow outgoing connections only; no incoming connections were allowed on that network, with the exception of one single server that accepted connections on ports 80 and 443 (this one).
The firewall rules for the 169.254.218 network could then be a lot more flexible, and I allow ssh and some of my home-grown applications (job scheduler remote control, alert forwarding etc.) through on that network without.
Then I aliased the original addresses of my 169.254.218 network onto the ethn card as ethn:0 interfaces. Really simple to do…
cd /etc/sysconfig/network-scripts
cp -p ifcfg-eth0 ifcfg-eth0:0
vi ifcfg-eth0:0
– update the device to be eth0:0 (or :0 on whatever interface you had)
– remove the hardware address lines
– set the new IPADDR, NETWORK and NETMASK
/etc/init.d/network restart
One hiccup: the default route, as I noted above, goes via my router, which is no good for the internal addresses as the router won’t find those. So I also added commands to /etc/rc3.d/S99local to set explicit host routes to my internal servers; two examples are below.
route add 169.254.218.183 eth0:0
route add 169.254.218.186 eth0:0
And that’s it.
The differences on one of my working servers are:
ifcfg-eth0
———-
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:04:23:13:CE:85
IPADDR=192.168.1.182
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.0.0
ONBOOT=yes
ifcfg-eth0:0
———-
DEVICE=eth0:0
BOOTPROTO=none
BROADCAST=169.254.255.255
IPADDR=169.254.218.182
NETMASK=255.255.0.0
NETWORK=169.254.0.0
TYPE=Ethernet
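The same alias file can be produced from the existing ifcfg-eth0 without editing by hand. This is an added example, not a script from the original post: it copies the file, drops the HWADDR and address keys, sets DEVICE to the alias name, and derives NETWORK and BROADCAST from IPADDR/NETMASK so they cannot disagree; the temp directory and the sample ifcfg-eth0 below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Builds ifcfg-eth0:0 from ifcfg-eth0
# following the post's recipe; the sample input and temp dir are constructed here.

# ip_calc IP NETMASK -> prints "NETWORK BROADCAST"
ip_calc() {
    oldifs=$IFS; IFS=.
    set -- $1 $2            # $1..$4 = IP octets, $5..$8 = mask octets
    IFS=$oldifs
    net=""; bc=""
    while [ $# -gt 4 ]; do  # after each shift, $1 and $5 are the next octet pair
        net="$net.$(($1 & $5))"
        bc="$bc.$((($1 & $5) | (255 - $5)))"
        shift
    done
    echo "${net#.} ${bc#.}"
}

# make_alias_cfg SRC DST ALIAS IPADDR NETMASK -> writes DST
make_alias_cfg() {
    set -- "$1" "$2" "$3" "$4" "$5" $(ip_calc "$4" "$5")   # $6=NETWORK $7=BROADCAST
    # Keep ONBOOT and any other keys, but drop HWADDR (an alias has no MAC of its
    # own) plus the DHCP, IPv6 and address keys that are set explicitly below.
    grep -v -E '^(DEVICE|HWADDR|DHCPCLASS|BOOTPROTO|IPADDR|NETMASK|NETWORK|BROADCAST|IPV6INIT|IPV6_AUTOCONF)=' "$1" > "$2"
    printf 'DEVICE=%s\nBOOTPROTO=none\nIPADDR=%s\nNETMASK=%s\nNETWORK=%s\nBROADCAST=%s\n' \
        "$3" "$4" "$5" "$6" "$7" >> "$2"
}

# Constructed copy of the post's ifcfg-eth0, written to a temp dir for the demo.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:04:23:13:CE:85
IPADDR=192.168.1.182
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.0.0
ONBOOT=yes
EOF
make_alias_cfg "$DEMO_DIR/ifcfg-eth0" "$DEMO_DIR/ifcfg-eth0:0" eth0:0 169.254.218.182 255.255.0.0
cat "$DEMO_DIR/ifcfg-eth0:0"   # review before copying into /etc/sysconfig/network-scripts
```

Note that eth0:0 is only an address label: netfilter sees all of this traffic arriving on eth0, so the per-network firewall rules described above have to match on the destination address (-d), not on the alias name.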
And there we have it. Two fully working networks off a single interface card.
[root@osprey ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:04:23:13:CE:85
inet addr:192.168.1.182 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::204:23ff:fe13:ce85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9581 errors:0 dropped:0 overruns:0 frame:0
TX packets:6162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12360913 (11.7 MiB) TX bytes:833470 (813.9 KiB)
[root@osprey ~]# ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 00:04:23:13:CE:85
inet addr:169.254.218.182 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
[root@osprey ~]# netstat -r
Destination Gateway Genmask Flags MSS Window irtt Iface
169.254.218.183 * 255.255.255.255 UH 0 0 0 eth0
169.254.218.186 * 255.255.255.255 UH 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0
default RTA1025W.home 0.0.0.0 UG 0 0 0 eth0
[root@osprey ~]#
Some people would say that ethernet cards are cheap, just plug in another one for the internal network.
Jolly good idea, apart from the fact that I couldn’t be bothered opening each server, some have no spare slots, and I would then need a separate switch for the internal network (yes, I do have spare switches lying around, don’t we all; I don’t have the spare power points for them though; I found the limit to multibox-on-multibox when I plugged in a new toy and two servers turned off). This way just made more sense to me.