On my VPS, I have added an IP alias to my network interface. This new alias is working from the internal zone (for instance in Firefox in the openSUSE GUI) but I cannot access it from any other computer. The ‘normal’ IP address is accessible from the external zone by the way. The yast2 firewall is set up to allow http and https. Do I need to add some custom rules or something?
When it is all working, I would like to have apache listen on one IP address and nginx on the other.
You chose OTHER VERSION from the drop-down menu when you started this thread. I assume that you are talking about an openSUSE version.
The fact that we have that drop-down menu should have told you that it is important information that should go with each question/problem. You apparently missed that hint. Please do not hesitate to tell us which version you are using.
Yeah, I can make apache listen to a specific IP address. I already have that configured with virtual host files. :good:
The problem is that I cannot access the server at all by using the new IP address. It looks like the firewall is blocking it when you are in the external zone. It is working fine when I access the new IP address from within the internal zone (so directly from the VPS). The only thing I can come up with is the firewall blocking it.
From the SuSEfirewall2 config file, in the section that defines EXTernal interfaces:
# Note: alias interfaces (like eth0:1) are ignored
FW_DEV_EXT=""
If you want an interface (real or virtual) accessible from the outside world, it’s got to be in an EXTernal zone. The easiest way to fix this would be to add a network card (they’re dirt cheap nowadays), give it a second IP address, then assign it to an external zone as well. Just my opinion.
Sorry, I should have said, “to answer your immediate question, it appears that SuSEFirewall doesn’t do virtual IP addresses externally.”
On a VPS, I think you have a few options:
Manually edit the iptables. Not recommended.
If the nginx server has a separate public DNS record, use a virtual server in Apache.
Redirect anything targeted to nginx.
None of the above will be easy. Since you apparently have physical access to the server, seriously, I’d add another network card. (We buy all of our servers now with at least 2, and sometimes 4 or 6).
When you’re deployed in a VPS, you have to describe and/or identify the VPS you’re using.
Different VPS will expose the server differently to networking which can be an important factor.
Above posts also may be on the right track in that firewall rules may or may not be “IP alias” aware.
I don’t use that terminology, but if an “IP alias” is the same as simply assigning an additional IP address (typically with a different NetworkID similar to how you described the address belongs to your internal network) to the same network interface, then it’s certain that the firewall rules will block. In other words, an “IP Alias” may be a bit of a misnomer which may be why I don’t hear that term used… An IP isn’t really aliased, suggesting a flow and hierarchy that goes through the original IP address; an added IP address stands on its own equally on the same network interface.
Again, different VPS will offer you different solutions, but the solution smpoole7 suggests is probably one of the first things to look at… Although you’re really talking about a virtual network device and interface, not a physical one. This avoids the possibility of hacking your internal address when it’s assigned to the same network interface configured with your external IP address.
Thank you for your replies! And sorry for my late response. I haven’t been able to work on this problem this last week.
Unfortunately I am not talking about a physical device. Plugging in a new network card would be a great option indeed. But I assume that VPS software should also be capable of adding an extra virtual network device?
It took me several hours. The VPS software did not detect my restart. Therefore, my VPS did not really get the extra IP :’( . I had to do a hard shutdown from the VPS console (so not from within openSUSE). When I came back online, everything was working. So the first setup I made in 5 minutes would have worked if my restart was noticed. :sarcastic:
Be careful what IP addresses and virtual networks are associated with any given interface, the rules are the same…
If a public address is assigned to that interface, then only similarly public addresses (and networks) should be assigned to that interface.
No IP addresses and networks for private or dedicated machine to machine use should be exposed on that same interface.
Isolate virtual networks by assigning to different interfaces.
The reason… Any traffic which is on a shared network device (eg network interface) is accessible and can potentially be hacked from another network on that same interface.
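One way to check a host against the rule in the last post (public and private addresses kept on separate interfaces), as an added example that is not part of the thread. It handles IPv4 only, treats RFC 1918 space as "private", and runs over a constructed sample in the format of `ip -o -4 addr show`; the interface names and addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the format of `ip -o -4 addr show` (trailing lifetime fields trimmed).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
2: eth0    inet 203.0.113.11/24 brd 203.0.113.255 scope global secondary eth0:1
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global secondary eth1:1
4: eth2    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth2
"""

def classify(addr):
    """Return 'private' for RFC 1918 space, None for loopback/link-local, else 'public'."""
    if addr.is_loopback or addr.is_link_local:
        return None
    return "private" if any(addr in net for net in RFC1918) else "public"

def addresses_by_interface(text):
    """Map interface name -> {'public': [...], 'private': [...]} from `ip -o -4 addr` text."""
    result = defaultdict(lambda: {"public": [], "private": []})
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: "<index>: <ifname> inet <addr>/<prefix> ..."
        if len(fields) < 4 or fields[2] != "inet":
            continue
        iface = ipaddress.ip_interface(fields[3])
        kind = classify(iface.ip)
        if kind:
            result[fields[1]][kind].append(str(iface.ip))
    return dict(result)

def mixed_interfaces(text):
    """Interfaces carrying both public and private addresses, sorted by name."""
    return sorted(name for name, a in addresses_by_interface(text).items()
                  if a["public"] and a["private"])

if __name__ == "__main__":
    for name in mixed_interfaces(SAMPLE):
        print(f"{name}: public and private addresses share this interface")
```

On a live system, replace `SAMPLE` with the output of `ip -o -4 addr show`; an alias such as `eth0:1` is reported under its parent interface, which is the grouping the rule cares about.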