I wonder if any of you had some advice/tutorial/howto regarding public vs. private IP and encryption on Rackspace.
To give you some background: On Rackspace every server has 2 network interfaces, a public one (eth0) and a private one (eth1). Traffic over the private interface is free; you get charged for the public one. The assumption is that I have a couple of frontends (app servers) and backends (MySQL) that talk to each other. However, I have a complete list of the IPs involved.
Now my idea is to use a combination of iptables DNAT and IPsec/Racoon to reduce cost and enhance privacy at the same time.
First of all, one could use iptables DNAT to rewrite the public IP to the internal one. So the application can still use a DNS name (which resolves to the public IP). Under the hood, traffic would get "rewritten" to use the internal (free of cost) IP.
In addition I'd use IPsec+Racoon to encrypt traffic on the IP level. The cheapest solution here is to use a pre-shared key. No X.509 complications. Racoon looks appealing.
Anybody out there, who has some experience in this area? Comments, suggestions, everything is welcome....
so every server has a private and a public IP. DNS names resolve to public IPs. What I'd like to accomplish is to rewrite traffic to use the private IPs using iptables, so the application can continue to use the hostname. An example would be:

    # nat table, OUTPUT chain: the connection originates on this host, so PREROUTING never sees it
    iptables -t nat -A OUTPUT -d 8.8.8.8 -j DNAT --to-destination 10.0.0.1

This could be combined with IPsec, where I require all traffic to/from 10.0.0.1 to be encrypted. A setkey example would be:

    # one policy per direction; for "in" the peer is the source and $myip the destination
    spdadd $myip 10.0.0.1 any -P out ipsec esp/transport//require;
    spdadd 10.0.0.1 $myip any -P in ipsec esp/transport//require;

The question was whether any of you run this combination, have some advice, etc. Or if this works at all; right now this is only an idea. If it worked, it would enable the application to use straight DNS names. Under the hood (if it works), traffic would be routed via the private IP (= cost saving) and be encrypted.
> I haven't fully understood your problem yet. Which traffic would you like to send over the private interfaces, and which do you want to encrypt?
> Thanks and best regards
> Falko
> On 12 April 2012 21:19, Jens Braeuer <braeuer.j...@googlemail.com> wrote:
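Jens's sketch above, worked into a script as an added example (this is not code from the thread): from one host map it renders the nat OUTPUT DNAT rules, the two-direction setkey policy, and a racoon configuration using a pre-shared key per peer. The node names, the 192.0.2.0/24 (public) and 10.180.0.0/24 (private) addresses, the racoon listen address, the algorithm choices and the psk.txt path are all constructed for this example; nothing here is a Rackspace default.

```shell
#!/bin/sh
# Added example, not code from the thread: render the iptables, setkey and
# racoon pieces of the DNAT + transport-mode IPsec idea from one host map, so
# every node gets the same policy. Names and addresses are constructed:
# 192.0.2.0/24 (documentation range) stands in for the public side,
# 10.180.0.0/24 for the private side.
set -eu

# Constructed host map: "name public_ip private_ip".
HOSTS='
app1 192.0.2.10 10.180.0.10
app2 192.0.2.11 10.180.0.11
db1  192.0.2.20 10.180.0.20
'

# The rewrite belongs in the nat table's OUTPUT chain: PREROUTING only sees
# packets arriving on an interface, never a connection the local app opens.
dnat_rule() {   # $1 public_ip  $2 private_ip
    printf 'iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n' "$1" "$2"
}

# Policy for one peer in both directions. "require" drops a cleartext packet
# that matches the selector instead of sending/accepting it, so a peer whose
# racoon is down fails closed rather than falling back to plain TCP. An "in"
# policy must name the peer as source and us as destination.
spd_rules() {   # $1 my_private_ip  $2 peer_private_ip
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# 256-bit random key as hex. racoon treats a 0x-prefixed psk.txt value as raw
# hex rather than a passphrase. One key per peer pair; psk.txt must be 0600.
gen_key() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }
psk_line() {    # $1 peer_private_ip  $2 hex_key
    printf '%s 0x%s\n' "$1" "$2"
}

# racoon.conf: IKE bound to the private address only (strict_address makes
# racoon fail at start-up rather than run without it); main mode, because
# aggressive mode sends the PSK-derived hash in the clear and invites an
# offline guess; AES-256, SHA-256, DH group 14 (2048-bit MODP).
racoon_conf() { # $1 my_private_ip
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";
listen { isakmp $1 [500]; strict_address; }
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo anonymous {
    pfs_group 14;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
EOF
}

# Everything one node needs. The SPD is written against private addresses:
# Linux re-routes a locally generated packet after the nat OUTPUT chain and
# does the IPsec (xfrm) policy lookup on the rewritten destination, so the
# DNAT and the policy compose.
render_node() { # $1 node_name
    my_priv=$(printf '%s\n' "$HOSTS" | awk -v n="$1" 'NF==3 && $1==n {print $3}')
    [ -n "$my_priv" ] || { echo "unknown node: $1" >&2; return 1; }
    echo "# --- iptables (nat OUTPUT) ---"
    printf '%s\n' "$HOSTS" | awk -v n="$1" 'NF==3 && $1!=n' | while read -r name pub priv; do
        dnat_rule "$pub" "$priv"
    done
    echo "# --- /etc/ipsec-tools.conf (setkey -f) ---"
    echo "flush; spdflush;"
    printf '%s\n' "$HOSTS" | awk -v n="$1" 'NF==3 && $1!=n' | while read -r name pub priv; do
        spd_rules "$my_priv" "$priv"
    done
    echo "# --- /etc/racoon/racoon.conf ---"
    racoon_conf "$my_priv"
}

render_node app1
```

Run `render_node <name>` on each node and split the output into the three files, generate one key per peer pair with `gen_key` and put the same `psk_line` on both ends, then `setkey -f /etc/ipsec-tools.conf` and start racoon. `setkey -DP` shows the installed policies, `setkey -D` the SAs once the first packet has triggered IKE, and the packet counters in `iptables -t nat -L OUTPUT -n -v` confirm the rewrite is actually hit. Because the policy is `require`, a node whose peer lacks the matching policy or key sees its MySQL connection hang rather than fall back to cleartext; that is the intended failure mode, and `racoon -F -d` shows why the negotiation did not complete.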
> On 12.04.2012 22:05, Falko Zurell wrote:
I want to avoid running my own DNS, as it's one more component to configure, monitor, etc. But entries in /etc/hosts are somewhat more straightforward. I'll give this a try.
DNSMasq might be of use (it will serve DNS requests which it reads from /etc/hosts, and if it doesn't find them there, it forwards to your upstream DNS provider), if you don't want to manage /etc/hosts for all your hosts.
Tim ^,^
On Fri, Apr 13, 2012 at 08:30, Jens Braeuer <braeuer.j...@googlemail.com> wrote:
> Thanks!
> On 12.04.2012 23:12, Falko Zurell wrote:
> Mmh, what about puppet-managed /etc/hosts entries for the private IPs?
> Seems much easier to achieve. Or run your own DNS with different views > on the zone that would resolve to internal IPs when queried from inside.
> best regards
> Sent from my bicycle
> On 12.04.2012, at 22:30, Jens Braeuer <braeuer.j...@googlemail.com> wrote:
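The /etc/hosts route Falko suggests and Jens decides to try, plus Tim's dnsmasq variant, as an added example that is not code from the thread: a managed block between marker lines that a puppet run or cron job can reapply idempotently, a sanity check that every target is an RFC 1918 address, and the dnsmasq fragment for serving the same file to other nodes. The marker text, inventory, hostnames, addresses and dnsmasq option choices are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the puppet-managed /etc/hosts idea
# as an idempotent block that a config run can reapply, plus the dnsmasq
# fragment for serving the same file to other hosts. Hostnames and addresses
# are constructed placeholders.
set -eu

BEGIN_MARK='# BEGIN rackspace-private (managed, do not edit)'
END_MARK='# END rackspace-private (managed)'

# Constructed inventory: "fqdn private_ip". The names are the ones the app
# already uses and public DNS serves; only the address they map to changes.
INVENTORY='
app1.example.com 10.180.0.10
app2.example.com 10.180.0.11
db1.example.com  10.180.0.20
'

# RFC 1918 only. /etc/hosts wins over DNS, so a public address typed here
# would silently put the MySQL connection back on the billed interface.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

validate_inventory() {
    printf '%s\n' "$INVENTORY" | awk 'NF==2' | while read -r name ip; do
        is_private "$ip" || { echo "refusing non-private $ip for $name" >&2; exit 1; }
    done
}

# The managed block: "ip  fqdn shortname".
render_block() {
    echo "$BEGIN_MARK"
    printf '%s\n' "$INVENTORY" | awk 'NF==2' | while read -r name ip; do
        printf '%s\t%s %s\n' "$ip" "$name" "${name%%.*}"
    done
    echo "$END_MARK"
}

# Replace (or append) the managed block, leaving every other line alone.
# Writing through cat keeps the inode and mode of the real /etc/hosts.
install_block() {   # $1 hosts file (/etc/hosts in production)
    validate_inventory
    tmp=$(mktemp)
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0==b {skip=1} !skip {print} $0==e {skip=0}' "$1" > "$tmp"
    render_block >> "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# dnsmasq on one node answers from its /etc/hosts and forwards everything
# else upstream; other nodes then only need "nameserver <private_ip>".
# no-resolv keeps it from looping back to itself through resolv.conf.
dnsmasq_conf() {    # $1 upstream_resolver  $2 private_ip_to_listen_on
    cat <<EOF
listen-address=127.0.0.1,$2
bind-interfaces
no-resolv
server=$1
domain-needed
bogus-priv
EOF
}

# Demo against a scratch copy; a second run must not duplicate the block.
demo=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$demo"
install_block "$demo"
install_block "$demo"
cat "$demo"
rm -f "$demo"
```

Check the result with `getent hosts db1.example.com`, which should now return the 10.x address, and run `mysql -h db1.example.com` while watching `tcpdump -ni eth1 port 3306` to confirm the connection leaves on the private interface. dnsmasq re-reads /etc/hosts on SIGHUP, so the run that installs the block should also send it a HUP.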
On EC2 you get a 'public' DNS name for each instance, but from the outside this DNS name resolves to the public IP and from the inside to the private IP. So the best solution (unless you do what you do) is to use that DNS name, and it will automatically take the shortest route.
> Is there no equivalent on Rackspace?
> Till