Linode Community Forums
Posted: Thu Oct 31, 2013 1:35 pm
Newbie, joined Thu Oct 31, 2013 1:06 pm, 2 posts
Hello,

I'm setting up my 1st Linode VPS.

In addition to serving up the usual web site, I'd like to use it to get rid of my static IP at my office.

Right now, the office has a mail-server running that uses two static IP addresses.

I want to keep that mail-server running on my LAN, but "redirect" it to use two static IP addresses on my Linode instead.

I've been reading up and am pretty sure that if I set up an IPv6 tunnel for my LAN, and the Linode has an IPv6 address too, I can somehow connect the two so traffic between the two flows over the IPv6 networks. IIUC, the IPv6 addresses are by definition 'static' and independent of whether or not my LAN connection to my ISP is a dynamic/IPv4 or not.

So, if that's the right approach, the CONCEPT sounds pretty easy. But I've managed to get terribly lost putting all the pieces together.

There's routes, firewalls, VPNs, tunnels, network scripts, interface settings, etc etc. Getting it all set up properly is more than I can chew right now.

I'd guess some folks @ Linode have done this "whole thing" before.

I'm hoping to get some hand-holding through all the detailed steps, learn once and for all how to do the whole thing RIGHT in the context of a Linode, and end up documenting here for posterity -- for myself and others.

What I've done/have so far is:

@ Linode:

2 static IPv4s
IPv6 enabled
IPv4 & IPv6 firewalls turned on
NO mailserver will run on this box

@ LAN

2 static IPv4s on my edge router/firewall
IPv6 enabled on my edge router/firewall
IPv4 & IPv6 firewalls turned on my edge router/firewall
mailserver running on an internal-LAN box, with 2 NAT'd IPv4s mapped to/from the 2 static IPs on the edge box

So, my question is -- what's the best/right method for transparently "rewiring" the whole mess so that the mailserver's external/real IPs get moved from the edge box on my LAN, to those on the Linode, and it all stays working after I downgrade from a static IP to a dynamic one on my LAN?

Thanks, and here's hoping we get a good "how to" out of this!

JenL


Posted: Fri Nov 01, 2013 2:01 am
Senior Member, joined Sun Jan 18, 2009 2:41 pm, 830 posts
You might want to read through this thread, where I described how this can be done with an ssh tunnel. In your case with multiple IPs, you could use something like the following to forward port 25.

Code:
ssh -R 'your.first.linode.ip:25:your.first.home.ip:25' -R 'your.second.linode.ip:25:your.second.home.ip:25' root@your.linodes.name


If you wish to do more fancy stuff than just forward a couple ports, you're probably looking at doing something with OpenVPN.

I'm not very familiar with IPv6, but you should check with your ISP as to whether they give a static allocation, or whether it could change on disconnect/reconnect. I'm not aware of a guarantee in the standards that it will be static (but I could very well be wrong).
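The reverse forward in Vance's command, as an added example that is not code from the thread or from Linode: a POSIX sh helper that assembles the -R options for any number of Linode/home address pairs, plus a check for the sshd_config setting on the Linode that the per-address bind depends on. The addresses in the comments are constructed documentation ranges, and ExitOnForwardFailure is added so the client quits instead of running with a silently failed bind.

```sh
#!/bin/sh
# Added example, not the forum poster's script.
# Pairs are given as "linode_ip,home_ip" (comma, so IPv6 literals would also work).

# Build the ssh command that forwards port 25 on each Linode IP to the matching
# home IP. -N: no remote shell; ExitOnForwardFailure: fail loudly if any -R
# cannot bind; ServerAliveInterval: notice a dead tunnel instead of hanging.
build_tunnel_cmd() {
    ssh_target="$1"; shift                  # e.g. root@linode.example (constructed)
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for pair in "$@"; do
        linode_ip="${pair%%,*}"
        home_ip="${pair#*,}"
        cmd="$cmd -R '${linode_ip}:25:${home_ip}:25'"
    done
    printf '%s %s\n' "$cmd" "$ssh_target"
}

# sshd only honours the bind address given in -R when GatewayPorts is
# "clientspecified": the default "no" binds 127.0.0.1 only, and "yes" binds the
# wildcard address, so a second -R on port 25 would fail to bind.
# Returns 0 when the given sshd_config (path is the argument) allows it.
gatewayports_ok() {
    grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+clientspecified' "$1"
}
```

Port 25 must also be open in the Linode's firewall for the forwarded socket to be reachable.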


Posted: Fri Nov 01, 2013 2:49 pm
Newbie, joined Thu Oct 31, 2013 1:06 pm, 2 posts
@Vance

Not sure my lingo is up to snuff, but ...

Does your suggestion actually "attach" the Public-on-the-linode & Private-on-the-LAN IP/interfaces, without any further need for NAT, routing etc?

I guess another way to ask, will mail sent from the LAN server automatically appear to be sent from the real-IP on the Linode, and will mail sent TO the MX @ real-IP make it to the mailserver?

As for the IPv6 address, my IPv6 is static, allocated via a tunnel provider, atm. Someday it'll be directly from the provider.


Posted: Fri Nov 01, 2013 3:11 pm
Senior Member, joined Tue Apr 13, 2004 6:54 pm, 833 posts
What I did was create an openvpn connection from my home machine to my linode. Let's say it has IP address 10.20.30.40 (home) and 10.20.30.50 (linode). Now my home machine runs an MTA as normal, and uses 10.20.30.50 as a smart host so all outgoing mail goes via linode. The linode is the MX for my mail and rewrites incoming mail to go to home. I use a table of users I want to forward mail for, so that mail for an invalid user does not make it home and then bounce; I just refuse to accept it on linode. Stops you doing spam backscatter.

If you have IPv6 (whether tunnel or ISP provided) then you can do the same thing over IPv6 and not need the OpenVPN tunnel.

linode rules are simple for postfix. I added a transport map entry
home.MYDOMAIN smtp:my_home_machine

In main.cf I added
virtual_maps = hash:/etc/postfix/MYDOMAIN

And now in MYDOMAIN I can do lines such as
user@MYDOMAIN user@home.MYDOMAIN

Remember to allow "home" to relay via postfix. Remember to set your home machine to accept mail addressed to user@home.MYDOMAIN and send out mail with user@MYDOMAIN.

I think that's pretty much it.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
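The Linode-side Postfix pieces Stephen describes, rendered by an added example that is not his actual configuration: a constructed domain stands in for MYDOMAIN, the home MTA is reached at the VPN address from his post, and the last function models the "refuse unknown users on the Linode" decision that avoids backscatter. The main.cf lines use virtual_alias_maps, the current name of the virtual_maps parameter, and list the domain in virtual_alias_domains so Postfix rejects recipients missing from the map at RCPT TO.

```sh
#!/bin/sh
# Added example, not Stephen's files. Values below are constructed stand-ins.
DOMAIN="example.com"          # stands in for MYDOMAIN
HOME_HOST="[10.20.30.40]"     # home MTA over the VPN; [] tells Postfix to skip the MX lookup
HOME_NET="10.20.30.40/32"     # the address "home" is allowed to relay from

# main.cf additions for the Linode. Listing the domain in virtual_alias_domains
# makes Postfix reject any recipient absent from the alias map during the SMTP
# session, so no bounce is ever generated for an invalid user.
render_main_cf() {
    cat <<EOF
virtual_alias_domains = $DOMAIN
virtual_alias_maps = hash:/etc/postfix/$DOMAIN
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8 $HOME_NET
EOF
}

# transport map: everything for home.DOMAIN is handed to the home MTA.
render_transport() {
    printf 'home.%s smtp:%s\n' "$DOMAIN" "$HOME_HOST"
}

# virtual alias map: one line per user that should be delivered at home.
# Arguments are the local parts (alice carol ...).
render_virtual() {
    for u in "$@"; do
        printf '%s@%s %s@home.%s\n' "$u" "$DOMAIN" "$u" "$DOMAIN"
    done
}

# Model of the RCPT TO decision on the Linode: print the rewritten address for a
# listed user, return 1 (reject) for anyone else. $1 = map file, $2 = recipient.
rcpt_decision() {
    awk -v r="$2" '$1 == r { print $2; found = 1 } END { exit !found }' "$1"
}
```

After writing the two map files under /etc/postfix, run postmap on each so the hash: tables exist, then reload Postfix.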


Posted: Sat Nov 02, 2013 6:16 pm
Senior Member, joined Sun Jan 18, 2009 2:41 pm, 830 posts
jenl wrote:
Does your suggestion actually "attach" the Public-on-the-linode & Private-on-the-LAN IP/interfaces, without any further need for NAT, routing etc?

I guess another way to ask, will mail sent from the LAN server automatically appear to be sent from the real-IP on the Linode, and will mail sent TO the MX @ real-IP make it to the mailserver?


With the ssh tunnel suggestion, people wanting to send mail to you would connect to the Linode's IP address. This traffic would be forwarded over the tunnel to your home IP. From an outside sender's perspective, they would be talking to your Linode (one endpoint of the tunnel). From your mailserver's perspective, it would be talking to the local machine (the other endpoint of the tunnel).

The tunnel operates only in one direction. Mail leaving your home mailserver would go directly from your home IP to the destination IP. This could be a problem if your ISP blocks connections to port 25 (many do). One solution would be to route outgoing mail through your ISP's mailserver. I'm not aware of a simple way to set up an ssh tunnel to handle the outbound situation.

Hope this makes things a little clearer.

