- Posted in: Networks
Some years ago I decided to stop using public mail services and decided to buy my own domain and to setup my own mail server at home to handle all of my email. Work was completed very quickly and I got my own working e-mail server and my own mail domain! Some time there was no problems and I was glad to have an opportunity to have full control over my own mail flow.
But little bit later my ISP decided to make my Internet connection cheaper (for them) and they were assigned private IP address to my home Internet connection (192.168.192.2). As you can predict, from that moment my mail server was not reachable from real world and my mail domain was down.
First available solution was to point my MX record to some real mail server in real Internet and to use fetchmail or something like it ti fetch my email to home server. But this solution was not so flexible, and I decided to take one of IP addresses from IP pool of my employer (I am working for hosting company and company owner approved configuration described here) and to assign it to my home server to make my SMTP server available from real world. “It is impossible”, you can say, “You can not set foreign real IP to interface in PRIVATE network of another ISP!”. Yes, it is true, but using some tricks with Linux policy routing an some tunnelling I can do it! This article is about how it has been done by me.
First of all, I selected one IP (RE.AL.AD.DR) in my employer IP network and created ip-over-tcp tunnel from my home server to one of the employer’s servers. It has been done using great UNIX tool vtun by Maxim Krasnyansky. Config files will be presented later in this article.At this step I got following interfaces on world server and home server sides:
- World server side:
#ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.200.0.1 P-t-P:RE.AL.AD.DR Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:546 (546.0 b) TX bytes:494 (494.0 b)
- Home server side:
#ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:RE.AL.AD.DR P-t-P:10.200.0.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:494 (494.0 b) TX bytes:546 (546.0 b)
There are two different ip addresses in above quotes:
- RE.AL.AD.DR – real IP address which is being setup on home server side.
- 10.200.0.1 – randomly selected (by me) fake IP address for world server side.
Next, I need to force my home server to send answers to all queries to RE.AL.AD.DR services via tunnel interface. This aim was achieved by using following Linux policy routing configuration commands in tunnel up script:
ip "rule add fwmark 65 table hof"; ip "route add default via 10.220.0.1 dev tun0 table hof"; firewall "-t mangle -A PREROUTING -s RE.AL.AD.DR -j MARK --set-mark 65"; firewall "-t mangle -A OUTPUT -s RE.AL.AD.DR -j MARK --set-mark 65";
These commands are adding new routing table with name hof (for which I need to have specific line in /etc/iproute2/rt_tables file with table name and any selected table id), adding default route to this table via world server’s end of tunnel and marking all packets from RE.AL.AD.DR to be marked for routing via hof routing table.
Last step is to setup world server to arp-announce RE.AL.AD.DR with its MAC-address to ethernet network with default router. I have used farpd utility from debian official repository. With this tiny tool you can arp-announce any IP address to network connected to specific interface by running following command:
/usr/sbin/farpd -i eth0 RE.AL.AD.DR
That is all! At this point I was able to setup any software on my new IP address (RE.AL.AD.DR) and this software were available from the outside world. As for now, I can switch my ISPs any number of times – this is no matter because my IP is always moving with me.
As I promised before, vtun config files are available there for your convenience:
Good luck with your experience with setting up your dedicated “provider-independent” IP addresses!