I am using OpenVZ, although I have read that Debian isn't going to support it past Squeeze, which means, I guess, that if one wants to upgrade Debian past Squeeze, LXC is the answer? Is ISPConfig going to support LXC in the future?
I want to create separate websites, one per OpenVZ container. I want the containers isolated and secure from each other's activities.
I have venet (VE Ethernet) on OpenVZ working great as long as my private IP containers are on the same subnet as my host node. From inside the container I can ping anything on the internet, and any of my actual physical computers on the same LAN can ping in through the host to the containers. However, my experiments to have the host on one subnet and the containers on a different subnet have not worked. I'm missing some command to iptables, I think, concerning DNAT... but the commands I have found others using didn't seem to work out for me.
Trying to make veth (virtual Ethernet) work hasn't worked... I'm missing knowledge there, so I am hoping ISPConfig works with venet, as I'd like to finally get through all this initial setup and get to doing what I wanted to work with in the first place. I have been stuck here a long time...
Early on, I was advised by someone who runs an OpenVZ setup with lots of containers to accomplish the networking of the containers in the following manner, but this appears to be over my head and I haven't found tutorials that shed the necessary light to know the commands to accomplish this, which is why I was wondering if ISPConfig would provide an easier routing scheme of the network for me that is still secure:
I was told to have the host node's firewall direct all port 80 & 443 traffic and also all IP traffic to container 101, where a firewall like Shorewall exists. This firewall maps the port numbers to the containers' individual IP addresses and sends all IP traffic directly to their respective containers. As for domain http/s traffic, this firewall directs all of it to container 102, which is sitting inside container 101's DMZ. (I have no idea what putting this in the DMZ does for me.) Container 102 contains Apache running in Virtual Host Mode, which then handles all external incoming and internal outgoing domain name based http/s traffic by bi-directionally translating it. It does this by reading the incoming domain names and changing the headers of the incoming communications, which then maps the URL domain names to their assigned port numbers - which are high numbers (unique numbers assigned to each container) - by swapping in the new port number to replace port 80 in the addressing and then sending the new addressing back to the firewall in Container 101, which recognizes the port number in its mapping of port numbers to IP addresses and immediately sends it to the proper container. Each container then has its own Apache server listening on its unique port number for that container. And in this way, I could run many separate websites secure from one another.
I have no notes on the return path. I am assuming it is supposed to simply work in the same reverse path.
Also, this is the first time I have heard the phrase "reverse proxy" applying to what I need to do.
So, will ISPConfig get me past setting up the networking of the containers and the firewalling I need to do in this area so that I can skip the above use of Container 101's firewall and Container 102's Apache processing that I described above?
And also, can you point me at the basic knowledge or application that I am going to need to create the firewalls with each container when I finally get that far? I notice that ISPConfig uses Bastille Firewall... what do I need to know to use it?
Thanks for your thoughts on plotting a course for me at my level!
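
The routing scheme described in this post, sketched as an added example that is not part of the original post and is not ISPConfig's or OpenVZ's own tooling: a script that prints the iptables commands for container 101 and the Apache virtual hosts for container 102 from a single domain/port/IP table. All addresses, ports and domain names are constructed, and it assumes container 101 forwards traffic for the other containers and that plain HTTP is proxied to each backend.

```shell
#!/bin/sh
# Added example: prints configuration text only; it changes nothing on the system.
# Every address, port and domain below is a constructed sample value.
FW_IP=192.168.50.101      # container 101 (firewall)
PROXY_IP=192.168.50.102   # container 102 (Apache reverse proxy)
SITES='site-a.example 8103 192.168.50.103
site-b.example 8104 192.168.50.104'

# Fail on a non-numeric, out-of-range or reused port; a reused port would
# deliver two domains to the same container.
check_sites() {
  printf '%s\n' "$1" | (
    seen=' '
    while read -r domain port ip; do
      case $port in ''|*[!0-9]*) exit 1 ;; esac
      [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || exit 1
      case $seen in *" $port "*) exit 1 ;; esac
      seen="$seen$port "
    done
  )
}

# Commands to run inside container 101: default-deny forwarding, then one
# explicit path per site that only the proxy may use.
fw_rules() {
  check_sites "$1" || { echo 'bad mapping' >&2; return 1; }
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo "iptables -t nat -A PREROUTING -d $FW_IP -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $PROXY_IP"
  echo "iptables -A FORWARD -d $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT"
  printf '%s\n' "$1" | while read -r domain port ip; do
    echo "iptables -t nat -A PREROUTING -s $PROXY_IP -d $FW_IP -p tcp --dport $port -j DNAT --to-destination $ip:$port"
    # Return path: masquerade so the backend replies via 101 (not straight
    # to 102), letting connection tracking reverse the DNAT.
    echo "iptables -t nat -A POSTROUTING -s $PROXY_IP -d $ip -p tcp --dport $port -j MASQUERADE"
    echo "iptables -A FORWARD -s $PROXY_IP -d $ip -p tcp --dport $port -j ACCEPT"
  done
}

# Name-based virtual hosts for container 102 (mod_proxy and mod_proxy_http).
proxy_vhosts() {
  printf '%s\n' "$1" | while read -r domain port ip; do
    printf '<VirtualHost *:80>\n  ServerName %s\n  ProxyPreserveHost On\n' "$domain"
    printf '  ProxyPass / http://%s:%s/\n  ProxyPassReverse / http://%s:%s/\n</VirtualHost>\n' \
      "$FW_IP" "$port" "$FW_IP" "$port"
  done
}

fw_rules "$SITES" && proxy_vhosts "$SITES"
```

Because the FORWARD policy is DROP and each backend port is accepted only from the proxy's address, a site container has no forwarded path through container 101 to another site's port.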