# Routing traffic to three identical virtual machines

## sirlark

Hi all,

I'm developing a system which combines a PostgreSQL/Apache/PHP stack with an SFTP server. I'm deploying it in a virtual machine, and would like to have two additional virtual machines on the same physical server. The three virtual machines are for production, testing and training respectively. Also the physical server is running mediawiki, bugzilla and a couple of other LAMP stack odds and ends.

I am using virtualbox OSE and the three virtual machines will be running headless, i.e. my only access will be via SSH. Also the server is sitting in a lab at my university, and the university IP let my machine take multiple IP addresses, meaning I can't use iptables to route traffic to the appropriate VM based on ip address. I don't want to use different port numbers for the same service on the different virtual machines, as the entire point of them is to be identical.

Someone suggested using apache's mod_proxy on the physical server to route via domain name, but can this route SSH traffic? What about SFTP? HTTPS seems to be no problem.

Thanks.

----------

## BradN

Unfortunately there has to be some way to distinguish which machine the traffic is for.  When an incoming connection comes for, say, port 22(ssh), which virtual machine (or the host) gets it?

I wonder if it's possible to set up something like this with port knocking to select alternate machines.

Say, normally when a connection comes in, it's for your production VM.  But if you first ping (tcping for example, real ping doesn't use ports) or try to connect to a special port (one port for each endpoint), your client machine is flagged as wanting to connect to a certain VM or the host.  This can last either for a long time-out, or until you ping a different port to reset it.

I don't have specifics on setting this up, but it sounds like it might be the closest thing to what you're looking for, since the selection mechanism doesn't need to be performed by the real client program (just another program running on the client).  You just run one command and all further actions automatically go to the VM you want.

A drawback may be difficulty in communicating between VM's (unlikely that you want to) or between the host and VM's, but this all depends on how it's set up.

Here's an overview of port knocking with some links, but beware this is a slightly different purpose than it's normally used for - so you will see them using it for access control rather than access selection:  http://en.wikipedia.org/wiki/Port_knocking

----------

## Anarcho

> and the university IP let my machine take multiple IP addresses, meaning I can't use iptables to route traffic to the appropriate VM based on ip address.

That's the point I don't understand. If you already have multiple IP addresses, why don't you use them? Just use bridge networking for the VMs and assign each one of the public IP addresses. In doing that, there is no need for iptables.

----------

## BradN

I think he miswrote trying to say that they don't give separate IP addresses.

----------

## sirlark

If I were to use mod_proxy to run a reverse proxy on the host, then wouldn't the requested domain name be the distinguishing factor? I could set up the DNS records so all three domains point to the same IP address. As far as communicating between VMs I don't need to do that, and the host/VM communications are working fine already.

My question is really whether mod_proxy will work for SSH and SFTP, because it strikes me this would be the equivalent of a man-in-the-middle attack? Also I still have very little idea how to go about setting this up, and the apache docs are a little obscure.

----------

## Anarcho

Of course mod_proxy won't work for SSH.

But what about my question, how many IP addresses do you have?

----------

## sirlark

sorry, typo there. To clarify: I can't get the additional IP addresses

----------

## Anarcho

Then it looks like the only way would be mod_proxy for HTTP traffic and different ports for SSH or routing based on the source IP address.

SSH and iptables have no clue about the used DNS names.

----------
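The two conclusions of this thread (BradN's "knock a selector port, then connect" idea for SSH, and Anarcho's summary that HTTP can be routed by name while SSH can only be routed by source address or port) can be put side by side in one small simulation. The following is an added example, not code from any poster; it models what a front end on the physical host can decide for each new connection. HTTP(S) is routed on the `Host` header, which is what Apache mod_proxy with name-based virtual hosts does once the host terminates TLS; port 22 is routed on a knock-selection table with a timeout, then on a fixed source-subnet table, and otherwise to production. The VM addresses, DNS names, selector ports, the `192.0.2.0/24` subnet and the 600-second timeout are all assumed values.

```python
"""Front-end dispatch for one public IP in front of three identical VMs.

Added example, not code from the thread. The SSH client only ever sends
"SSH-2.0-<software>" and no server name, so for port 22 the only routing
keys are the client's source address and a prior port knock. For HTTP(S)
the Host header is available once the host has terminated TLS.
All addresses, names, ports, subnets and the timeout are assumed values.
"""
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed VM addresses on the host-side network; all three DNS names
# resolve to the host's single public address.
VM_BY_HOSTNAME: Dict[str, str] = {
    "prod.example.edu": "10.0.2.10",
    "test.example.edu": "10.0.2.11",
    "train.example.edu": "10.0.2.12",
}
DEFAULT_VM = "10.0.2.10"  # production receives unselected SSH traffic

# One selector port per target (BradN's scheme): hit the port, then connect.
KNOCK_PORT_TO_VM: Dict[int, str] = {
    2210: "10.0.2.10",
    2211: "10.0.2.11",
    2212: "10.0.2.12",
}
KNOCK_TTL_SECONDS = 600.0

# Fixed source-address assignment (Anarcho's fallback): an assumed training
# lab subnet that should always land on the training VM.
VM_BY_SOURCE_NET: Dict[str, str] = {"192.0.2.0/24": "10.0.2.12"}


class Dispatcher:
    """Decides which VM a new inbound connection is forwarded to."""

    def __init__(self, ttl: float = KNOCK_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock  # injectable so the timeout can be tested
        # source IP -> (selected VM, expiry): the state an iptables
        # `-m recent --set` / `--rcheck --seconds N` pair would hold.
        self._selection: Dict[str, Tuple[str, float]] = {}

    def knock(self, src_ip: str, dst_port: int) -> Optional[str]:
        """Record a hit on a selector port; return the VM now selected."""
        vm = KNOCK_PORT_TO_VM.get(dst_port)
        if vm is None:
            return None
        # A later knock overwrites the earlier one. Because the key is the
        # source address, users behind one shared NAT address cannot each
        # pick a different VM: that is the scheme's main limitation.
        self._selection[src_ip] = (vm, self.clock() + self.ttl)
        return vm

    def route_ssh(self, src_ip: str) -> str:
        """Backend for a new connection to port 22 (SSH or SFTP)."""
        entry = self._selection.get(src_ip)
        if entry is not None:
            vm, expiry = entry
            if self.clock() < expiry:
                return vm
            del self._selection[src_ip]  # the knock has timed out
        addr = ipaddress.ip_address(src_ip)
        for net, vm in VM_BY_SOURCE_NET.items():
            if addr in ipaddress.ip_network(net):
                return vm
        return DEFAULT_VM

    @staticmethod
    def route_http(request_head: bytes) -> Optional[str]:
        """Backend from the Host header; None means no virtual host matches."""
        for line in request_head.split(b"\r\n")[1:]:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                # Strip an optional :port (IPv4 names/literals only here).
                host = host.split(":")[0].lower().rstrip(".")
                return VM_BY_HOSTNAME.get(host)
        return None

    def route(self, src_ip: str, dst_port: int,
              first_bytes: bytes) -> Optional[str]:
        """Dispatch one new connection given its destination port and first bytes."""
        if dst_port in (80, 443):
            return self.route_http(first_bytes)
        if dst_port == 22:
            # first_bytes is e.g. b"SSH-2.0-OpenSSH_9.6\r\n": protocol version
            # and software name only, so there is nothing name-based to use.
            return self.route_ssh(src_ip)
        return None


if __name__ == "__main__":
    clock = [0.0]
    d = Dispatcher(ttl=600.0, clock=lambda: clock[0])
    ssh_hello = b"SSH-2.0-OpenSSH_9.6\r\n"  # constructed sample
    print(d.route("198.51.100.7", 22, ssh_hello))  # 10.0.2.10 (production)
    d.knock("198.51.100.7", 2211)
    print(d.route("198.51.100.7", 22, ssh_hello))  # 10.0.2.11 (testing)
    clock[0] += 601.0
    print(d.route("198.51.100.7", 22, ssh_hello))  # 10.0.2.10 again
    print(d.route("198.51.100.7", 443,
                  b"GET / HTTP/1.1\r\nHost: train.example.edu\r\n\r\n"))  # 10.0.2.12
```

On a real host the `_selection` table would be iptables `-m recent` state and each routing decision a DNAT rule to the chosen VM; the simulation is only there to make the decision logic and its edge cases (timeout, overwritten knock, shared source address) visible. Two caveats a practitioner would add: the name-based HTTPS routing only works if the host itself holds the certificates for all three names and terminates TLS before proxying, and the knock table keys on the client's public address, so two people behind the same NAT cannot be on different VMs at the same time.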

