Set up private networking between 2 Linodes
I would like to set up a private network between 2 Linodes. Can this be done?
3 Replies
As long as the 2 Linodes are in the same datacenter, this can be done but remember that you cannot create a network that is private to only those 2 Linodes. The private network is accessible to the entire datacenter. That said, if you configure your firewalls correctly you can make it so that communication can only happen between the 2 Linodes. You can create iptables rules to make this happen. To only accept incoming connections from a specific address, you can use a ruleset such as:
sudo iptables --policy INPUT DROP
sudo iptables -A INPUT -p tcp -s <source.ip> --sport <port> -j ACCEPT   # --sport/--dport are only valid after a protocol match (-p tcp or -p udp)
If you only want the two servers to be able to send outgoing connections between each other, you could use a ruleset like:
sudo iptables --policy OUTPUT DROP
sudo iptables -A OUTPUT -p tcp -d <destination.ip> --dport <port> -j ACCEPT
You can leave out the '--sport <port>' and '--dport <port>' parts if you're not configuring a rule for a specific port or service. If you are, make sure to account for connection states, as well as properly identifying TCP vs UDP protocols, where applicable. For example, to serve a webpage, but not allow browsing from your server:
sudo iptables -p tcp -A INPUT -s <source.ip> --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -p tcp -A OUTPUT -d <destination.ip> --dport 80 -m state --state ESTABLISHED -j ACCEPT
If you did want to allow browsing for any reason (like to allow the use of 'curl' or anything else that uses port 80 for outgoing connections originating from within your server), you would simply change 'ESTABLISHED' in the second rule to 'NEW,ESTABLISHED'.
I have included our guide on iptables, which also discusses how to make your rules stay persistent through a reboot, for your reference.
If you are using CentOS 7 or above, I have included our guide on FirewallD, since this is the tool used to configure iptables rules on the newer versions of that particular distribution.
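Added example, not code from the reply above or from Linode's guides: a small POSIX shell script that builds the kind of ruleset the reply describes, but scoped to the private network only, so a blanket INPUT DROP policy does not also cut off SSH over the public address. The peer IP, service port and private address block are constructed placeholders (the 192.168.128.0/17 block is an assumption; check the actual private range for your datacenter). The generated rules let the peer Linode open connections to one TCP port on this host and drop everything else to or from the private block; rule order is what makes this work, since iptables evaluates a chain top to bottom and the narrow ACCEPTs must sit above the broad DROPs.

```shell
#!/bin/sh
# Added example (not from the original reply). Restricts traffic on the
# datacenter-wide private network to a single peer Linode and a single TCP
# service, and drops all other private-network traffic. Public-address
# traffic is untouched, so management access over the public IP survives.
#
# Constructed placeholder values, not values from the page:
#   peer_ip  private IP of the other Linode
#   port     TCP port this Linode serves to the peer
#   net      the datacenter's private address block (assumed 192.168.128.0/17)

# Print the ruleset without applying it. The ACCEPT rules for the peer come
# first; the DROP for the whole private block comes last in each chain.
# -m conntrack --ctstate is the current spelling of -m state --state.
private_peer_rules() {
    peer_ip="$1"
    port="$2"
    net="$3"
    cat <<EOF
iptables -A INPUT -s $peer_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s $peer_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $net -j DROP
iptables -A OUTPUT -d $peer_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $net -j DROP
EOF
}

# Apply the ruleset (needs root). Every -A rule is probed with -C first, so
# running the script twice does not append duplicate rules.
apply_private_peer_rules() {
    private_peer_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# Show the rules for the constructed example; nothing is applied here.
private_peer_rules 192.168.200.10 5432 192.168.128.0/17
```

As written this host only answers the peer (the equivalent of "serve, but don't browse"); to let this host also initiate connections to a service on the peer, add an OUTPUT rule with `-d <peer_ip> -p tcp --dport <port> -m conntrack --ctstate NEW -j ACCEPT` above the OUTPUT DROP. Run `apply_private_peer_rules` as root after reviewing the printed rules, and use the persistence method from the iptables guide so they survive a reboot.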
Hope to see the account VLAN feature soon; trying to stall my guys who are pushing to switch to DO for this feature.