Create a secure private network between Linodes?
I'm trying to create a setup in which one of my Linodes is exposed to the internet, while the rest of them only communicate with each other via private network. Should I use a VPN for this, or is there a better way?
2 Replies
On 192.168.1.2, add these rules, remembering to substitute the example IP addresses for the addresses that you are actually using:
# default iptables policy - this ruleset will be followed for
# connections that have no associated rule
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# allow all communication to and from 192.168.3.4
iptables -A INPUT -s 192.168.3.4 -j ACCEPT
iptables -A OUTPUT -d 192.168.3.4 -j ACCEPT
# similar rules for other servers living
# in the private network go here
On 192.168.3.4, add these rules, remembering to substitute the example IP addresses for the addresses that you are actually using:
# default iptables policy - this ruleset will be followed for
# connections that have no associated rule
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# allow all communication to and from 192.168.1.2
iptables -A INPUT -s 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.2 -j ACCEPT
# similar rules for other servers living
# in the private network go here
If you wish to have more granular control (e.g. if you only wish to allow communication on a specific port), you can use a ruleset like this:
# default iptables policy - this ruleset will be followed for
# connections that have no associated rule
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# these rules allow communication between 192.168.1.2 and 192.168.3.4, but only
# on port 22 (SSH). "-m multiport --ports 22" matches port 22 as either the
# source or the destination port, so the INPUT rule covers both connections to
# this server's sshd (destination port 22) and the replies coming back from the
# other server's sshd (source port 22); a plain --sport 22 on INPUT would only
# cover the second case and would drop incoming SSH connections.
iptables -A INPUT -p tcp -s 192.168.1.2 -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.2 -m multiport --ports 22 -m state --state ESTABLISHED -j ACCEPT
# similar rules for other servers living
# in the private network go here
Be aware that the ruleset above will allow incoming SSH connections, as well as allowing the SSH connection to return information once a connection has been established, but it will not allow a user to run SSH from within the server on which the rule is configured. To allow that, you could alter the second rule to say --state NEW,ESTABLISHED. The NEW designation on the outgoing rule is what allows you to start an SSH session from that server to another.
I believe that this will ultimately be the simplest way, but make sure to account for all 7 of your servers when defining your iptables rulesets. Since I can't guarantee that all of the private IPs assigned by our network will be in the same subnet (they are randomly assigned by our system at the time that they are added), it would probably be best to configure rules for each IP, as opposed to configuring rules for an entire range, since this would allow communication from other Linodes in the same datacenter if they are in that range.
*** EDITED IN ORIGINAL ANSWER ***
I'd like to make a slight edit to this - a VPN would not necessarily require users to have the client installed. Since it has a public facing IP address and the server itself is hooked into the VPN, the end result should be a publicly accessible front-end which has access to the VPN, thus eliminating the need for users to install the client software. In light of that fact, either solution would probably be more or less equally effective.
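The reply above hand-writes one accept rule per peer and warns against allowing a whole address range. The script below is an added example (not code from the original post or from Linode): it generates the complete ruleset for one member of the private network in iptables-restore format, one explicit rule per peer address and per TCP port, refuses any peer entry that is a range rather than a single host, and loads the result atomically after a dry run. The peer addresses, port lists and function names (gen_rules, is_single_ipv4, apply_rules) are placeholders assumed for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore ruleset
# for one private-network member. Addresses and ports used in the usage lines
# at the bottom are made up for illustration.

# Accept only a single IPv4 host address. A CIDR range such as 192.168.0.0/16
# would also admit other customers' Linodes in the same datacenter, which is
# exactly the case the answer warns about.
is_single_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules PEERS PRIVATE_PORTS [PUBLIC_PORTS]
#   PEERS         space-separated private IPs of the other members
#   PRIVATE_PORTS TCP ports those peers may open connections to on this host
#   PUBLIC_PORTS  TCP ports open to the whole internet (only on the exposed host)
# Writes an iptables-restore file to stdout; returns 1 on a bad peer address.
gen_rules() {
    peers=$1; private_ports=$2; public_ports=${3:-}
    for p in $peers; do
        is_single_ipv4 "$p" || { echo "refusing non-host address: $p" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback, plus replies to connections this host opened itself (this is
    # what lets an admin run ssh from the server without a per-port rule)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # one explicit rule per (peer, port): no other host on the private network
    # can open a connection to this server
    for p in $peers; do
        for port in $private_ports; do
            printf '%s\n' "-A INPUT -p tcp -s $p --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # services the internet-facing member offers to everyone
    for port in $public_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-peer accept rules in a ruleset read from stdin; useful for
# confirming that every member (all seven, in the thread's case) made it in.
count_peer_rules() {
    grep -c '^-A INPUT -p tcp -s '
}

# Dry-run the generated ruleset with iptables-restore --test, then load it in
# one atomic step so there is never a half-applied table. Needs root.
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Usage (example addresses): a private-only member that offers SSH and
# PostgreSQL to two peers, then the exposed member that also serves HTTP(S).
#   gen_rules "192.168.1.2 192.168.3.4" "22 5432"
#   apply_rules "192.168.1.2 192.168.3.4" "22" "80 443"
```

Because the private and public addresses of a Linode historically shared one interface, the rules key on source address rather than on interface name, which is also why a range match would be unsafe here: it would open the port to every other customer's Linode whose private address happens to fall in that range.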