Is it possible to remove the public IP address from a Linode?
My goal is to reduce the attack surface of my services.
I suppose there are several ways to access the machine behind the firewall. The use case I'm thinking of is completely isolating a database server from the internet and using another machine on my vlan to access it, sort of as a bastion host. I suppose though that I would need to establish a gateway and have some kind of nat out from the private network to the internet if I ever wanted to update the machine. But then I wonder if maybe just having a properly configured firewall would be sufficient.
Has anyone dealt with this before? What else should I be thinking about?
Huzzah, I answered my own question with a bit more searching: https://www.linode.com/community/questions/17073/create-a-secure-private-network-between-linodes
While that post doesn't explicitly discuss what I was wondering about, it explains that you can remove the public IP address of your Linode and use a private network to communicate. All good!
it explains that you can remove the public IP address of your Linode
Actually, no…what the article demonstrates is blocking all traffic on the public IPv4 addresses. This is very different than removing a Linode's public IP addresses.
use a private network to communicate.
While a private network is available to your Linode, it is NOT secure unless you secure it yourself. The article doesn't explain that part…it only demonstrates how to open your Linode's private IPv4 address to traffic.
You also don't want to forget about IPv6 on the public side.
Are the apps/services that use your database all web-facing? If so, you can restrict the database to only listen and speak to localhost by opening the database port only to localhost. Traffic to/from localhost cannot escape into the wild (the 127.0.0.0/8 network and the address ::1/128 are specifically allocated for loopback…both are classified as bogons and are not routable…in fact, localhost traffic doesn't even use the public network interface -- it has its own: /dev/lo).
Even better, if your database allows it, use local-domain sockets (née Unix-domain sockets) for IPC to the database (for MySQL/MariaDB see: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-unix-socket.html ). The network stack is not involved at all in IPC to/from local-domain sockets (so there's nearly zero latency).
-- sw
P.S. Here is a complete list of bogon (special purpose, un-routable) networks:
https://ipgeolocation.io/resources/bogon.html
You should never, ever allow inbound traffic from any of these on an externally-connected interface! (caveat: the IPv6 Additional Bogon Ranges mentioned are used for tunneling -- a transition mechanism for IPv4/IPv6 intercommunication…mostly unnecessary these days…however, YMMV).
Here's an example of how to block a few of these with iptables:
https://askubuntu.com/questions/868212/easiest-way-to-block-bogon-ip
For IPv6 bogons, you have to set up the rules with ip6tables to block them (when is Linux going to fix this?).
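Putting the replies above together (an added example, not code from the thread, the linked Linode post, or Linode's docs): a POSIX shell script that prints an iptables/ip6tables ruleset for a Linode that keeps its public IPv4 and IPv6 addresses but exposes nothing on them, admits SSH and the database port only from the private network, and drops bogon-sourced packets on both address families. It assumes the public and private IPv4 addresses share one interface named eth0, that the data centre's private range is 192.168.128.0/17, and that the database is MySQL/MariaDB on port 3306; all three are assumptions to check against your own Linode. The script prints rather than applies the rules so they can be reviewed first. Two ordering points are the part a bare bogon list does not show: 192.168.0.0/16 is itself a bogon, so the private-network accepts must come before the bogon drops, and IPv6 neighbour discovery arrives from fe80::/10 link-local sources, so ICMPv6 must be accepted before that range is dropped or the public IPv6 address stops working.

```shell
#!/bin/sh
# Added example (not from the Linode thread): print a firewall ruleset that keeps the
# public IPv4/IPv6 addresses but exposes nothing on them, admits SSH and the database
# port only from the private network, and drops bogon-sourced packets on both families.

PUB_IF="${PUB_IF:-eth0}"                   # assumption: public and private IPv4 share eth0
PRIV_NET="${PRIV_NET:-192.168.128.0/17}"   # assumption: the data-centre private range; verify yours
DB_PORT="${DB_PORT:-3306}"                 # assumption: MySQL/MariaDB default port

# IPv4 special-purpose ranges that must never be a source on an internet-facing interface.
BOGONS4="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24
224.0.0.0/4 240.0.0.0/4"
# IPv6 equivalents. Teredo (2001::/32) and 6to4 (2002::/16) are the tunnelling ranges
# the reply mentions; add them here only if you are sure you do not rely on them.
BOGONS6="::/128 ::1/128 ::ffff:0:0/96 2001:db8::/32 fc00::/7 fe80::/10"

gen_rules() {
    # Default-deny inbound and forwarded traffic on both families; leave outbound open so
    # package updates work without a NAT gateway. Loopback stays open for the database.
    for fw in iptables ip6tables; do
        echo "$fw -P INPUT DROP"
        echo "$fw -P FORWARD DROP"
        echo "$fw -P OUTPUT ACCEPT"
        echo "$fw -A INPUT -i lo -j ACCEPT"
        echo "$fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    # Private-network accepts come BEFORE the bogon drops: the private range sits inside
    # 192.168.0.0/16, which is itself on the bogon list, and it arrives on the same NIC.
    echo "iptables -A INPUT -i $PUB_IF -s $PRIV_NET -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -i $PUB_IF -s $PRIV_NET -p tcp --dport $DB_PORT -j ACCEPT"
    # ICMPv6 (neighbour discovery, router advertisements) comes from fe80::/10 sources;
    # accept it before dropping that range or the public IPv6 address goes dead.
    echo "ip6tables -A INPUT -i $PUB_IF -p ipv6-icmp -j ACCEPT"
    for net in $BOGONS4; do echo "iptables -A INPUT -i $PUB_IF -s $net -j DROP"; done
    for net in $BOGONS6; do echo "ip6tables -A INPUT -i $PUB_IF -s $net -j DROP"; done
    # Everything else inbound on the public addresses falls through to the DROP policy.
}

# 1-based position of the first rule containing a fixed string; empty if absent.
rule_index() {
    gen_rules | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Number of explicit "-j DROP" rules (chain policies excluded), for a sanity check.
count_drops() {
    gen_rules | grep -c -- '-j DROP'
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh ;;   # run as root, only after reviewing the printed output
esac
```

Run it without arguments to review the rules, then `apply` as root once the interface name, private range and port are right, and persist the result with iptables-save/ip6tables-save (or your distribution's equivalent) so it survives a reboot. Outbound traffic stays open, so the Linode can still reach package mirrors without the NAT gateway the question worries about; the database itself should additionally be bound to 127.0.0.1 or a Unix-domain socket when its clients are local, as the reply above suggests, so that the firewall is the second layer rather than the only one.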