IPTables and IP Aliasing
6 Replies
@TehDan:
Without you giving details of your firewall setup, it's hard to say. In general you should simply be able to filter by the destination (-d) / source (-s) addresses?
It's a pretty basic setup. In the previous setup I had eth0 configured with my public IP; eth1 was my private. I've got my mysql server on my private network and my db traffic going through the inside NIC.
Now with the recent change I try to open all traffic to the private IP and restrict my public to ssh, http, dns. Doesn't work: whenever I activate iptables now I lose connectivity to my db server on my private network.
@marcus0263:
I've got my mysql server on my private network and my db traffic going through the inside NIC.
Now with the recent change I try to open all traffic to the private IP and restrict my public to ssh, http, dns. Doesn't work: whenever I activate iptables now I lose connectivity to my db server on my private network.
The following two additions ought to permit such traffic:
iptables -I INPUT 1 -s db.server.private.ip -j ACCEPT
iptables -I OUTPUT 1 -d db.server.private.ip -j ACCEPT
Of course, your DB server must be set up to permit the incoming traffic! If this doesn't work, maybe there's some fancy footwork going on in the other tables besides the 'filter' table? Do this to see what they contain:
iptables -t nat -nv -L
iptables -t mangle -nv -L
iptables -t raw -nv -L
If all else fails, you could create an ssh forward from the web server to the other host:
ssh -L localhost:3306:localhost:3306 db.server.private.ip
and point your DB-using applications at 'localhost' instead of the other server. The extra overhead might slow down queries, but I don't know by how much.
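As an added example (not from this thread or from Linode), here is a complete filter-table ruleset for the situation described above, where the public and private addresses are aliases on the same NIC, so the rules match on address (-s / -d) rather than on interface. The addresses are assumed placeholders (PUBLIC_IP, PRIVATE_NET, DB_SERVER are made up; set them to your own), and the script runs in dry-run mode by default, printing the iptables commands instead of executing them; set IPT=iptables to apply. Accept rules are added before the DROP policy is set, so applying it over an SSH session does not lock you out, and unmatched packets are logged before being dropped so a blocked DB connection shows up in the kernel log instead of silently timing out.

```shell
#!/bin/sh
# Added example, not the thread's own rules. All addresses are assumed placeholders.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"        # assumed: the public alias on the NIC
PRIVATE_NET="${PRIVATE_NET:-192.168.0.0/16}"  # assumed: the private LAN range
DB_SERVER="${DB_SERVER:-192.168.0.20}"        # assumed: MySQL host on the private LAN
IPT="${IPT:-echo iptables}"                   # dry-run by default; IPT=iptables to apply

# Emit (or apply) the INPUT/OUTPUT rules. Matching is by address, not interface,
# because both addresses live on the same NIC after the aliasing change.
build_rules() {
    # Start from a clean INPUT chain but leave the policy open until rules are in place.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # Loopback and replies to connections this host already opened (including the
    # MySQL client's own connections to the DB server).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Private side: everything from the DB server, ICMP from the rest of the LAN.
    $IPT -A INPUT -s "$DB_SERVER" -j ACCEPT
    $IPT -A INPUT -s "$PRIVATE_NET" -p icmp -j ACCEPT

    # Public side: only ssh, http and dns addressed to the public alias.
    $IPT -A INPUT -d "$PUBLIC_IP" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -d "$PUBLIC_IP" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -d "$PUBLIC_IP" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -d "$PUBLIC_IP" -p tcp --dport 53 -j ACCEPT

    # Log what is about to be dropped (rate-limited) so a blocked DB connection is
    # visible in dmesg/syslog, then close the door.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -P INPUT DROP

    # Outbound: keep it open, but make the DB path explicit so a later restrictive
    # OUTPUT policy cannot silently break it.
    $IPT -P OUTPUT ACCEPT
    $IPT -I OUTPUT 1 -d "$DB_SERVER" -j ACCEPT
    $IPT -P FORWARD DROP
}

# Dump the other tables, as the reply above suggests, to spot rules hiding there.
show_other_tables() {
    for t in nat mangle raw; do
        $IPT -t "$t" -nv -L
    done
}

build_rules
```

Run it once as-is to review the generated commands, then re-run with IPT=iptables as root. Rules added with -A (append) are checked in order, so the ESTABLISHED,RELATED rule near the top is what lets the DB server's replies through; the explicit -s DB_SERVER rule only matters for connections the DB server opens toward this host.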
iptables -I INPUT 1 -s db.server.private.ip -j ACCEPT
iptables -I OUTPUT 1 -d db.server.private.ip -j ACCEPT
Should SSL tunnels be used, or a VPN?
@bd3521:
Is this the securest solution?
It's rare that one can say that things can't possibly be made more secure. Those iptables rules only allow traffic to/from the specified IP (not other Linodes or random hosts on the Internet). However, the connection to the DB server is not encrypted or protected. In theory someone in the datacenter could sniff the traffic, so if you're paranoid you could use the ssh trick I described or configure SSL support in MySQL to encrypt it (among the other options you mentioned). Practically, I wouldn't worry about it unless I were processing credit card numbers or equally sensitive information.