Linode Community Forums

Post subject: IPTables and IP Aliasing
PostPosted: Thu Feb 19, 2009 3:17 pm
Senior Member
Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
Is it possible? Since Linode no longer supports separate NICs and we have to go with IP aliasing, I'm having to rebuild my iptables rules. For the life of me I can't get them going; I've done some googling and it seems that iptables doesn't support aliasing. Am I wrong? Is there a workaround?

_________________
Where "Thought Crime" is committed
http://www.rejecttheherd.net

PostPosted: Thu Feb 19, 2009 3:30 pm
Senior Member
Joined: Thu Nov 25, 2004 10:05 am
Posts: 52
Without you giving details of your firewall setup, it's hard to say. In general you should simply be able to filter by the destination (-d) / source (-s) addresses?


PostPosted: Thu Feb 19, 2009 3:46 pm
Senior Member
Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
TehDan wrote:
Without you giving details of your firewall setup, it's hard to say. In general you should simply be able to filter by the destination (-d) / source (-s) addresses?

It's a pretty basic setup. In the previous setup I had eth0 configured with my public IP and eth1 was my private. I've got my MySQL server on my private network and my db traffic going through the inside NIC.

Now with the recent change I try to open all traffic to the private IP and restrict my public to ssh, http, dns. Doesn't work: whenever I activate iptables now I lose connectivity to my db server on my private network :evil:

_________________
Where "Thought Crime" is committed
http://www.rejecttheherd.net


PostPosted: Thu Feb 19, 2009 10:08 pm
Senior Member
Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
marcus0263 wrote:
I've got my mysql server on my private network and my db traffic going through the inside NIC.

Now with the recent change I try to open all traffic to the private IP and restrict my public to ssh, http, dns. Doesn't work: whenever I activate iptables now I lose connectivity to my db server on my private network


The following two additions ought to permit such traffic:

Code:
# on the web server: accept everything from the DB host and everything to it,
# inserted at position 1 so no later rule can reject the traffic first
iptables -I INPUT 1 -s db.server.private.ip -j ACCEPT
iptables -I OUTPUT 1 -d db.server.private.ip -j ACCEPT


Of course, your DB server must be set up to permit the incoming traffic! If this doesn't work, maybe there's some fancy footwork going on in the other tables besides the 'filter' table? Do this to see what they contain:

Code:
# list the other tables with packet counters (-v) and numeric addresses (-n)
iptables -t nat -nv -L
iptables -t mangle -nv -L
iptables -t raw -nv -L


If all else fails, you could create an ssh forward from the web server to the other host
Code:
# forward local port 3306 over ssh to port 3306 on the DB host's loopback
ssh -L localhost:3306:localhost:3306 db.server.private.ip

and point your DB-using applications at 'localhost' instead of the other server. The extra overhead might slow down queries, but I don't know by how much.
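The layout discussed in this thread (public and private addresses as aliases on one interface, MySQL reachable only over the private address) written out as a complete ruleset for both hosts. This is an added example, not code from the thread or from Linode; the four addresses are placeholders (203.0.113.x for the public aliases, 192.168.140.x for the private ones), the DRY_RUN switch is added so the rules can be printed and reviewed without root, and the DB-host half goes beyond the thread's any-port rule by admitting MySQL traffic only on port 3306 and only from the web host's private address. The point of the example is that nothing matches on -i/-o; every rule matches on -s/-d, which is what still works once both addresses sit on eth0.

```shell
#!/bin/sh
# Added example, not code from the thread: address-based iptables rules for a
# web host and a DB host whose public and private addresses are aliases on the
# same interface, so rules match on -s/-d rather than on -i eth1.
# All four addresses are placeholders chosen for this example.
set -eu

WEB_PUBLIC_IP="${WEB_PUBLIC_IP:-203.0.113.10}"       # web host, public alias
WEB_PRIVATE_IP="${WEB_PRIVATE_IP:-192.168.140.10}"   # web host, private alias
DB_PUBLIC_IP="${DB_PUBLIC_IP:-203.0.113.20}"         # DB host, public alias
DB_PRIVATE_IP="${DB_PRIVATE_IP:-192.168.140.20}"     # DB host, private alias

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can
# be reviewed without root and without touching the live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Web host: the public alias answers only ssh/http/dns, the private alias is
# open to the DB host.
web_rules() {
    # Open the policy first, then flush and rebuild; the DROP policy is set
    # last, so a failing rule leaves the host open rather than locking out
    # the ssh session that is running this script.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (MySQL replies included) are
    # accepted here, so an explicit DB-host rule only matters for connections
    # the DB host opens itself.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Private side: anything the DB host sends to our private alias.
    ipt -A INPUT -s "$DB_PRIVATE_IP" -d "$WEB_PRIVATE_IP" -j ACCEPT
    # Public side: only ssh, http and dns reach the public alias.
    ipt -A INPUT -d "$WEB_PUBLIC_IP" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -d "$WEB_PUBLIC_IP" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -d "$WEB_PUBLIC_IP" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -d "$WEB_PUBLIC_IP" -p udp --dport 53 -j ACCEPT
    ipt -P INPUT DROP
}

# DB host: tighter than the thread's any-port rule. MySQL is reachable only
# from the web host's private address, only on 3306, and never on the public
# alias; ssh stays open on the public alias for administration.
db_rules() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -s "$WEB_PRIVATE_IP" -d "$DB_PRIVATE_IP" -p tcp --dport 3306 -j ACCEPT
    ipt -A INPUT -d "$DB_PUBLIC_IP" -p tcp --dport 22 -j ACCEPT
    ipt -P INPUT DROP
}

case "${1:-}" in
    web) web_rules ;;
    db)  db_rules ;;
    *)   echo "usage: $0 web|db   (DRY_RUN=1 prints the rules instead of applying them)" >&2 ;;
esac
```

Saved as, say, firewall.sh (an assumed name), `DRY_RUN=1 sh firewall.sh db` prints the DB-host rules for review and `sh firewall.sh web` applies the web-host rules as root. Other Linodes in the same private range get nothing: they do not match the DB host's address, so they fall through to the DROP policy, which is the property the later reply in this thread relies on.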


PostPosted: Fri Feb 20, 2009 1:23 pm
Junior Member
Joined: Thu Feb 05, 2009 12:48 pm
Posts: 24
Is this the securest solution?

Code:
iptables -I INPUT 1 -s db.server.private.ip -j ACCEPT
iptables -I OUTPUT 1 -d db.server.private.ip -j ACCEPT

Should SSL tunnels or a VPN be used?


PostPosted: Fri Feb 20, 2009 7:38 pm
Senior Member
Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
I use fwbuilder to create and manage my rules, and after messing about last night I just created rules based on IP to open up the traffic between the two. I was going wrong earlier by creating rules based on device, so after messing about all is well currently.

_________________
Where "Thought Crime" is committed
http://www.rejecttheherd.net


PostPosted: Sun Feb 22, 2009 3:59 am
Senior Member
Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
bd3521 wrote:
Is this the securest solution?


It's rare that one can say that things can't possibly be made more secure. Those iptables rules only allow traffic to/from the specified IP (not other Linodes or random hosts on the Internet). However, the connection to the DB server is not encrypted or protected. In theory someone in the datacenter could sniff the traffic, so if you're paranoid you could use the ssh trick I described or configure SSL support in MySQL to encrypt it (among the other options you mentioned). Practically, I wouldn't worry about it unless I were processing credit card numbers or equally sensitive information.

