Linode Forum https://forum.linode.com/

Firewall security question https://forum.linode.com/viewtopic.php?f=19&t=6650
Author: fergtm [ Fri Feb 04, 2011 12:09 am ]
Post subject: Firewall security question

Hi all, I have two linodes. The first one is running MySql and I want to connect to it from the second one. Currently the iptables firewall rules for the first linode are the following:

Code:
*filter

I'm planning to add the following rule:

Code:
-A INPUT -s 192.168.XXX.XXX -d 192.168.YYY.YYY -p tcp --dport 3306 -j ACCEPT

Where 192.168.XXX.XXX is the private IP of the linode from where I want to connect and 192.168.YYY.YYY is the private IP of the linode where MySql is running. I am not an expert in iptables, so I'm asking here if this looks OK.

Thanks

Author: otherbbs [ Mon Feb 07, 2011 6:29 pm ]
Post subject: Re: Firewall security question

fergtm wrote:
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

Typo, should be:

Code:
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

I wouldn't recommend mysql bound to your public IP address. Also, if you are concerned about privacy, I would encrypt your private traffic between your nodes.

-- Travis

Author: obs [ Mon Feb 07, 2011 6:51 pm ]

Linode private IPs are only private to the data centre, so in theory if a linode in the same centre got cracked they could sniff your traffic, so at the very least use https between your linodes; if you start using more services between them then consider using a VPN. http://library.linode.com/networking/openvpn/

Author: Guspaz [ Mon Feb 07, 2011 8:01 pm ]

obs wrote:
    Linode private ips are only private to the data centre, so in theory if a linode in the same centre got cracked then in theory they could sniff your traffic, so at the very least use https between your linodes, if you start using more services between them then consider using a vpn. http://library.linode.com/networking/openvpn/

No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.

Author: db3l [ Mon Feb 07, 2011 8:15 pm ]

Guspaz wrote:
    No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.

Even that wouldn't likely help on average, since it's extremely unlikely the private network isn't a switched fabric, so at best you'd be able to see broadcast traffic, not random unicast traffic between Linode pairs. Unless you cracked the host machine on which one of the endpoint Linodes resided (since then you've got a box that is the middle man in the stream), but in that case there are bigger problems than traffic sniffing...

To the OP, another option you might consider is just opening up a general hole (any port) but limiting it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.

-- David

Author: obs [ Mon Feb 07, 2011 10:08 pm ]

Oh cool, didn't know that, good to know.

Author: fergtm [ Mon Feb 07, 2011 10:58 pm ]
Post subject: Re: Firewall security question

otherbbs wrote:
    fergtm wrote:
        -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    Typo, should be:
    Code:
    -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
    -- Travis

Thanks. The firewall has been running with that typo for a while. I just copied the rules from a tutorial; what exactly was it doing wrong?

Guspaz wrote:
    obs wrote:
        Linode private ips are only private to the data centre, so in theory if a linode in the same centre got cracked then in theory they could sniff your traffic, so at the very least use https between your linodes, if you start using more services between them then consider using a vpn. http://library.linode.com/networking/openvpn/
    No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.

So basically the current configuration looks OK? I've already made the changes. Using nmap against the public IP shows only http/https/ssh open and the rest of the ports as filtered.

db3l wrote:
    To the OP, another option you might consider is just opening up a general hole (any port) but limit it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.
    -- David

Not sure how to do this. Is that allowing all traffic from the other Linode?

Author: db3l [ Mon Feb 07, 2011 11:39 pm ]
Post subject: Re: Firewall security question

fergtm wrote:
    db3l wrote:
        To the OP, another option you might consider is just opening up a general hole (any port) but limit it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.
        -- David
    Not sure how to do this. Is that allowing all traffic from the other Linode?

Right - just have a single allow rule (ACCEPT action) for a source IP address of your other Linode. Something like "-A INPUT -s #.#.#.# -j ACCEPT". Then do the same on the other end, with the opposing IP address.

-- David

Author: otherbbs [ Tue Feb 08, 2011 4:11 pm ]
Post subject: Re: Firewall security question

fergtm wrote:
    Thanks, The firewall have been running with that typo for a while. I just copied the rules from a tutorial, what was exactly doing wrong?.

The ! (NOT) was in the wrong location. The -i is for the interface. As posted it was 'NOT --interface lo' (local), which should have produced an error. The ! (NOT) can be used after -s (source), -d (destination), etc. The rule you posted originally you were going to add will work, but since you are REJECTing all other traffic you will probably need a rule for both directions, such as:

Code:
-A INPUT -s 192.168.XXX.XXX -d 192.168.YYY.YYY -p tcp --dport 3306 -j ACCEPT

Note the --dport and --sport. Also the order of the rules makes a difference.

-- Travis
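As an added example (not code from anyone in the thread), the following POSIX shell script assembles a complete `*filter` table for the MySQL Linode in iptables-restore format and checks the two points raised above: the 3306 ACCEPT is restricted to the other Linode's private address, and it sits before the catch-all REJECT, since iptables evaluates rules top down. It also includes a conntrack ESTABLISHED,RELATED rule, which is the usual way to let reply traffic through on both hosts without writing a separate `--sport 3306` rule for the return direction. The addresses 192.168.100.10 and 192.168.100.20 are constructed placeholders standing in for the XXX.XXX and YYY.YYY hosts. Note that current iptables releases accept `! -i lo` (negation before the option) as the standard spelling and only warn about the older `-i ! lo` form, so the loopback rule below uses the former.

```shell
#!/bin/sh
# Added example, not the thread's own ruleset. Builds an INPUT chain for the
# database host and verifies rule order before anything is loaded.
# Placeholder addresses (constructed, not the poster's real IPs):
CLIENT_PRIV=192.168.100.10   # Linode that connects to MySQL (XXX.XXX in the thread)
DB_PRIV=192.168.100.20       # Linode running MySQL (YYY.YYY in the thread)

# Print a full *filter table for the database host. Order matters: loopback,
# connection tracking, specific ACCEPTs, then the catch-all REJECT last.
gen_db_rules() {
    client=$1
    db=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed; anything else claiming 127/8 is spoofed
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened; on the client Linode this same
# rule lets MySQL's answers back in without a --sport 3306 rule
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# public services
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# MySQL only from the other Linode, and only on the private address
-A INPUT -s $client -d $db -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# everything else is refused
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Return 0 only if the 3306 ACCEPT appears before the final REJECT; if the
# REJECT came first it would win and the client could never connect.
check_order() {
    rules=$1
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 3306' | cut -d: -f1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j REJECT' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# Count INPUT rules that open port 3306 without a -s restriction. Should be 0:
# a 3306 rule with no source filter would expose MySQL to the whole subnet.
unrestricted_3306() {
    printf '%s\n' "$1" | grep -- '--dport 3306' | grep -vc -- '-s ' || true
}

RULES=$(gen_db_rules "$CLIENT_PRIV" "$DB_PRIV")
printf '%s\n' "$RULES"
if check_order "$RULES" && [ "$(unrestricted_3306 "$RULES")" = "0" ]; then
    echo "# ruleset check passed; load with: gen_db_rules $CLIENT_PRIV $DB_PRIV | iptables-restore"
else
    echo "# ruleset check FAILED; do not load" >&2
fi
```

The script only prints the ruleset; loading it is the separate `iptables-restore` step shown in the final message, so it can be reviewed first. The client Linode gets the mirror image: the same loopback and conntrack rules, with an OUTPUT rule or default OUTPUT ACCEPT letting it initiate to `DB_PRIV:3306`. Pairing this with MySQL's `bind-address` set to the private IP, as suggested earlier in the thread, means the public address never listens on 3306 at all, and an nmap scan of the public IP should keep reporting that port as filtered.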