2

I am using linode.com and they provide the ability to assign a private IP to each vps. What I am trying to do is setup each node's firewall to allow access from other nodes on the network, but I don't seem to have much success.

For example, I am trying to allow access to server1:1337 from server2, both are setup as follows:

server1:
   ifcfg-eth0:
     DEVICE="eth0"
     IPADDR="1.1.1.1"
     NETMASK="255.255.255.0"

   ifcfg-eth0:0:
     DEVICE="eth0:0"
     IPADDR="192.168.132.96"
     NETMASK="255.255.128.0"

server2:
   ifcfg-eth0:
     DEVICE="eth0"
     IPADDR="1.1.1.2"
     NETMASK="255.255.255.0"

   ifcfg-eth0:0:
     DEVICE="eth0:0"
     IPADDR="192.168.132.97"
     NETMASK="255.255.128.0"

And the IPTables ruleset on server1: 

#-----
# Flush all current rules from iptables#
#-----
iptables -F
iptables -F -t nat
#-----

#-----
# Set access for localhost
#-----
iptables -A INPUT -i lo -j ACCEPT

# !! Tried to allow all nodes on the subnet access to everything, but still didn't work !!
iptables -A INPUT -s 192.168.132.0/17 -j ACCEPT
#-----

#-----
# Accept packets belonging to established and related connections
#-----
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-----

# !! Tried to allow access to the port directly !!
iptables -A INPUT -i eth0:0 -p tcp -s 192.168.132.0/17 --dport 1337 -j ACCEPT 

#-----
# Lock everything down
#-----
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#-----

I did stumble across a couple of old forums stating that iptables cannot use the -i eth0:0 call, as the virtual settings share parent settings, but I wasn't able to confirm this fully.

--Edit--

I've also added the private subnet (192.168.132.0/17) to server2, but still can't get it to connect.

Mike Purcell
  • 1,708
  • 7
  • 32
  • 54
  • I hope, all commands without errors. Look at working firewall and rule counters after it by iptables -vL – mmv-ru Aug 06 '13 at 23:27
  • do you have a route from 192.168.132.96 to 192.168.132.97? – Christopher Perrin Aug 07 '13 at 06:24
  • Why do you use so strange network mask on eth0:0? I will suggest to run tcpdump on server 1 on port 1337 and try to connect from server2 (for e.g. via telnet) – ALex_hha Aug 07 '13 at 07:09
  • 1
    IF you disable iptables can you connect ? – user9517 Aug 07 '13 at 07:21
  • @Iain: Ya can connect np with iptables off. I added the private subnet to both servers iptables rules, and can connect via telnet, but can't connect via the native service (httpd etc). – Mike Purcell Aug 07 '13 at 16:58
  • 1
    Are you sure you're connecting via the private ip address then ? Try using `wget --bind-address=privateaddress ...` and `wget --bind-address=publicaddress ...` to check. – user9517 Aug 07 '13 at 17:02
  • @Iain: Good suggestion. I issued the following `wget --bind-address 192.168.132.96 http://192.168.132.97:1337`, and was able to connect via the private subnet, but when I go through the browser I am still getting a bad gateway, which leads me to believe it is a config issue with nginx, as I have it setup as a load-balancer using the upstream directive. – Mike Purcell Aug 07 '13 at 18:05
  • The problem is indeed in the nginx config, in my upstream directive I have: `upstream example.com { server server2:1337; }`, when I changed to internal ip it worked. I need to look into how to handle this so I don't have to add entries by ip address, but rather hostname, and still use internal network. – Mike Purcell Aug 07 '13 at 18:21

1 Answers1

4

Thanks to suggestions from comments and some info from linode tech support, I was able to resolve the connection issue.

To solve the problem, I needed to ensure that both server1 and server2 had the proper, private subnet entries for iptables:

iptables -A INPUT -s 192.168.132.0/17 -j ACCEPT

After making this entry on both servers, I could then telnet to server2:1337 (from server1) and monitor the bytes/packets via iptables and see that indeed, packets are being accepted:

$ -> telnet 192.168.132.97 1337
Trying 192.168.132.97...
Connected to 192.168.132.97.
Escape character is '^]'.

$ -> iptables -L -vn
Chain INPUT (policy DROP 337 packets, 18695 bytes)
pkts bytes target     prot opt in     out     source               destination
56 30019 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
53 40539 ACCEPT     all  --  *      *       192.168.128.0/17     0.0.0.0/0

The problem now is that I am using nginx as a load balancer, and it was using server2 dns entry, which I assume defaults to the public ip, which is not part of the iptables ruleset, nor should it be, otherwise I have to enter in every single ip on the private network to allow access to port 1337. However this issue is for another question, as the OP has been resolved.

-- Update --

Updating this answer in case anyone else stumbles across it in the future. I opted going with this solution; DNS Stealth. By adding the DNS capability to one of my VPS, I can add all the internal ips, and the external ips, so all my internal iptable configs should work as expected, while still allowing remote access to any of the vps via their public ip.

Mike Purcell
  • 1,708
  • 7
  • 32
  • 54