July 10, 2017

Network Security

Right now our servers are wide open to the internet. Let's see how we can lock down each server in our three tiers - public, application, and data.

Lastly, let's tighten up our security by ensuring the load balancer is the only publicly reachable one of our 4 servers.

Load Balancer

We want SSH access as well as access to our web ports.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP

Application Servers

We want SSH access and port 80 access; however, port 80 should only be reachable from the load balancer. We can simply say that web traffic may only arrive on our private network interface (eth1 in my case).

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT   # eth1 = private interface
sudo iptables -A INPUT -j DROP

Database/Cache Server

We want SSH access, and then we want to only allow the MySQL and Redis ports through on the private network:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3306 -i eth1 -j ACCEPT   # MySQL, private interface only
sudo iptables -A INPUT -p tcp --dport 6379 -i eth1 -j ACCEPT   # Redis, private interface only
sudo iptables -A INPUT -j DROP
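To see why rule order matters in these chains, here is a small first-match evaluator over the application-tier rules above. It is an added example, not code from the post; it assumes eth0 is the public interface and eth1 the private one, and it models a packet only by its interface, protocol, destination port and conntrack state.

```python
import shlex
from dataclasses import dataclass

# The application-tier INPUT chain from the post (eth1 = private interface).
APP_SERVER_RULES = [
    "sudo iptables -A INPUT -i lo -j ACCEPT",
    "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "sudo iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT",
    "sudo iptables -A INPUT -j DROP",
]

@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "lo", "eth0" (public) or "eth1" (private)
    proto: str            # "tcp" or "udp"
    dport: int
    ctstate: str = "NEW"  # what conntrack knows about the flow: NEW, ESTABLISHED, RELATED, INVALID

def parse_rule(line):
    """Reduce one '-A INPUT ...' line to its match conditions and jump target."""
    toks = shlex.split(line)
    rule = {}
    for opt, val in zip(toks, toks[1:]):
        if opt == "-i":
            rule["iface"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--ctstate":
            rule["ctstate"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
    return rule  # sudo, iptables, -A INPUT and -m conntrack carry no match semantics here

def matches(rule, pkt):
    """Every condition present on the rule must hold; an absent condition matches anything."""
    return (rule.get("iface", pkt.iface) == pkt.iface
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and pkt.ctstate in rule.get("ctstate", {pkt.ctstate}))

def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides, else the chain policy."""
    for line in rules:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"]
    return policy  # INPUT defaults to ACCEPT unless 'iptables -P INPUT DROP' was set
```

Two things this makes visible: without the closing `-j DROP` rule the chain falls through to the default ACCEPT policy, and any rule appended later with `-A` lands after that DROP and is never reached, so use `-I` or re-order when adding rules to an existing chain.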

There's more to managing Firewalls though, so be sure to check out the video series on Iptables!
