Lastly, let's tighten up our security by ensuring the load balancer is the only one of our 4 servers that is reachable from the public internet.
Load Balancer
We want SSH access as well as access to our web ports. Rules are appended in order, so the catch-all DROP must come last:
sudo iptables -A INPUT -i lo -j ACCEPT                      # loopback traffic
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # replies to connections we opened
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT          # SSH
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT         # HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT          # HTTP
sudo iptables -A INPUT -j DROP                              # everything else
Application Servers
We want SSH access and port 80 access; however, port 80 traffic should only come from the load balancer. We can simply say that web traffic may only arrive on our private network interface (eth1 in my case), so the rule below matches on that interface rather than the public one:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT  # HTTP only on the private interface (eth1 here; substitute yours)
sudo iptables -A INPUT -j DROP
Database/Cache Server
We want SSH access, and then we want to only allow the MySQL and Redis ports through on the private network interface (eth1 here, as above):
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3306 -i eth1 -j ACCEPT  # MySQL, private interface only
sudo iptables -A INPUT -p tcp --dport 6379 -i eth1 -j ACCEPT  # Redis, private interface only
sudo iptables -A INPUT -j DROP
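The three rule sets above differ only in which ports are opened and on which interface, which makes them easy to script. The following is an added example, not code from the original post: one POSIX shell script that generates the INPUT chain for a role (lb, app or db), takes the private interface name as a parameter so the eth0/eth1 mix-up cannot happen silently, and checks the generated set before anything is applied. The role names, the PRIV_IF default, the DRY_RUN switch and the helper function names are this example's own assumptions; the port numbers are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the INPUT chain for one
# server role, review it with DRY_RUN=1 (the default), then apply as root.
# Assumed: role names lb/app/db and the private interface default of eth1.

# Print the rules for a role. $1 = role, $2 = private interface (default eth1).
rules_for_role() {
    role=$1
    priv_if=${2:-eth1}
    # Common prefix shared by every role: loopback, return traffic, SSH.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    case $role in
        lb)   # public web ports, any interface
            echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
            echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
            ;;
        app)  # HTTP only from the private network (load balancer)
            echo "iptables -A INPUT -p tcp --dport 80 -i $priv_if -j ACCEPT"
            ;;
        db)   # MySQL and Redis only from the private network
            echo "iptables -A INPUT -p tcp --dport 3306 -i $priv_if -j ACCEPT"
            echo "iptables -A INPUT -p tcp --dport 6379 -i $priv_if -j ACCEPT"
            ;;
        *)
            echo "unknown role: $role" >&2
            return 1
            ;;
    esac
    # Catch-all DROP is appended last; -A keeps insertion order.
    echo "iptables -A INPUT -j DROP"
}

# Read a generated rule set on stdin; fail if any rule follows the DROP
# (such a rule would never be evaluated). Returns 0 when the set is sane.
check_rules() {
    awk '
        /-j DROP/ { drop_seen = 1; next }
        drop_seen { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Count ACCEPT rules that are not bound to an interface (i.e. reachable from
# the public side). Ignores the loopback and conntrack rules.
public_accept_count() {
    grep -- '-j ACCEPT' | grep -v -- '-i ' | grep -v -- '--ctstate' | wc -l | tr -d ' '
}

# Flush INPUT first so re-running the script does not append duplicates.
# With DRY_RUN=1 (default) the commands are only printed.
apply_rules() {
    rules_for_role "$@" | check_rules || { echo "rule set failed check" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -F INPUT"
        rules_for_role "$@"
    else
        iptables -F INPUT
        rules_for_role "$@" | sh
    fi
}

# Usage: DRY_RUN=0 ./firewall.sh app eth1   (as root) ; omit DRY_RUN to preview.
if [ -n "${1:-}" ]; then
    apply_rules "$@"
fi
```

Two practical notes: the expected public_accept_count is 3 for the load balancer (SSH, HTTPS, HTTP) and 1 (SSH only) for the app and database roles, which is a quick way to confirm that only the load balancer exposes anything beyond SSH. Also, rules added with iptables live only in kernel memory and are gone after a reboot; save them with iptables-save (or a package such as iptables-persistent) once the preview looks right.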
There's more to managing firewalls, though, so be sure to check out the video series on iptables!