Best way to hide my database from the internet ...Nat?
I am looking for advice on what I am sure is a very basic procedure, but I have never had to set this up before and am not sure where to start.
I am running 2 CentOS5.3 boxes.
I have one webserver connected to the internet and behind a firewall. I would like to set up the 2nd server (database) behind the webserver and completely inaccessible from the internet. Ideally so it can only be accessed by first ssh'ing onto the webserver and then ssh'ing from there onto the database. The webserver connecting locally to database.
From what I have seen it looks like I need to set this up using NAT but I have never done this and do not know what is involved.
Can someone point me in the right direction and optimally outline the steps I need to take to hook this up? Do I need to worry about any specific hardware configuration as well?
I would need to know how these machines are connected between them, and to the internet.
There's no straightforward way that anyone (short of hacking your router or web server) will be able to access your db server unless it's connected straight to the internet, or your router is doing some kind of routing to connect whatever port you are using on the db box to the external world.
I think you are using a topology that's similar to this one:
Code:
db server \
switch/hub --- router --- internet
web server /
Or maybe the router is *also* the web server?
In any case, NAT is used to translate IPs between the "real world" and your private network, thus allowing, for example, many machines that are behind a router to access the internet with the same IP (that of your router). I don't see how that relates to your problem, so either NAT isn't what you are looking for or I have misunderstood something.
As long as your machines are not routed to the external world they should be invisible from the world outside.
I'd suggest putting a router between your computers and the internet. As long as it supports port forwarding (and most do), you can forward any needed ports to the web server and the database server would be inaccessible (well, mostly).
Quote:
The webserver connecting locally to database.
As long as your webserver connects to the database, it is theoretically accessible from the internet if your webserver were to be cracked. You still need proper security on the database server.
Quote:
Ideally so it can only be accessed by first ssh'ing onto the webserver and then ssh'ing from there onto the database.
I'm not sure this adds a lot in terms of security. SSH (when configured properly) is a pretty tough nut to crack and allowing direct SSH access to the database server isn't much of a risk. To be honest, I think the most direct threat to your database server would be from exploits on the webserver.
Quote:
I'd suggest putting a router between your computers and the internet...
Thanks for your input. Yes, my current configuration is quite simple and there is no router involved. My datacenter tech had suggested that to achieve my simple goal (of having the database inaccessible directly) I set up a NAT IP for it on the webserver.
Not having experience with this, I am not sure if that suggestion is a good one or even possible, but I suspect he may have been suggesting that as a way of me avoiding additional charges for him setting up a router and a LAN on my two servers? Does that make any sense?
Is it possible to make such a configuration using a NAT IP without using a router?
We still don't know how your machines are connected, so I am not sure what he means. But I can't imagine why NAT would help at all.
It's usually quite the opposite; as I said in my other post, NAT can be used to connect a machine that's behind a router to the internet, which is exactly the opposite of what you intend to do. If you want the web server to access a machine that's on your internal network you don't need to do anything special, and that machine will not be visible from the outside.
Try to describe how your network is set up and how both machines are connected. I assume that only the web server is connected to the internet; if not, let us know about that as well.
Quote:
Not having experience with this, I am not sure if that suggestion is a good one or even possible
What your datacenter tech seems to be suggesting is to turn your webserver into a router of sorts. Network traffic has to be able to move between the two machines, so you need some sort of networking capability on your webserver.
Quote:
but I suspect he may have been suggesting that as a way of me avoiding additional charges for him setting up a router and a LAN on my two servers?
A decent stand-alone router would set you back about US $100, which isn't trivial, but may be money well spent. As far as setting up the LAN, if you can plug network cables in, you can set up the LAN yourself. Most modern routers are VERY easy to self-administer.
And i92guboh is absolutely right: if we can get a better idea of what your network currently looks like, we can give better advice.
Thanks for all your help. It seems that there was in fact some misunderstanding from my datacenter tech and his initial advice was erroneous, which is what confused me. There was indeed no need for dealing at all with NAT. I had him install a second NIC in each server and assigned a private IP to each card. Now my webserver connects on the local IP to the db and I completely disabled the public IP on the db, so it is pretty well hidden behind the webserver.
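With the public address on the database box disabled, as in the final post, the caveat from earlier in the thread still stands: a database daemon bound to 0.0.0.0 becomes reachable again the moment that address is re-enabled, so the listener should be tied to the private NIC's address. The following POSIX shell check is an added example, not code from the thread; it parses `netstat -tln` output (a constructed sample is embedded so it runs offline) and reports database listeners that are not bound to a loopback or RFC 1918 address. The ports checked (3306 for MySQL, 5432 for PostgreSQL) are an assumption about which database is in use.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output, standing in for the db server.
# 3306 is bound to the wildcard address (would be exposed if the public IP
# comes back); 5432 is bound only to the private NIC address.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 10.0.0.2:5432               0.0.0.0:*                   LISTEN'

# is_private ADDR: succeeds if ADDR is loopback or an RFC 1918 IPv4 address.
is_private() {
  case "$1" in
    127.*|10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# exposed_listeners "PORT PORT ...": reads netstat -tln output on stdin and
# prints each LISTEN socket on one of the given ports whose bind address is
# neither loopback nor RFC 1918 (wildcard 0.0.0.0 and IPv6 "::" count as exposed).
exposed_listeners() {
  ports="$1"
  while read -r proto recvq sendq local foreign state; do
    [ "$state" = "LISTEN" ] || continue
    addr=${local%:*}   # everything before the last colon
    port=${local##*:}  # everything after the last colon
    for p in $ports; do
      [ "$port" = "$p" ] || continue
      is_private "$addr" || echo "$local"
    done
  done
}

# On the real database host you would run:  netstat -tln | exposed_listeners "3306 5432"
# Here the constructed sample is used instead; a non-empty result means
# something still needs to be rebound to the private address.
check_sample() {
  printf '%s\n' "$SAMPLE" | exposed_listeners "3306 5432"
}

check_sample
```

An empty result is the state to aim for; for MySQL that means setting bind-address to the private NIC's IP, and for PostgreSQL setting listen_addresses the same way.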