LinuxQuestions.org
Old 05-25-2009, 02:00 AM   #1
JohnRock
Member
 
Registered: May 2009
Posts: 36

Best way to hide my database from the internet ...Nat?


I am looking for advice on what I am sure is a very basic procedure, but I have never had to set this up before and am not sure where to start.

I am running 2 CentOS 5.3 boxes.
I have one webserver connected to the internet and behind a firewall. I would like to set up the 2nd server (database) behind the webserver and completely inaccessible from the internet. Ideally so it can only be accessed by first ssh'ing onto the webserver and then ssh'ing from there onto the database. The webserver would connect locally to the database.

From what I have seen it looks like I need to set this up using NAT but I have never done this and do not know what is involved.

Can someone point me in the right direction and optimally outline the steps I need to take to hook this up? Do I need to worry about any specific hardware configuration as well?

Thanks in advance!
 
Old 05-25-2009, 06:47 AM   #2
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

I would need to know how these machines are connected to each other, and to the internet.

There's no straight way that anyone (short of hacking your router or web server) will be able to access your db server unless it's connected straight to the internet, or your router is doing some kind of routing to connect whatever port you are using on the db box to the external world.

I think you are using a topology that's similar to this one:

Code:
db server  \
            switch/hub --- router --- internet
web server /
Or maybe the router is *also* the web server?

In any case, NAT is used to translate IPs between the "real world" and your private network, thus allowing, for example, many machines that are behind a router to access the internet with the same IP (that of your router). I don't see how that relates to your problem, so either NAT isn't what you are looking for or I have misunderstood something.

As long as your machines are not routed to the external world they should be invisible from the world outside.

Last edited by i92guboj; 05-25-2009 at 06:48 AM.
 
Old 05-25-2009, 06:51 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

I'd suggest putting a router between your computers and the internet. As long as it supports port forwarding (and most do), you can forward any needed ports to the web server and the database server would be inaccessible (well, mostly).

Quote:
The webserver would connect locally to the database.
As long as your webserver connects to the database, it is theoretically accessible from the internet if your webserver were to be cracked. You still need proper security on the database server.
Quote:
Ideally so it can only be accessed by first ssh'ing onto the webserver and then ssh'ing from there onto the database.
I'm not sure this adds a lot in terms of security. SSH (when configured properly) is a pretty tough nut to crack and allowing direct SSH access to the database server isn't much of a risk. To be honest, I think the most direct threat to your database server would be from exploits on the webserver.
 
Old 05-25-2009, 03:06 PM   #4
JohnRock
Member
 
Registered: May 2009
Posts: 36

Original Poster
Quote:
Originally Posted by Hangdog42
I'd suggest putting a router between your computers and the internet...
Thanks for your input. Yes, my current configuration is quite simple and there is no router involved. My datacenter tech had suggested that to achieve my simple goal (of having the database inaccessible directly) I set up a NAT IP for it on the webserver.

Not having experience with this, I am not sure if that suggestion is a good one or even possible, but I suspect he may have been suggesting that as a way of me avoiding additional charges for him setting up a router and a LAN on my two servers? Does that make any sense?

Is it possible to make such a configuration using a NAT IP without using a router?
 
Old 05-25-2009, 03:59 PM   #5
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

We still don't know how your machines are connected, so I am not sure what he meant. But I can't imagine why NAT would help at all.

It's usually quite the opposite. As I said in my other post, NAT can be used to connect a machine that's behind a router to the internet, which is exactly the opposite of what you intend to do. If you want the web server to access a machine that's on your internal network you don't need to do anything special, and that machine will not be visible from the outside.

Try to describe how your network is set up and how both machines are connected. I assume that only the web server is connected to the internet; if not, let us know about that as well.
 
Old 05-26-2009, 06:51 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Not having experience with this, I am not sure if that suggestion is a good one or even possible
What your datacenter tech seems to be suggesting is to turn your webserver into a router of sorts. Network traffic has to be able to move between the two machines, so you need some sort of networking capability on your webserver.

Quote:
but I suspect he may have been suggesting that as a way of me avoiding additional charges for him setting up a router and a LAN on my two servers?
A decent stand-alone router would set you back about US $100, which isn't trivial, but may be money well spent. As far as setting up the LAN, if you can plug network cables in, you can set up the LAN yourself. Most modern routers are VERY easy to self-administer.

And i92guboj is absolutely right: if we can get a better idea of what your network currently looks like, we can give better advice.
 
Old 05-27-2009, 04:56 PM   #7
JohnRock
Member
 
Registered: May 2009
Posts: 36

Original Poster
Thanks for all your help. It seems that there was in fact some misunderstanding from my datacenter tech and his initial advice was erroneous, which is what confused me. There was indeed no need for dealing at all with NAT. I had him install a second NIC in each server and assigned a private IP to each card. Now my webserver connects on the local IP to the db and I completely disabled the public IP on the db, so it is pretty well hidden behind the webserver.

This should do the trick. Thanks

John
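Added example, not from the thread or any of the posters: a POSIX shell check of the layout John ends up with, to be run on the database box so that the "private NIC only" claim can be verified rather than assumed. The netstat -tln and ip -o -4 addr show captures are constructed samples, and the private address 10.0.0.2 on eth1, the public NIC eth0 and TCP port 3306 are assumed values, not the poster's.

```shell
#!/bin/sh
# Added example: checks of the "db on a private NIC only" layout from the thread.
# Constructed values (not the poster's): db at 10.0.0.2 on eth1, public NIC eth0, TCP 3306.
PRIVATE_IP="10.0.0.2"
PUBLIC_IF="eth0"
DB_PORT="3306"

# Constructed "netstat -tln" capture from a correctly bound db server.
GOOD_LISTENERS='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 10.0.0.2:3306    0.0.0.0:*        LISTEN
tcp        0      0 10.0.0.2:22      0.0.0.0:*        LISTEN'

# Constructed capture with the db port bound to every address (the exposure the thread warns about).
BAD_LISTENERS='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN'

# Constructed "ip -o -4 addr show" capture: only lo and the private NIC carry an address.
ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
3: eth1    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth1'

# check_db_binding LISTENERS PRIVATE_IP DB_PORT: exit 0 only when every LISTEN socket
# on DB_PORT is bound to PRIVATE_IP; exit 1 if it is missing or on a wildcard/other address.
check_db_binding() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        $NF == "LISTEN" {
            n = split($4, a, ":")              # last piece is the port, first the address
            if (a[n] != port) next
            found = 1
            addr = (a[1] == "") ? "::" : a[1]  # ":::3306" is the IPv6 wildcard form
            if (addr != ip) { bad = 1; print "port " port " bound to " addr ", expected " ip }
        }
        END {
            if (!found) { print "port " port " is not listening"; exit 1 }
            exit bad ? 1 : 0
        }'
}

# check_public_nic_unaddressed ADDRS PUBLIC_IF: exit 0 when PUBLIC_IF has no IPv4
# address, i.e. the "disabled public ip" John describes.
check_public_nic_unaddressed() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $2 == dev && $3 == "inet" { print dev " still has " $4; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Both checks must pass; a non-zero exit means the db box is still reachable from outside.
check_db_binding "$GOOD_LISTENERS" "$PRIVATE_IP" "$DB_PORT" &&
check_public_nic_unaddressed "$ADDRS" "$PUBLIC_IF" &&
echo "db server is bound to the private LAN only"
```

On a live box, feed the functions the real output of `netstat -tln` and `ip -o -4 addr show` instead of the constructed strings; the checks only confirm binding and addressing, they do not replace a firewall rule restricting the db port to the webserver's private IP.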
 
Old 05-27-2009, 05:14 PM   #8
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

That was my impression: it was some misunderstanding. Glad that you figured it out and found an adequate setup.
All times are GMT -5.