LinuxQuestions.org
Forum: Linux - Networking (any issue related to networks or networking: routing, network cards, OSI, etc.)
Old 11-20-2006, 05:13 AM   #1
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Rep: Reputation: 15
VPN, MAC filtering and general advice


Hi

I don't think I'm being lazy because I've read lots of docs, but I think I'm even more confused than before!

I want advice on how best to achieve the following:

Everything is linux.
One server acts as the gateway/firewall and mail server.
On the LAN is another server (LAMP) with a php/mysql database.

I want to allow users (at home) to connect to the mail server (IMAP) and also to access the database through their browser. The gateway server does not serve any web content itself, so port 80 is not active.

What is the best way to do this? Should I set up a VPN or just port forward (80) from the gateway server to the database server?

If I only allow certain MAC addresses, am I right in thinking that anything else would be dropped silently (which is what happens with my iptables now)?

I've only ever allowed ssh into the gateway server before as my paranoia went overboard at the thought of anything else - not because it is unsafe - but because I sometimes doubt my ability to really lock things down.

Advice - concepts or detail - gratefully received.
 
Old 11-21-2006, 04:50 AM   #2
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
As usual there are several possibilities.

Probably the simplest, if you're already used to using ssh, is to use ssh port forwarding on the remote clients, eg
Code:
ssh ... -L localport:remotehost:remoteport
Point your IMAP client at localhost:localport and it will go to the remote server of your choice. Similarly for the database server - I'd suggest using local port 8080 or something that doesn't clash with anything you might use. I use this for remote access to my linux server from Windows machines.

The other option which is a bit simpler for the user but a bit more work for you is a VPN. I use OpenVPN as it is cross-platform. The docs on the OpenVPN site are very good and it took about half an hour to get a working setup with certificates and TLS. If you have Windows clients and don't want them to have admin privileges there are a few more hoops to jump through.
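An added example, not part of andrewdodsworth's post, that turns the -L recipe above into one checked ssh command covering both services: IMAP on the gateway itself and HTTP on the LAN web server. The names alice@gateway.example.org and lamp.lan are made up for the example; the IMAP forward targets localhost as seen from the gateway, since that is where the mail server runs.

```shell
#!/bin/sh
# Added example, not from the thread: build one ssh command that forwards
# IMAP (on the gateway itself) and HTTP (on the LAN web server) to the
# home machine, after checking each forward spec.
# Assumed names: alice@gateway.example.org (the gateway) and lamp.lan.

# check_forward SPEC   (SPEC is localport:remotehost:remoteport)
# Succeeds if the spec is well-formed; explains on stderr otherwise.
check_forward() {
    spec=$1
    lport=${spec%%:*}
    rest=${spec#*:}
    rhost=${rest%%:*}
    rport=${rest#*:}
    if [ "$spec" = "$rest" ] || [ "$rest" = "$rport" ] \
       || [ -z "$lport" ] || [ -z "$rhost" ] || [ -z "$rport" ]; then
        echo "malformed forward '$spec' (want localport:remotehost:remoteport)" >&2
        return 1
    fi
    case "$lport$rport" in
        *[!0-9]*) echo "non-numeric port in '$spec'" >&2; return 1 ;;
    esac
    for p in "$lport" "$rport"; do
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port $p out of range in '$spec'" >&2
            return 1
        fi
    done
    # Ports below 1024 need root on the client side; not an error, but say so.
    if [ "$lport" -lt 1024 ]; then
        echo "note: local port $lport is privileged, ssh must run as root to bind it" >&2
    fi
    return 0
}

# build_tunnel USER@GATEWAY SPEC...
# Prints the ssh command line; does not run it.
build_tunnel() {
    target=$1; shift
    args=""
    seen=" "
    for spec; do
        check_forward "$spec" || return 1
        lport=${spec%%:*}
        case "$seen" in
            *" $lport "*) echo "local port $lport used twice" >&2; return 1 ;;
        esac
        seen="$seen$lport "
        # Bind to 127.0.0.1 explicitly so other machines on the home LAN
        # cannot ride the tunnel.
        args="$args -L 127.0.0.1:$spec"
    done
    # -N: no remote shell, just the forwards.
    # ExitOnForwardFailure: fail loudly if a local port is already in use.
    echo "ssh -N -o ExitOnForwardFailure=yes$args $target"
}

# Example use. The IMAP target is localhost *as seen from the gateway*;
# the web target is the LAN name of the LAMP server.
build_tunnel alice@gateway.example.org 1143:localhost:143 8080:lamp.lan:80
```

Run the printed command in a terminal and point the IMAP client at localhost:1143 and the browser at http://localhost:8080/. Nothing new is opened on the gateway: only the ssh port it already exposes.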
 
Old 11-21-2006, 02:23 PM   #3
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks for the reply.

I think the vpn route might be the one. I don't really want the http port visible to the outside world and I realise that MAC addresses change as they pass from router to router - so no way can I use that as a filter. IP addresses will probably change too as they will be from people's DHCP cable/ADSL connections.

All in all, I mostly need secure http access to the second server (i.e. through the first by port forwarding) but so that access is restricted. I don't suppose there is a way to password protect the web content provided by the http server?

So vpn it might have to be - and a bit of a learning curve! Best way to learn is to do it, I guess.

Thanks again
 
Old 11-22-2006, 10:45 AM   #4
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
I've had an idea to block content on our webserver but am not sure whether this would be considered a useful way to do it.

If our home users are on non-static IPs, I thought of setting up dyndns accounts and then restricting access to port 80 by hostname.

Hopefully that means that if the right ip or host tries to connect, it will be able to - and anyone else will simply be dropped.

What do you think?
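An added example, not from the thread, of the dyndns idea in shell. iptables resolves a hostname only once, when the rule is loaded, so a rule written with a dyndns name stops matching as soon as that user's address changes; the workable form is a dedicated chain rebuilt from the current addresses on a timer (cron). Assumed, and made up for the example: a chain called HOMEUSERS, a gateway that DNATs port 80 to the LAN web server at 192.168.1.20, a FORWARD policy of DROP, and the hostnames and addresses shown.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild an iptables chain from the
# current addresses of dynamic-DNS hostnames. Run it from cron every few
# minutes; iptables does not re-resolve names by itself.
# Assumed: chain HOMEUSERS, LAN web server 192.168.1.20, and a one-time
# jump into the chain set up elsewhere, e.g.
#   iptables -A FORWARD -d 192.168.1.20 -p tcp --dport 80 -j HOMEUSERS
# plus the DNAT in nat/PREROUTING and FORWARD policy DROP.

# allow_rules CHAIN DEST_IP DEST_PORT IP...
# Prints (does not run) the commands that rebuild CHAIN so only the listed
# source addresses reach DEST_IP:DEST_PORT; everything else is dropped.
# Unusable entries (failed lookups, junk) are skipped, so a dead dyndns
# name locks that one user out rather than opening anything.
allow_rules() {
    chain=$1 dst=$2 port=$3; shift 3
    echo "iptables -F $chain 2>/dev/null || iptables -N $chain"
    for ip; do
        case "$ip" in
            ''|*[!0-9.]*) echo "skipping unusable address '$ip'" >&2; continue ;;
        esac
        echo "iptables -A $chain -s $ip -d $dst -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"
}

# resolve_hosts NAME...
# Prints the current IPv4 address of each name (needs DNS, so the demo
# below uses constructed addresses instead of calling this).
resolve_hosts() {
    for h; do
        getent ahostsv4 "$h" | awk 'NR==1 {print $1}'
    done
}

# Example use with constructed addresses standing in for the lookups:
allow_rules HOMEUSERS 192.168.1.20 80 203.0.113.10 198.51.100.7

# Real use from cron, names made up:
#   allow_rules HOMEUSERS 192.168.1.20 80 \
#       $(resolve_hosts alice.dyndns.example bob.dyndns.example) | sh
```

The chain ends in DROP, so the only moment anything falls through to the FORWARD policy is the flush-and-rebuild itself, which is why that policy has to be DROP too. Note what this does not give you: anyone else behind the same home router (or whoever gets that address next) is let in, and port 80 is still plain HTTP, so it is an address filter rather than authentication.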
 
Old 11-23-2006, 06:04 AM   #5
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Not sure exactly what you're trying to do.

If you just want to make sure only known users connect then either ssh or VPN would do as you will only give the certificates to people you trust. Once they're connected to your gateway and authorised then presumably you're happy about them connecting to your internal web server. Probably VPN would be better because you can control what the VPN clients can access from your gateway very tightly with the firewall.

You can also use some of the advanced stuff in OpenVPN to run specific scripts for specific users - have a look at ccd in the manual which can give you a personal VPN script for each client.

I guess the crunch questions are: how many remote users and how frequently do they change? If it's a few and static then setting them up as users on your gateway and controlling access traditionally means that ssh could also be straightforward.

Certainly I can recommend having a look at the OpenVPN site and read their HOWTO as it may give you a few ideas.

Good luck.
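An added example, not from the thread or the OpenVPN project, of the ccd idea above together with the per-client firewall rules it makes possible: give each client a fixed tunnel address via its client-config-dir file, then write gateway rules against that address. Assumptions, all made up for the example: server.conf carries topology subnet (OpenVPN 2.1 or later), server 10.8.0.0 255.255.255.0 and client-config-dir /etc/openvpn/ccd; the gateway is 10.8.0.1 inside the tunnel on tun0; the LAN web server is 192.168.1.20; IMAP runs on the gateway; and client names are the certificate common names, which is how OpenVPN chooses the ccd file.

```shell
#!/bin/sh
# Added example, not from the thread: pin each OpenVPN client to a tunnel
# address with a ccd entry, then allow only named services from it.
# Assumed server.conf lines:
#   topology subnet
#   server 10.8.0.0 255.255.255.0
#   client-config-dir /etc/openvpn/ccd
# Assumed one-time rules, with INPUT and FORWARD policy DROP, placed
# before anything this script emits:
#   iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

SERVER_TUN_IP=10.8.0.1   # the gateway's own address inside the tunnel

# ccd_entry CCD_DIR CLIENT_CN TUNNEL_IP
# Writes CCD_DIR/CLIENT_CN and prints the path. The CN comes from the
# client certificate, so it is checked before being used as a file name.
ccd_entry() {
    ccddir=$1 cn=$2 ip=$3
    case "$cn" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing odd common name '$cn'" >&2; return 1 ;;
    esac
    mkdir -p "$ccddir"
    # With "topology subnet" the second argument is the subnet mask.
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$ccddir/$cn"
    echo "$ccddir/$cn"
}

# client_rules TUNNEL_IP HOST:PORT...
# Prints (does not run) the rules for one client: each HOST:PORT it may
# use, then log-and-drop for anything else it tries to reach through the
# gateway. A HOST equal to the gateway's tunnel address is a service on
# the gateway itself (IMAP here) and so goes in INPUT, not FORWARD.
client_rules() {
    ip=$1; shift
    for svc; do
        host=${svc%%:*}
        port=${svc#*:}
        if [ "$host" = "$SERVER_TUN_IP" ]; then
            echo "iptables -A INPUT -i tun0 -s $ip -d $host -p tcp --dport $port -j ACCEPT"
        else
            echo "iptables -A FORWARD -i tun0 -s $ip -d $host -p tcp --dport $port -j ACCEPT"
        fi
    done
    echo "iptables -A FORWARD -i tun0 -s $ip -j LOG --log-prefix \"vpn-deny \""
    echo "iptables -A FORWARD -i tun0 -s $ip -j DROP"
}

# Example use: client "alice" gets 10.8.0.10, may browse the LAN web
# server and read mail on the gateway, and nothing else.
ccd_entry /tmp/ccd-demo alice 10.8.0.10
client_rules 10.8.0.10 192.168.1.20:80 10.8.0.1:143
```

For real use point ccd_entry at /etc/openvpn/ccd and pipe client_rules into sh. Adding ccd-exclusive to server.conf makes OpenVPN refuse any certificate that has no ccd file, so a client cannot connect without first being given an address and a rule set.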
 