LinuxQuestions.org forum: Linux - Networking
VPN, MAC filtering and general advice
Hi
I don't think I'm being lazy because I've read lots of docs, but I think I'm even more confused than before!
I want advice on how best to achieve the following:
Everything is linux.
One server acts as the gateway/firewall and mail server.
On the LAN is another server (LAMP) with a php/mysql database.
I want to allow users (at home) to connect to the mail server (IMAP) and also to access the database through their browser. The gateway server does not serve any web content itself, so port 80 is not active.
What is the best way to do this? Should I set up a VPN or just port forward (80) from the gateway server to the database server?
If I only allow certain MAC addresses, am I right in thinking that anything else would be dropped silently (which is what happens with my iptables now)?
I've only ever allowed ssh into the gateway server before as my paranoia went overboard at the thought of anything else - not because it is unsafe - but because I sometimes doubt my ability to really lock things down.
Advice - concepts or detail - gratefully received.
Probably the simplest if you're already used to using ssh is to use ssh port forwarding on the remote clients, eg
Code:
ssh ... -L localport:remotehost:remoteport
Point your IMAP client at localhost:localport and it will go to the remote server of your choice. Similarly for the database server - I'd suggest using local port 8080 or something that doesn't clash with anything you might use. I use this for remote access to my linux server from Windows machines.
The other option which is a bit simpler for the user but a bit more work for you is a VPN. I use OpenVPN as it is cross-platform. The docs on the OpenVPN site are very good and it took about half an hour to get a working setup with certificates and TLS. If you have Windows clients and don't want them to have admin privileges there are a few more hoops to jump through.
Original Poster:
Thanks for the reply.
I think the vpn route might be the one. I don't really want the http port visible to the outside world and I realise that MAC addresses change as they pass from router to router - so no way can I use that as a filter. IP addresses will probably change too as they will be from people's DHCP cable/ADSL connections.
All in all, I mostly need secure http access to the second server (ie through the first by port forwarding) but so that access is restricted. I don't suppose there is a way to password protect the web content provided by the http server?
So vpn it might have to be - and a bit of a learning curve! Best way to learn is to do it, I guess
If you just want to make sure only known users connect then either ssh or VPN would do as you will only give the certificates to people you trust. Once they're connected to your gateway and authorised then presumably you're happy about them connecting to your internal web server. Probably VPN would be better because you can control what the VPN clients can access from your gateway very tightly with the firewall.
You can also use some of the advanced stuff in OpenVPN to run specific scripts for specific users - have a look at ccd in the manual which can give you a personal VPN script for each client.
I guess the crunch questions are: how many remote users and how frequently do they change? If it's a few and static then setting them up as users on your gateway and controlling access traditionally means that ssh could also be straightforward.
Certainly I can recommend having a look at the OpenVPN site and read their HOWTO as it may give you a few ideas.
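To show what "controlling what the VPN clients can access very tightly with the firewall" and the per-client ccd files look like in practice, here is an added example (not from anyone in this thread, and not the OpenVPN project's own code). It assumes OpenVPN with topology subnet handing out 10.8.0.0/24 on tun0, a gateway listening for IMAPS on 993, the LAMP box at 192.168.1.10, and the ccd directory at /etc/openvpn/ccd; all of these addresses are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Gateway-side setup for OpenVPN clients:
# each client gets a fixed tunnel address via a ccd file, and iptables lets the
# tunnel reach only IMAPS on the gateway and HTTP on the LAMP box; all else drops.
# Assumed addresses (adjust): tunnel tun0 in 10.8.0.0/24 (topology subnet),
# LAMP server 192.168.1.10, OpenVPN ccd directory /etc/openvpn/ccd.
VPN_IF=tun0
VPN_NET=10.8.0.0/24
LAMP=192.168.1.10
CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}

# Per-client config: pin the client's tunnel IP so firewall rules can name it.
# The file name must equal the common name in that client's certificate, and
# the server config needs "client-config-dir" pointing at $CCD_DIR.
ccd_entry() {   # usage: ccd_entry <common-name> <tunnel-ip>
    printf 'ifconfig-push %s 255.255.255.0\n' "$2" > "$CCD_DIR/$1"
}

# Emit the iptables commands; printed rather than run so they can be reviewed.
# Traffic arriving on tun0 is diverted into two chains that only accept new
# IMAPS connections to the gateway and new HTTP connections to the LAMP host.
vpn_rules() {
    cat <<EOF
iptables -N VPN_IN
iptables -N VPN_FWD
iptables -A INPUT -i $VPN_IF -j VPN_IN
iptables -A FORWARD -i $VPN_IF -j VPN_FWD
iptables -A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -s $VPN_NET -p tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
iptables -A VPN_IN -j DROP
iptables -A VPN_FWD -s $VPN_NET -d $LAMP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A VPN_FWD -j DROP
EOF
}

# Sanity check: exactly two default-deny rules, one per chain.
drop_rules() { vpn_rules | grep -c -- '-j DROP$'; }

# Apply for real only when explicitly asked ("./vpnfw.sh apply") and root.
apply_rules() { vpn_rules | sh; }
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    apply_rules
fi
```

Remember that the ccd file only fixes the address; the certificate is still what authenticates the client, so revoke the certificate when a user leaves rather than just deleting the file.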