IPTABLES for multiple Public IP Addresses


Currently I have two servers running Debian 7 in an HA Active/Passive setup using Pacemaker and Corosync, as follows:

node1->IP->xx.xx.xx.1
node2->IP->xx.xx.xx.2
VIP(Floating IP) ->xx.xx.xx.3

It is configured with heartbeat for fail-over. All the IPs above are public-facing.

The system is all working as it is supposed to, with high availability when the other node fails, etc. When one of the systems is active, there will be two IPs assigned to one server.

So here are my questions:

  1. Do I have to add any separate iptables rules for the different IPs (VIP and static public IP)?
  2. How do I allow (listen for) traffic only on a particular IP (VIP) for a service, e.g. a DB server, and not on the other public address (xx.1) from the outside world?

If you see anything that concerns you about the setup w.r.t. security etc., please comment.

Thanks

1 answer

ASCIInaut
  1. It depends on your set of iptables rules and your needs. You are able to ALLOW/DENY traffic based on destination IP address. Thus it'll be possible to e.g. allow traffic only to a floating IP, but not to a node's primary IP address. Or you could bind your ruleset to a specific interface (e.g. eth0) which is holding a bunch of IP addresses.

  2. It is good practice to DENY everything and ALLOW only specific traffic. In this given case I'd DENY by default, only ALLOWing traffic based on the source IP address (from the DB server's known IP addresses).

Regarding concerns: Host-based firewalls always have the drawback that when the machine is compromised, a potential attacker is probably able to disable the firewall completely. Thus you might want to have a separate firewall in front of your DMZ network, which faces the internet and filters the traffic. But this depends on your setup and protection requirements.
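The following is an added example, not part of the original question or answer and not the poster's configuration. It puts the answer's two points into one iptables-restore ruleset that is loaded identically on both nodes: default DROP on INPUT, the DB reachable only when the packet's destination is the floating VIP and its source is a known client, and no rule at all for the DB port on a node's own public address. Every concrete value is an assumption for illustration: RFC 5737 documentation addresses stand in for the question's xx.xx.xx.N, the DB port is taken as 5432, the public interface as eth0, the management network as 192.0.2.0/24, and the Corosync ports as its defaults (check corosync.conf).

```shell
#!/bin/sh
# Added example (not from the original post). Generates and optionally loads
# one iptables ruleset that both cluster nodes share. Addresses, ports and
# interface names below are assumptions for illustration only.
set -eu

VIP="203.0.113.3"                         # floating IP (the question's xx.xx.xx.3)
DB_PORT="5432"                            # assumed DB port (PostgreSQL default)
DB_CLIENTS="198.51.100.10 198.51.100.11"  # assumed known DB client addresses
ADMIN_NET="192.0.2.0/24"                  # assumed management network allowed to SSH
PUBLIC_IF="eth0"                          # assumed interface holding all public IPs

# Print an iptables-restore ruleset for one node.
#   $1 = this node's own public IP, $2 = the peer node's public IP
gen_ruleset() {
    node_ip="$1"; peer_ip="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management: SSH to this node's own address, from the admin network only
-A INPUT -i ${PUBLIC_IF} -d ${node_ip}/32 -s ${ADMIN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# cluster: Corosync from the peer node (assumed default UDP 5404-5405; verify in corosync.conf)
-A INPUT -i ${PUBLIC_IF} -d ${node_ip}/32 -s ${peer_ip}/32 -p udp --dport 5404:5405 -j ACCEPT
EOF
    # DB service: destination must be the VIP and source must be a known client.
    # Nothing matches -d ${node_ip} on ${DB_PORT}, so the DB stays unreachable
    # through the node's own public IP even if the daemon listens on 0.0.0.0.
    for client in ${DB_CLIENTS}; do
        printf '%s -i %s -d %s/32 -s %s/32 -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "-A INPUT" "${PUBLIC_IF}" "${VIP}" "${client}" "${DB_PORT}"
    done
    printf 'COMMIT\n'
}

# Replace the filter table atomically with the generated ruleset.
# Needs root and iptables-restore; refuses to run otherwise.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    gen_ruleset "$1" "$2" | iptables-restore
}

# Usage:  ./fw.sh print <node_ip> <peer_ip>   (default: print node1's ruleset)
#         ./fw.sh apply <node_ip> <peer_ip>   (as root, on that node)
case "${1:-print}" in
    apply) apply_ruleset "${2:?node ip}" "${3:?peer ip}" ;;
    *)     gen_ruleset "${2:-203.0.113.1}" "${3:-203.0.113.2}" ;;
esac
```

Because the DB rule keys on the destination address rather than on which node is active, the same file works on both nodes: whichever node currently holds the VIP accepts the client traffic, and on the other node the rule simply never matches. Keep this as a second layer rather than the only one: also set the DB daemon's own listen/bind address to the VIP and order it after the VIP resource in Pacemaker, and remember that on Debian 7 iptables rules are not persistent across a reboot unless something (for example iptables-persistent or an interface pre-up hook) reloads them.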