Using Public IP addresses ONLY for cluster possible?
Posted:
Mon Apr 30, 2018 1:14 pm
by vkad
I have 3 public servers with all public IPs.
I want to set up the
- first as the DB server, dialer and web
- second as the dialer
- third as the dialer only.
Is it possible to set this up as a cluster? Of course I will use very strong passwords, but does vicidial allow this?
What are the main passwords and ports to look out for in this case?
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Mon Apr 30, 2018 2:23 pm
by mflorell
As long as you use IPv4, it should work fine.
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Mon Apr 30, 2018 4:48 pm
by vkad
Public IPs are accessible through the internet... How can I connect these securely to each other without a private IP?
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Tue May 01, 2018 5:09 am
by ngtechnologies
Lock down with iptables. But with what you listed, all 3 will need to connect to the outside world.
The MySQL port can be locked down to only allow access from the other servers, but you need to open http/https and SIP on all servers.
We have been using servers with public IPs for years without any hacks or issues.
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Wed May 02, 2018 9:35 pm
by vkad
ngtechnologies wrote: Lock down with iptables. But with what you listed, all 3 will need to connect to the outside world.
The MySQL port can be locked down to only allow access from the other servers, but you need to open http/https and SIP on all servers.
We have been using servers with public IPs for years without any hacks or issues.
What ports need to be open? (What about telnet, doesn't vicidial use telnet?)
Can I please request your iptables config for the relevant ports? Thanks.
We don't have any private IPs on these servers, only public IPs.
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Wed May 02, 2018 9:43 pm
by williamconley
# Generated by iptables-save v1.4.8 on Wed May 2 22:39:32 2018
*raw
:PREROUTING ACCEPT [8125711:635559393]
:OUTPUT ACCEPT [4730223:17430245571]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed May 2 22:39:32 2018
# Generated by iptables-save v1.4.8 on Wed May 2 22:39:32 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:80]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
# Hard-coded "whitelist" entries: one line per public IP of the other servers and call centers
-A INPUT -s xx.xx.xx.xx/32 -j ACCEPT
# Hard-coded "blacklist" entries
-A INPUT -s xx.xx.xx.xx/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed May 2 22:39:32 2018
For use of the "GOOD" file generated by the "recent" iptables module, google Dynamic Good Guys firewall for Vicidial.
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Thu May 03, 2018 7:29 am
by vkad
Thanks williamconley, but it doesn't answer my question. I am not asking for the DGG config, but thanks for that. I want to know what ports a vicibox cluster uses to communicate between the nodes of a cluster. If my nodes only had public IPs, which ports would need to be looked out for?
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Thu May 03, 2018 7:48 am
by williamconley
This isn't the DGG configuration, this is a simple OpenSuSE "stock" whitelist. With this configuration, you would open ALL ports between the servers in the cluster. This negates the need to put a line in for individual ports or know which ones to open. The public IP of each server is trusted, no need to lock "some" ports while opening others from these trusted IPs.
You *should* have a private network between the servers in addition to their public IPs, though. Seriously.
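Putting the two answers above together (ngtechnologies: MySQL reachable only from the other servers, web and SIP open to everyone; williamconley: one whitelist line per trusted public IP, so no per-port list is needed), here is an added example that generates such a ruleset. It is not from this thread or from the VICIdial/ViciBox project; the peer addresses are constructed placeholders and the SIP/RTP ports are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the thread or the VICIdial project): emit an
# iptables-restore ruleset for one cluster node that has only a public IP.
# Cluster peers are trusted on every port, so MySQL (3306), SSH and the rest
# need no per-port rules; the rest of the internet gets web and SIP only.
# Assumptions: the peer IPs are constructed placeholders and the RTP range
# 10000-20000 is the common Asterisk default; adjust both to your boxes.

# Public IPs of the OTHER nodes in the cluster (constructed, space-separated).
CLUSTER_PEERS="${CLUSTER_PEERS:-203.0.113.10 203.0.113.11}"

emit() { printf '%s\n' "$1"; }

build_rules() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Whitelist: one ACCEPT per peer, all protocols and ports.
    for ip in $CLUSTER_PEERS; do
        emit "-A INPUT -s $ip/32 -j ACCEPT"
    done
    # Everyone else: agent web interface and SIP signalling/media only.
    emit '-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    emit '-A INPUT -p udp --dport 5060 -j ACCEPT'
    emit '-A INPUT -p udp --dport 10000:20000 -j ACCEPT'
    # MySQL from anyone but a peer is dropped here (and by the policy anyway).
    emit '-A INPUT -p tcp --dport 3306 -j DROP'
    emit '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "CLUSTER-IN-DROP "'
    emit '-A INPUT -j DROP'
    emit 'COMMIT'
}

# Returns 0 when every peer is whitelisted and 3306 is never opened to the world.
check_rules() {
    rules=$(build_rules)
    for ip in $CLUSTER_PEERS; do
        echo "$rules" | grep -q -- "-s $ip/32 -j ACCEPT" || return 1
    done
    echo "$rules" | grep -q -- '--dport 3306 -j ACCEPT' && return 1
    return 0
}

# Review the output first, then load it with:  build_rules | iptables-restore
```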
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Thu May 03, 2018 10:35 am
by vkad
I have a single network interface on each of these servers, which are in LA. I am in London.
So these servers have a /29 block of IPs available on each server. I have managed to get a VLAN for these servers from the provider, so now I have set up a 10.0.0.0/20 IP alias on each server in addition to a single public IP on a single interface.
Since there is only single interface with both the public and the private ip now, how can I have different firewall zone or rules (yast firewall) for private IP alias on this single Ethernet interface. Right now the interface is assigned external in the firewall...
Any config suggestions?
Re: Using Public IP addresses ONLY for cluster possible?
Posted:
Thu May 03, 2018 12:32 pm
by williamconley
If you have two interfaces (eth1 & eth2 for instance) opensuse will manage them individually in "yast firewall" under "interfaces".
However, spoofed traffic in that situation could be problematic. Most don't alias the interface but go with either private or public and just work with what they have. It is preferable to add a 2nd NIC for the local traffic on a 1G switch for faster inter-server communications.