All installation and configuration problems and questions
Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
by vkad » Mon Apr 30, 2018 1:14 pm
I have 3 public servers with all public IPs.
I want to setup the
[list=]first as the DB server, dialer and web
the second as the dialer
the third as the dialer only.[/list]
Is is possible to set this up as a cluster? Ofcourse I will use very strong passwords, but does vicidial allow this?
What are the main passwords and ports to look out for in this case?
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
-
vkad
-
- Posts: 208
- Joined: Thu Nov 09, 2017 3:46 am
by mflorell » Mon Apr 30, 2018 2:23 pm
As long as you used ipv4, it should work fine.
-
mflorell
- Site Admin
-
- Posts: 18387
- Joined: Wed Jun 07, 2006 2:45 pm
- Location: Florida
-
by vkad » Mon Apr 30, 2018 4:48 pm
Public IPs accessible through the internet....How can I connect these securely to each other without a private IP?
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
-
vkad
-
- Posts: 208
- Joined: Thu Nov 09, 2017 3:46 am
by ngtechnologies » Tue May 01, 2018 5:09 am
Lock down with IP tables. But what you listed all 3 will need to connect to outside world.
MySQL port can be locked down to only allow access to the other servers, but need to open http/https and sip on all servers.
We have been using servers with pubic IPs for years without any hacks or issue.
-
ngtechnologies
-
- Posts: 24
- Joined: Mon Mar 27, 2017 11:13 am
by vkad » Wed May 02, 2018 9:35 pm
ngtechnologies wrote:Lock down with IP tables. But what you listed all 3 will need to connect to outside world.
MySQL port can be locked down to only allow access to the other servers, but need to open http/https and sip on all servers.
We have been using servers with pubic IPs for years without any hacks or issue.
What ports need to be open? (what about telnet, doesn't vicidial use telnet)
Can I please request your iptables config for the relevant ports. thanks..
We dont have any private ips on these servers and only public ips.
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
-
vkad
-
- Posts: 208
- Joined: Thu Nov 09, 2017 3:46 am
by williamconley » Wed May 02, 2018 9:43 pm
- Code: Select all
# Generated by iptables-save v1.4.8 on Wed May 2 22:39:32 2018
*raw
:PREROUTING ACCEPT [8125711:635559393]
:OUTPUT ACCEPT [4730223:17430245571]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed May 2 22:39:32 2018
# Generated by iptables-save v1.4.8 on Wed May 2 22:39:32 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:80]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xx.xx.xx.xx/32 -j ACCEPT (use this for hard-coded "whitelist" entries, one per public IP of other servers and call centers)
-A INPUT -s xx.xx.xx.xx/32 -j DROP (use this for hard-coded "blacklist" entries)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed May 2 22:39:32 2018
for use of the "GOOD" file generated by the "recent" iptables module, google Dynamic Good Guys firewall for Vicidial.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
-
williamconley
-
- Posts: 20258
- Joined: Wed Oct 31, 2007 4:17 pm
- Location: Davenport, FL (By Disney!)
-
by vkad » Thu May 03, 2018 7:29 am
Thanks williamconley, but it doesn't answer my question. I am not asking for DGG config, but thanks for that. I want to know what ports does vicibox cluster use to communicat between the nodes of a cluster. If my nodes only had public ips which ports will need to be looked out for.
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
-
vkad
-
- Posts: 208
- Joined: Thu Nov 09, 2017 3:46 am
by williamconley » Thu May 03, 2018 7:48 am
This isn't the DGG configuration, this is a simple OpenSuSE "stock" whitelist. With this configuration, you would open ALL ports between the servers in the cluster. This negates the need to put a line in for individual ports or know which ones to open. The public IP of each server is trusted, no need to lock "some" ports while opening others from these trusted IPs.
You *should* have a private network between the servers in addition to their public IPs, though. Seriously.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
-
williamconley
-
- Posts: 20258
- Joined: Wed Oct 31, 2007 4:17 pm
- Location: Davenport, FL (By Disney!)
-
by vkad » Thu May 03, 2018 10:35 am
I have a single network interface on each of these servers, which are in LA. I am London.
So these servers have a /29 block of IPs available on each server. I have managed to get a vlan for these servers from the provider, so now I have setup a 10.0.0.0/20 IP alias on each server in addition to a single public IP on a single interface.
Since there is only single interface with both the public and the private ip now, how can I have different firewall zone or rules (yast firewall) for private IP alias on this single Ethernet interface. Right now the interface is assigned external in the firewall...
Any config suggestions?
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
-
vkad
-
- Posts: 208
- Joined: Thu Nov 09, 2017 3:46 am
by williamconley » Thu May 03, 2018 12:32 pm
If you have two interfaces (eth1 & eth2 for instance) opensuse will manage them individually in "yast firewall" under "interfaces".
However, spoof traffic in that situation could be problematic. Most don't alias the interface but go with either private or public and just work with what they have. It is preferable to add a 2nd NIC for the local traffic on a 1G switch for faster inter-server communications.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
-
williamconley
-
- Posts: 20258
- Joined: Wed Oct 31, 2007 4:17 pm
- Location: Davenport, FL (By Disney!)
-
Return to Support
Who is online
Users browsing this forum: No registered users and 74 guests