Running a backend server without public internet access greatly reduces the risk of attacks. In this guide, you’ll learn how to securely isolate your server while still allowing it to fetch updates, using Leaseweb’s Private Network and a NAT gateway.
Use case:
This applies to customers running a backend service, such as a database server, on their Dedicated Server. The goal is to prevent the server from having direct internet access in order to reduce the risk of malicious attacks and improve overall security.
However, the server must still be able to access the internet to download security patches and updates.
Solution:
The proposed solution is based on an internet gateway that is used to reach the internet from internal networks.
It assumes the following infrastructure is in place:
- Leaseweb Private Network is attached to the Dedicated Server (backend server)
- A 2nd (Front-end) server is used that has both public connectivity and is connected to the same Private Network as the backend server.
- or a firewall appliance or other NAT device (like a Load Balancer) is in place.
By default, Leaseweb delivers each Dedicated server with public connectivity (uplink and a public IP address), which is used to perform an automated install of the Operating System on the server. On the Customer Portal, you can manage the public switch port of the server.
By closing the public switchport, you shut down the public internet connection but also your direct access to the server. (You always have the possibility to use our Remote Management to gain access to the server’s console).
If your server is connected to Private Network, you can set your default route (0.0.0.0/0) and default gateway to your frontend server or firewall Private Network IP address.
By doing so, all traffic will no longer use the public NIC but the Private Network.
On your Frontend server that has both internet access and Private Network access (for example your Webserver), you can configure it as NAT gateway or use a firewall device that acts as NAT gateway.
How to configure your server as NAT gateway and set the default gateway
A Linux computer can function as a Network Address Translation (NAT) gateway, allowing a private network to connect to the internet. This is achieved by enabling IP forwarding and configuring NAT rules, typically using iptables or firewall utilities.
Steps to configure a Linux machine as a NAT gateway:
1. Enable IP Forwarding:
This allows the Linux machine to forward packets between different network interfaces. You can do this temporarily with
echo 1 > /proc/sys/net/ipv4/ip_forward
or permanently by modifying the
/proc/sys/net/ipv4/ip_forward setting.
2. Configure NAT Rules:
You use iptables to define NAT rules, which map private network addresses to public addresses. For example:
- # Enable NAT (Masquerade) on outgoing interface
iptables -t nat -A POSTROUTING -o <public_interface> -j MASQUERADE
This translates private addresses to the public IP address of the gateway.
3. Configure Firewall Rules:
You’ll need to configure firewall rules to allow the necessary traffic between the private and public networks. For example:
- # Allow forwarding from internal to external
iptables -A FORWARD -i <private_interface> -o <public_interface> -j ACCEPT
- # Allow forwarding of established connections back in
iptables -A FORWARD -i <public_interface> -o <private_interface> -m state –state RELATED,ESTABLISHED -j ACCEPT
4. Save and Enable IPTables Rules:
If you use iptables, make sure to save the rules so they persist after a reboot, and enable them to run on boot.
5. Set Default Gateway:
Configure the clients on the private network to use the Linux machine as their default gateway.
Example Configuration (using iptables):
Let’s say:
- <public_interface> is eth0 (the interface connected to the internet)
- <private_interface> is eth1 (the interface connected to the private network)
Here’s a simplified example:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Firewall rules (forwarding traffic)
iptables -A FORWARD –i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD –i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
# Firewall rules (accept incoming traffic)
iptables -A INPUT –i eth0 -j ACCEPT
# Save iptables (if needed)
# iptables-save > /etc/iptables/rules.v4
Important Considerations:
- Security: Carefully configure your firewall rules to prevent unauthorized access.
- IP Address: Ensure that the Linux machine has a public IP address assigned to the public interface.
- DNS: Configure DNS on the private network so devices can resolve domain names to IP addresses.
With a NAT gateway and private routing, your backend server stays secure and off the public internet, without losing access to essential updates. A simple setup with strong impact.