
Blocking external traffic from nodes not on Digital Ocean #20

Closed
josegonzalez opened this issue Jul 5, 2016 · 6 comments · Fixed by #31 or #33

Comments

@josegonzalez

I have a use case where I need to have services listening on an external interface so that I can properly reference them across each server. In AWS, you could simply have the interface be 0.0.0.0 and block all traffic that is not within the security group attached to an instance.

In the ideal case, we could block all traffic that isn't coming from any of our instances' IPs and then just use a jumpbox when attempting to access those servers. Perhaps a second chain like droplan-external-peers could be used in this case?

@tam7t
Owner

tam7t commented Jul 19, 2016

I've considered adding support for the public interface (instead of/in addition to) the private interface, but most use cases I've come up with could be solved by just using the private interface and dropping all traffic on the public side (except for a jump/ingress box). Is there something preventing you from listening on 0.0.0.0 and adding a rule to drop traffic on the public iface?

@josegonzalez
Author

There are cases where software might explicitly bind to the external interface or not understand how to use the internal interface for tunneling. In my case, it would be a VPN box whose OSS solution only allows public IP usage, and thus wouldn't work as well if we dropped all traffic on the public iface.

@tam7t
Owner

tam7t commented Aug 12, 2016

I'm thinking about a flag, a PUBLIC_INTERFACE=true environment variable, to tell droplan to maintain a droplan-peers-public chain. Do you think that would work for your use case?

@josegonzalez
Author

Would I need to run droplan twice in that case?

@tam7t
Owner

tam7t commented Oct 16, 2016

@josegonzalez This took a while, but release 1.2.0 adds a PUBLIC=true option that will only allow traffic from your other droplets, in addition to blocking traffic on the private interface if one exists.
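
The setup discussed in this thread (services listening on 0.0.0.0, the public interface accepting only peer droplets plus a jump box, everything else dropped) as an added shell example; this is not droplan's own code. The chain name is the one proposed above, the interface name, jump box address and peer IPs are constructed placeholders, and the script takes a static peer list rather than discovering droplets the way droplan does.

```shell
#!/bin/sh
# Emit iptables commands for a public-interface chain that accepts traffic only
# from peer droplets and a jump box and drops everything else on that interface.
# Nothing is applied here: the commands are printed for review and can then be
# piped into `sh` on the host (as root).
#
#   $1   public interface name (e.g. eth0)
#   $2   chain name (droplan-peers-public, as proposed in the thread)
#   $3   jump box IP that operators connect from (hypothetical)
#   $4.. peer droplet public IPs
build_public_chain_rules() {
    iface=$1
    chain=$2
    jumpbox=$3
    shift 3
    # Create the chain, or flush it if it already exists, so reruns are idempotent.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    # Keep replies to connections the host itself opened (package updates, DNS).
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    # Operator access comes only through the jump box.
    printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$jumpbox"
    # One ACCEPT per peer droplet.
    for peer in "$@"; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$peer"
    done
    # Default for anything else arriving on the public interface.
    printf 'iptables -A %s -j DROP\n' "$chain"
    # Attach the chain to INPUT for the public interface only; -C avoids duplicates.
    printf 'iptables -C INPUT -i %s -j %s 2>/dev/null || iptables -I INPUT -i %s -j %s\n' \
        "$iface" "$chain" "$iface" "$chain"
}

# Constructed sample values (documentation address ranges, not real droplets).
PUBLIC_IFACE=eth0
JUMPBOX_IP=203.0.113.10
PEER_IPS="198.51.100.5 198.51.100.6"

# Print the rule set for the sample above; $PEER_IPS is unquoted on purpose
# so that each address becomes its own argument.
build_public_chain_rules "$PUBLIC_IFACE" droplan-peers-public "$JUMPBOX_IP" $PEER_IPS
```

The script only prints the rules; review them and run them on the host with root privileges. The ESTABLISHED,RELATED rule is what keeps the host's own outbound connections working once the public interface defaults to DROP.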

@josegonzalez
Author

<3
