By vinayhegde90
Hello everyone,
Server:
SSH Clients on my home computer which I use to connect using SSH keys
Now the situation is as follows
My home computer's public WAN IP address is changed automatically by my ISP via DHCP, about once a week or so.
On the server, I'm firewalling (hereafter referred to as the Firewall-layer for simplicity) as below:
DigitalOcean Cloud firewall --> server firewall IPTables --> TCPWrappers layer
By observing a pattern in my public IP subnets over a period of time, I've used them to determine my ISP's AS number via this, and I have white-listed a few of them in my Firewall-layer (strangely, they repeat in a random order & are restricted to the same 3-4 subnets, each with a /22 CIDR, hence the pattern).
Now, in the event that my public WAN IP changes, I momentarily lose access to my server since TCPWrappers prevents me from accessing it.
The workaround I use is to take console access of my Droplet & uncomment only the public IP subnet entry belonging to my current WAN IP address, leaving the others commented, which I uncomment as soon as the above recurs.
To fix this, I can either leave all the entries in TCPWrappers uncommented so as to avoid the hassle (but, as much as I understand, I strongly feel it is wrong as a security best practice),
or, the alternative:
I'm thinking of writing a bash script that would run on my VirtualBox VM, detect my current outgoing WAN IP address using a simple cURL call, & use it to modify TCPWrappers & IPTables on my Droplet as explained in the workaround above.
But for it to work, I'd need to be able to SSH onto my Droplet via its private IP on eth1, which is what I've been tinkering with, but I have been unable to find an ideal way to do so until now.
Could someone please guide me on the ideal way to achieve this?
Do let me know if any additional information is required, in case I have missed something out.
Your private IP is only reachable from other servers in the same datacenter (and soon, only from other servers in the same datacenter on the same account)
It sounds like you’re trying to reach your private IP from the outside - that won’t work.
DigitalOcean doesn't offer those services. You would have to build a second droplet which would host a VPN or your port forwarding, but then your problem is securing that second droplet.
Have you considered using DO's firewall instead of setting it up on the droplet yourself? You can control that through the DO web interface (and secure that using 2FA if you wish) or use 'doctl' to programmatically control it.
That way, you don't have to rely on the firewall on your droplet at all, and only need to trust DO to secure its own web interface. But you have to trust that anyway.
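Combining the doctl suggestion above with the script the question describes, here is an added example (not code from either poster) that looks up the current WAN IP, validates it, and swaps the /32 SSH rule in a DigitalOcean Cloud Firewall, adding the new rule before removing the old one so the run never locks itself out. It assumes DO_FIREWALL_ID holds the firewall's ID, that doctl is already authenticated, and that IP_LOOKUP_URL points at a hypothetical echo-my-IP service; the rule syntax is that of `doctl compute firewall add-rules --inbound-rules`.

```shell
#!/bin/sh
# Keep a DigitalOcean Cloud Firewall SSH rule pinned to the current WAN IP.
# Assumptions (not from the thread): DO_FIREWALL_ID holds the firewall's ID,
# doctl is already authenticated, and IP_LOOKUP_URL is a hypothetical service
# that echoes the caller's public address.
set -u

STATE_FILE="${STATE_FILE:-${HOME:-/tmp}/.last_wan_ip}"
IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://ip.example.invalid}"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255,
# so a lookup service that returns an error page can never reach doctl.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ssh_rule ADDR: the single-host (/32) inbound rule for port 22.
ssh_rule() {
    printf 'protocol:tcp,ports:22,address:%s/32\n' "$1"
}

current_wan_ip() {
    curl -fsS --max-time 10 "$IP_LOOKUP_URL" | tr -d '[:space:]'
}

# rotate_rule OLD NEW: add the new /32 before removing the old one, so the
# session running this script never locks itself out mid-update.
rotate_rule() {
    doctl compute firewall add-rules "$DO_FIREWALL_ID" --inbound-rules "$(ssh_rule "$2")" || return 1
    [ -z "$1" ] || doctl compute firewall remove-rules "$DO_FIREWALL_ID" --inbound-rules "$(ssh_rule "$1")"
}

main() {
    new_ip="$(current_wan_ip)"
    valid_ipv4 "$new_ip" || { echo "lookup returned '$new_ip', not an IPv4 address" >&2; return 1; }
    old_ip=""; [ -r "$STATE_FILE" ] && old_ip="$(cat "$STATE_FILE")"
    [ "$old_ip" != "$new_ip" ] || { echo "WAN IP unchanged ($new_ip)"; return 0; }
    rotate_rule "$old_ip" "$new_ip" && printf '%s\n' "$new_ip" > "$STATE_FILE"
}
# Only touch the network and the firewall when a firewall ID is configured.
[ -z "${DO_FIREWALL_ID:-}" ] || main
```

Run it from cron on the home machine with DO_FIREWALL_ID exported; the state file means doctl is only called when the address actually changes.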