Setting Up a Private Network

In the Internet address architecture, a private network is a group of interconnected systems that use a private IP address space, following RFC 1918 for Internet Protocol Version 4 (IPv4) and RFC 4193 for Internet Protocol Version 6 (IPv6). These networks are strictly local to an organization, and their traffic is not routed over the global Internet. You usually need a private network when several servers hosted with the same provider must communicate with each other, for example for backups or server clustering.

The term interconnect is also used when talking about private networks. An interconnect is a dedicated private network between the nodes or servers in one Ethernet broadcast domain (VLAN).

By default, servers communicate with each other over the Internet. Doing so, however, can limit network performance in volume and speed during peak traffic, which in turn drives up costs. Security is also an ever-present concern when traffic that may contain sensitive data is routed over the public space of external IPs.

Using a private network gives higher performance, because the restrictions applied to external traffic do not apply to servers on a private network. Data are also more secure when they travel over a private network, as the network is not reachable from the public Internet.

What You Need to Start

To create an interconnect, make sure all relevant servers are in one Ethernet broadcast domain (VLAN). If you only have two servers, you can directly connect them, though this may limit scalability in the future.

You will need a block of private IP addresses for your network. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IPv4 address space for private networks:

10.0.0.0 – 10.255.255.255 or 10.0.0.0/8
172.16.0.0 – 172.31.255.255 or 172.16.0.0/12
192.168.0.0 – 192.168.255.255 or 192.168.0.0/16

IANA has also assigned the FC00::/7 prefix, called Unique Local Unicast, to private IPv6 addresses.

When deciding whether to use private addresses, consult with your Internet Service Provider or datacenter about subnets you can use.

Configurations
*The information described below applies to CentOS 6.

To determine whether your commands will act on the external or the internal interface, use the following commands:

# ifconfig ethX
# route -n OR  # netstat -rn
NOTE: ethX is the name of the Ethernet device to work on.

The internal interface will use the private address space and the external or public interface will be on the same subnet as the default gateway.

You can use the command below to check whether the link is up and what the network port speed is:

# ethtool ethX

Each installed network adapter has a corresponding ifcfg-* file in /etc/sysconfig/network-scripts. To set up your private network configurations, use your text editor to edit or create files as follows:

Edit ifcfg-ethX directly, or use the text-based configuration tool system-config-network:
# vi /etc/sysconfig/network-scripts/ifcfg-ethX

  • First Ethernet card configuration file, which is often used for public interface: /etc/sysconfig/network-scripts/ifcfg-eth0
  • Second Ethernet card configuration file, which you are planning to use for your private network: /etc/sysconfig/network-scripts/ifcfg-eth1

Note: Most Linux kernels mark Ethernet devices as ethX, where ‘X’ is the number of the physical Ethernet interface, which starts at 0. The order however, may depend on how the OS sees the network card, i.e. how it is physically connected and configured (e.g. the first Ethernet device could be ‘eth1’ while the second is ‘eth0’).

To edit or modify the static IP configuration:

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:30:48:56:A6:2E
IPADDR=192.168.100.5
NETMASK=255.255.255.0
ONBOOT=yes

Note: Make sure the DEVICE= directive names your secondary (private) interface.

Save and close the file. Finally, use the following command to restart the network service:

# /sbin/service network restart

There are several ways you can check for connectivity and communication within your private network:

  • To ensure that all hosts are on the private network, ping them from one another at their private IPs:
    # ping <PRIVATE-IP-address>

  • Use the arping command to find your private network’s neighbor hosts:
    # arping -I ethX <PRIVATE-IP-address>

  • Use the traceroute command from one node to another over the configured private IPs, to make sure that no router shows up in between:
    # traceroute <PRIVATE-IP-address>

If your host runs the iptables/netfilter host-based firewall, configure it to allow private networking and the services you need, for example ICMP echo requests on the private interface:

# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT

Optional: You can also drop packets with private source addresses that arrive on the public interface:

# iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

Lastly, save your rules so that they are automatically reloaded the next time you reboot:

# /sbin/service iptables save
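Dropping private source addresses on the public interface is an anti-spoofing measure, and it only works if the rules cover the whole reserved space. The following Python script is an added example, not part of the original article: it checks a list of iptables DROP rules against the RFC 1918 and RFC 4193 blocks listed earlier and reports which blocks no rule on the public interface covers. The rule lines and interface names are constructed samples, and only the simple `-A INPUT -i IFACE -s NET -j DROP` form used above is recognised.

```python
import ipaddress

# The private address blocks listed earlier on this page: RFC 1918 for IPv4,
# RFC 4193 Unique Local Addresses for IPv6.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample: the two DROP rules shown above. Note that 192.168.0.0/24
# is only one /24 out of the 192.168.0.0/16 block.
PAGE_RULES = [
    "iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP",
    "iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP",
]

# Constructed sample: one DROP rule per RFC 1918 block.
FULL_RULES = [
    "iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP",
    "iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP",
    "iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP",
]


def is_private_address(addr):
    """True if addr (an IPv4 or IPv6 string) lies inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == block.version and ip in block for block in PRIVATE_BLOCKS)


def _arg(tokens, flag):
    """Value following `flag` in a token list, or None if the flag is absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def drop_sources(rules, iface="eth0"):
    """Collect the -s source networks of DROP rules that apply to iface.

    Rules without -i are treated as applying to every interface.
    """
    sources = []
    for rule in rules:
        tokens = rule.split()
        if _arg(tokens, "-j") != "DROP" or _arg(tokens, "-s") is None:
            continue
        if _arg(tokens, "-i") not in (None, iface):
            continue
        sources.append(ipaddress.ip_network(_arg(tokens, "-s"), strict=False))
    return sources


def uncovered_private_blocks(rules, iface="eth0"):
    """Return the IPv4 private blocks not fully covered by a DROP rule on iface.

    iptables handles IPv4 only; IPv6 rules live in ip6tables and are out of scope here.
    """
    dropped = drop_sources(rules, iface)
    uncovered = []
    for block in PRIVATE_BLOCKS:
        if block.version != 4:
            continue
        covered = any(d.version == 4 and block.subnet_of(d) for d in dropped)
        if not covered:
            uncovered.append(str(block))
    return uncovered


if __name__ == "__main__":
    print("not covered by the rules above:", uncovered_private_blocks(PAGE_RULES))
    print("not covered with one rule per block:", uncovered_private_blocks(FULL_RULES))
```

Run against the two rules shown above, the check reports 172.16.0.0/12 and 192.168.0.0/16 as uncovered, which is the gap a source-address filter on the public interface should close.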

Make sure public services, such as DNS, SMTP, and SSH, are listening on public IP addresses or on 0.0.0.0 (all addresses on the system). On the other hand, private services such as NFS and PostgreSQL should only listen on private IPs. Use the following command to see which services are listening on which addresses:

# netstat -nap -A inet -A inet6
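Reading that output by eye is error-prone on a busy host, so here is an added Python example (not from the original article) that parses `netstat -nap` style output and flags private-only services that are bound to a wildcard or public address. The sample output, PIDs and foreign addresses are constructed; the port-to-service mapping covers the two services named above, NFS (2049) and PostgreSQL (5432).

```python
import ipaddress

# Services that should only be reachable over the private network, keyed by port.
# The text names NFS and PostgreSQL; 2049 and 5432 are their default ports.
PRIVATE_ONLY_SERVICES = {2049: "nfs", 5432: "postgresql"}

# Constructed sample in the layout of `netstat -nap -A inet -A inet6` on CentOS 6.
# The PIDs, the foreign address and the PostgreSQL wildcard bind are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 0.0.0.0:5432                0.0.0.0:*                   LISTEN      2345/postmaster
tcp        0      0 10.1.1.50:2049              0.0.0.0:*                   LISTEN      -
tcp        0      0 10.1.1.50:22                203.0.113.9:51514           ESTABLISHED 3456/sshd
tcp        0      0 :::22                       :::*                        LISTEN      1234/sshd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1111/rpcbind
"""

# The same host after PostgreSQL has been moved to its private address.
FIXED_NETSTAT = SAMPLE_NETSTAT.replace("0.0.0.0:5432", "10.1.1.50:5432")


def parse_listeners(netstat_output):
    """Yield (proto, address, port, program) for every listening socket."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0]
        if proto.startswith("tcp"):
            # TCP rows carry a State column; only LISTEN rows are servers.
            if len(fields) < 7 or fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            # UDP rows have no State column, so the program is one field earlier.
            program = fields[5]
        address, port = fields[3].rsplit(":", 1)
        yield proto, address, int(port), program


def bound_to_private(address):
    """True if a bind address is a specific private (RFC 1918 / ULA / loopback) address.

    The wildcards 0.0.0.0 and :: are never private: they accept traffic on every
    interface, which is exactly what a private-only service must not do.
    """
    if address in ("0.0.0.0", "::"):
        return False
    return ipaddress.ip_address(address).is_private


def audit_listeners(netstat_output):
    """Return (service, proto, address, program) for private-only services that are
    exposed on a wildcard or public address."""
    findings = []
    for proto, address, port, program in parse_listeners(netstat_output):
        if port in PRIVATE_ONLY_SERVICES and not bound_to_private(address):
            findings.append((PRIVATE_ONLY_SERVICES[port], proto, address, program))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print("exposed:", finding)
    print("after fix:", audit_listeners(FIXED_NETSTAT))
```

On the constructed sample the only finding is PostgreSQL on 0.0.0.0:5432; SSH on the wildcard is expected for a public service, and NFS bound to 10.1.1.50 passes.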

Setting Up NFS in a Private Network

We will use a scenario as an example to demonstrate how to set up NFS in a private network. In this example, the plan is to export the file system from the host with IP address 10.1.1.50 (the NFS server) and then mount it on a host with IP address 10.1.1.55 (the NFS client). Both the NFS server and client are running Ubuntu Linux.

To set up the NFS server, use one of the /etc/exports entries listed below. Write the options directly after the host name, with no space before the opening parenthesis: a space there makes exportfs apply the options to every host instead.

  • /home/nfs/ 10.1.1.55(rw,sync): exports the /home/nfs directory to the host with IP address 10.1.1.55 with read-write permissions and in synchronous mode
  • /home/nfs/ 10.1.1.55(rw,sync,no_root_squash): exports the /home/nfs directory to the host with IP address 10.1.1.55 with read-write permissions, in synchronous mode, and with the remote root user keeping root privilege to change any file and directory
  • /home/nfs/ *(ro,sync): exports the /home/nfs directory to any host with read-only permissions and in synchronous mode

After choosing an entry, add it to /etc/exports and restart the NFS services so that the directory is shared on the network:

# vi /etc/exports
/home/nfs/ *(ro,sync)

In the example above, the /home/nfs directory is shared with any host with read-only permissions and in synchronous mode.
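Because the host-versus-options spacing in /etc/exports is so easy to get wrong, the added Python example below (not part of the original article) parses exports entries the way exportfs does, treating a bare "(options)" group as applying to every host, and flags world-writable exports and any client granted no_root_squash. The sample entries are constructed; the audit only looks at the options actually written, plus the exportfs defaults for a client written without any.

```python
# Default export options applied by exportfs when an entry gives none.
DEFAULT_OPTIONS = {"ro", "sync", "root_squash"}

# Constructed samples. In MISTYPED_EXPORTS the space between the host and the
# parenthesis is the classic mistake: exportfs reads the line as two clients,
# 10.1.1.55 with default options and "*" (every host) with rw,sync,no_root_squash.
GOOD_EXPORTS = "/home/nfs/ 10.1.1.55(rw,sync)\n"
MISTYPED_EXPORTS = "/home/nfs/ 10.1.1.55 (rw,sync,no_root_squash)\n"
WORLD_RO_EXPORTS = "/home/nfs/ *(ro,sync)\n"


def parse_exports(text):
    """Parse /etc/exports into [(path, [(client, options_set), ...]), ...].

    Follows exportfs rules: a token that starts with "(" is an options group for
    every host ("*"), and a client written without options gets the defaults.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for token in tokens:
            if token.startswith("("):
                client, opts = "*", token[1:].rstrip(")")
            elif "(" in token:
                client, opts = token.rstrip(")").split("(", 1)
            else:
                client, opts = token, ""
            options = {o for o in opts.split(",") if o} or set(DEFAULT_OPTIONS)
            clients.append((client, options))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """Return (path, client, issue) for world-writable exports and for any client
    that keeps remote root privileges (no_root_squash)."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            if client == "*" and "rw" in options:
                findings.append((path, client, "rw"))
            if "no_root_squash" in options:
                findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for sample in (GOOD_EXPORTS, MISTYPED_EXPORTS, WORLD_RO_EXPORTS):
        print(sample.strip(), "->", audit_exports(sample) or "ok")
```

The mistyped entry is reported twice: the "*" client is both writable by every host and exempt from root squashing, while the intended client 10.1.1.55 silently ends up read-only.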

To set up the NFS client, mount the shared directories on the NFS client:

# mkdir /home/nfs_local
# mount -t nfs 10.1.1.50:/home/nfs /home/nfs_local

To test if the NFS setup is working:

On the NFS server
# touch /home/nfs/nfs-test-file

On the NFS client
# ls /home/nfs_local/
nfs-test-file

Enabling Remote Access to PostgreSQL DB Server

By default, remote access to the PostgreSQL database server is disabled for security reasons. There may be times though when you would need remote access to the database server from a private-network computer or from the web server.

Edit the file /var/lib/pgsql/data/pg_hba.conf and append the following line to give access to the 10.10.29.0/24 network:

# vi /var/lib/pgsql/data/pg_hba.conf
host all all 10.10.29.0/24 trust
Note: Replace 10.10.29.0/24 with the actual network address range of the client systems in your own network. The trust method accepts connections from that range as any database user without a password; the md5 method requires one.

Save and close this file.
To enable networking for PostgreSQL:

# vi /var/lib/pgsql/data/postgresql.conf
listen_addresses='private-ip-address'
# /etc/init.d/postgresql restart

To ensure that iptables is not blocking communication, open port 5432 by appending rules to your iptables scripts or to the file /etc/sysconfig/iptables.
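To show the weak setting beside its corrected form, here is an added Python example (not from the original article) that parses pg_hba.conf entries, reports network rules that use trust on anything other than loopback, and rewrites them to the md5 password method. The sample lines are constructed around the 10.10.29.0/24 network used above, and the parser assumes the CIDR address form shown there rather than the separate-netmask form or hostnames.

```python
import ipaddress

LOOPBACK_NETWORKS = (ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128"))

# Constructed samples: the weak network rule from the text, and a loopback rule
# that is left alone by the hardening step.
WEAK_PG_HBA = "host    all    all    10.10.29.0/24    trust\n"
LOCAL_PG_HBA = "host    all    all    127.0.0.1/32     trust\n"


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts with type, database, user, address, method.

    Addresses are kept as the strings written in the file (CIDR form assumed).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":          # Unix-socket rule: no address column
            rules.append({"type": "local", "database": fields[1], "user": fields[2],
                          "address": None, "method": fields[3]})
        else:
            rules.append({"type": fields[0], "database": fields[1], "user": fields[2],
                          "address": fields[3], "method": fields[4]})
    return rules


def is_loopback(address):
    """True for 127.0.0.1/32 or ::1/128; False for anything else, including hostnames."""
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False
    return any(net.version == lb.version and net.subnet_of(lb) for lb in LOOPBACK_NETWORKS)


def audit_pg_hba(text):
    """Return the addresses of network rules that use `trust`, i.e. accept any
    connection from that range as any user without a password."""
    return [r["address"] for r in parse_pg_hba(text)
            if r["type"] != "local" and r["method"] == "trust" and not is_loopback(r["address"])]


def harden_pg_hba(text, method="md5"):
    """Rewrite network `trust` rules (other than loopback) to require a password.

    md5 is the password method available on the PostgreSQL releases shipped with
    CentOS 6; on PostgreSQL 10 and later, scram-sha-256 is the stronger choice.
    """
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 5 and fields[0] != "local" and fields[4] == "trust"
                and not is_loopback(fields[3])):
            fields[4] = method
            out.append("    ".join(fields))
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    print("trust on network ranges:", audit_pg_hba(WEAK_PG_HBA))
    print("hardened line:", harden_pg_hba(WEAK_PG_HBA))
```

After the rewrite, clients on 10.10.29.0/24 still reach the server over the private network, but they must present the database user's password; restart PostgreSQL as shown above for the change to take effect.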
