Solved

Server Migration

Posted on 2004-03-24
Last Modified: 2008-02-26
Hi everyone.  I am migrating my server, which serves apache, bind, qmail, ftp and mysql and also works as a router for the internal network. It uses 3 static public IPs (2 for DNS and 1 for the rest).
I am moving to another place and the new internet provider gave me new IPs. It's very important that the services the server provides don't suffer any downtime, so I have to replace the server (server2) with an identical server (server2) which will work in the identical way while I get server1 working in the new place with the new IPs (it should be no longer than 2 hours). So far so good, but after that I have to ask the NIC people to update both of my DNS servers' IPs. So while they do that and the propagation takes place and everything, I have to forward all the requests to the old IPs (server2) to the new IPs (server1), and server2 still has to keep working as a router for the internal network. How do I do that?

Here's the iptables script I am using now:

#!/bin/sh
# iptables, by Technion
# $Id: iptables,v 1.27 2002/04/25 07:56:24 technion Exp $
# chkconfig: 2345 08 80
# description: Script for setting IPTABLES rules
# processname: iptables


# Is this script to be run on Red Hat Linux?  If not, set to "NO"
REDHAT="YES"

# Network information you will need to adjust
INTERNALIF="eth1"
INTERNALNET="192.168.3.0/24"
INTERNALBCAST="192.168.3.255"
EXTERNALIF="eth0"
MYADDR="x.x.x.x"      # Only needed for DNAT, leave out otherwise
MYSQLSRV="x.x.x.x"

# Pathnames
DMESG="/bin/dmesg"
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"


# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
      . /etc/rc.d/init.d/functions
      case "$1" in
            stop)
                  action "Shutting down firewall:" echo
                  $IPTABLES -F
                  $IPTABLES -P FORWARD DROP
                  ;;
            status)
                  echo "The status command is not supported for iptables"
                  ;;
            restart|reload)
                  $0 stop
                  $0 start
                  ;;
            start)
                  action "Starting Firewall:" echo
                        ;;
                *)
                        echo "Usage: firewall (start|stop|restart)"
                        exit 1
        esac
fi


################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPTABLES -F INPUT
# Outgoing packets from the internal network
$IPTABLES -F OUTPUT
# Forwarding/masquerading
$IPTABLES -F FORWARD
#Nat table
$IPTABLES -t nat -F
##Setup sysctl controls which affect tcp/ip
 
#
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Defragment all Packets
#Default now

#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps.  These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this.  Comment out if necessary.
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog


##Set basic rules
#
#Note that unlike ipchains, rules passing through a FORWARD chain do NOT
#also have to pass through an INPUT chain.

#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
#      or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html

#This has been found to be a little buggy.  Removed for now.
#$IPTABLES -A INPUT -m unclean -j DROP
#$IPTABLES -A FORWARD -m unclean -j DROP

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP


# Allow all connections on the internal interface
#

$IPTABLES -A INPUT -i lo -j ACCEPT

#Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT


#Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
#
#Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

#Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
#Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT

# MYSQL forwarding
$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 3306 --dport 10061 -o $INTERNALIF -j ACCEPT

$IPTABLES -A FORWARD -i $INTERNALIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $MYSQLSRV --dport 3306 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $EXTERNALIF -j SNAT --to-source $MYADDR
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3306 -i $EXTERNALIF -j DNAT --to-destination $MYSQLSRV:3306   # variable name fixed: was $MYSQLSVR, which is never set



#Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

##ICMP
#ping don't forward pings going inside
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT

$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT

#Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

#Allow replies coming in

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT


#Whack allowances
#Allow DHCP- Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

#Allow nameserver packets.  Different versions of iptables seem to error here.
#Comment out if necessary.

#cat /etc/resolv.conf | \
#awk '/^nameserver/ {print $2}' | \
#xargs -n1 $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s

#Allow Telstra hearbeat
#This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

#From here on, we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest (so we don't DoS ourself with rejections)
#We don't limit normal packets (!syn) by allowing the rest
##Basic services.  Uncomment to allow in.
# ftp-data
$IPTABLES -A INPUT -p tcp  --dport 20 -j ACCEPT
# ftp
$IPTABLES -A INPUT -p tcp  --dport 21 -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#telnet
$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT

# smtp  One per second limt -burst rate of ten
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
        --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

# DNS  
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# identd
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
# https
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
#
##DNAT
#Modify addresses and uncomment to allow DNAT (port forwarding)

#Send web requests to an internal machine
#Send mail to an internal machine
#$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 80 \
#                      -j DNAT --to 192.168.1.10:80
#$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT

#$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 \
#                      -j DNAT --to 192.168.1.10:25
#$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.1.10 --dport 25 -j ACCEPT


##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Deepthrt " 
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Sub7 " 
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Sub7 " 
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Sub7 " 
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP

$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Netbus " 
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Netbus " 
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
                          --log-prefix "Firewalled packet: Netbus " 
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
                          --log-prefix "Firewalled packet: BO " 
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000  -m limit -j LOG \
                          --log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000  -j DROP


#Traceroutes depend on finding a rejected port.  DROP the ones it uses

$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT

#Don't log igmp.  Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT

#Don't log web or ssl because people surfing for long times lose connection
#tracking and cause the system to create a new one, flooding logs.
$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT

##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
#Log.  There's no point logging noise.  There's too much of it.
#Just log connection requests
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG  \
      --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
      --log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP

$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP  

#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE

$IPTABLES -P INPUT DROP

$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT DROP


exit 0
Question by:pwebonline
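The redirection the question asks for is ordinary DNAT plus SNAT on the box that keeps the old IPs (server2): a packet from the Internet for an old IP is rewritten to the matching new IP, forwarded back out the external interface, and its source is rewritten to the old IP so the new server answers server2, which un-NATs the reply. The script below is an added example, not the poster's script or anything from the thread; the addresses are documentation-range placeholders and the port list is taken from the services the question names. It prints the rules by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example (not the original poster's script): temporarily redirect the
# public services that still arrive on the OLD IPs, on the box that keeps
# routing the LAN (server2), to the NEW IPs of server1 while DNS propagates.
# All addresses are placeholders from the documentation ranges; substitute yours.
EXTERNALIF="eth0"
IPTABLES="${IPTABLES:-/sbin/iptables}"
APPLY="${APPLY:-0}"          # 0 = print the rules (dry run), 1 = execute them

# Old public IPs (placeholders) -> new public IPs (placeholders)
OLD_MAIN="192.0.2.10";  NEW_MAIN="198.51.100.10"   # apache, qmail, ftp, mysql
OLD_NS1="192.0.2.11";   NEW_NS1="198.51.100.11"    # first DNS server
OLD_NS2="192.0.2.12";   NEW_NS2="198.51.100.12"    # second DNS server

# Execute the command, or just print it in dry-run mode.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# redirect PROTO PORT OLD NEW
# 1. DNAT: packets from the Internet for OLD:PORT are rewritten to NEW:PORT.
# 2. FORWARD: accept that connection (it comes in and goes out on eth0);
#    -I puts the rule ahead of the catch-all REJECT/DROP at the end of FORWARD.
# 3. SNAT: the source becomes OLD, so the new server answers this box and
#    conntrack reverses both translations on the reply.
redirect() {
    proto=$1; port=$2; old=$3; new=$4
    run "$IPTABLES" -t nat -I PREROUTING -i "$EXTERNALIF" -p "$proto" -d "$old" --dport "$port" \
        -j DNAT --to-destination "$new:$port"
    run "$IPTABLES" -I FORWARD -i "$EXTERNALIF" -o "$EXTERNALIF" -p "$proto" -d "$new" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -t nat -I POSTROUTING -o "$EXTERNALIF" -p "$proto" -d "$new" --dport "$port" \
        -j SNAT --to-source "$old"
}

# Emit the whole redirection set: the main host's services plus both DNS
# servers over TCP and UDP (30 rules in total).
redirect_all() {
    for p in 21 25 80 110 443 3306; do
        redirect tcp "$p" "$OLD_MAIN" "$NEW_MAIN"
    done
    for pair in "$OLD_NS1:$NEW_NS1" "$OLD_NS2:$NEW_NS2"; do
        redirect tcp 53 "${pair%%:*}" "${pair##*:}"
        redirect udp 53 "${pair%%:*}" "${pair##*:}"
    done
}

# FTP data connections follow the control connection only with the NAT helper loaded.
run /sbin/modprobe ip_nat_ftp
redirect_all
```

Two things to keep in mind with this. The posted script flushes the nat table and ends FORWARD with REJECT/DROP, so these rules must be added after the script runs (or appended to it), and the SNAT step means the new server's apache and qmail logs show server2's address instead of the real client address for the whole window, which matters if you later need to investigate anything from that period. The loose rp_filter setting (echo 2) in the script is what lets the hairpinned traffic come back in on eth0. Once the registrar has the new nameserver addresses and old TTLs have expired, tear the rules down.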
2 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10690162
2 hours?
which services need to be routed from where to where?
 
LVL 3

Accepted Solution

by:
yhetti earned 500 total points
ID: 11185698
You might approach it differently.  Take a new machine and put it at the new location.  Get it working properly, then on the *original* machine, update the DNS entries to point to the new machine.  At that point, the registrar DNS info can be updated at your leisure with no downtime.  The only concern is syncing the data (rsync & mysql replication should work).

After a day or two when you're sure the DNS updates will have propagated, you can pull the original and swap out the "new" machine with maybe 10 seconds downtime while the ARP tables update.

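The accepted answer's approach hinges on one step: on the old authoritative nameserver, repoint the zone's A records at the new machine so every resolver that still reaches the old servers learns the new address. The two classic mistakes are forgetting to bump the SOA serial (secondaries never transfer the change) and leaving a long TTL (caches keep the old address for the whole TTL). The script below is an added example, not from the thread; it assumes a BIND-style zone file, shown here as a constructed sample with placeholder addresses, and leaves the ns1/ns2 host records alone because those change with the registrar glue.

```shell
#!/bin/sh
# Added example (not from the thread): repoint a BIND zone at the new server
# on the OLD authoritative nameserver, bumping the SOA serial and shortening
# the TTL. The zone and all addresses are constructed placeholders.
ZONE_SRC='$TTL 86400
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2004032401 ; serial
        3600 900 604800 86400 )
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
    IN A   192.0.2.10
www IN A   192.0.2.10
ns1 IN A   192.0.2.11
ns2 IN A   192.0.2.12'

# bump_serial OLD YYYYMMDD: next YYYYMMDDnn serial. Uses today's date with
# nn=01 unless OLD is already at or past that, in which case OLD+1, so the
# serial always increases (secondaries only transfer on a higher serial).
bump_serial() {
    old=$1; today="${2}01"
    if [ "$old" -ge "$today" ]; then echo $((old + 1)); else echo "$today"; fi
}

# rewrite_zone OLDIP NEWIP YYYYMMDD: prints the zone with every A record
# that ends in OLDIP changed to NEWIP, the serial bumped and the TTL cut to
# 5 minutes so caches drop the old address quickly.
rewrite_zone() {
    oldip=$1; newip=$2; day=$3
    serial=$(printf '%s\n' "$ZONE_SRC" \
        | sed -n 's/^[[:space:]]*\([0-9]\{10\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p')
    new=$(bump_serial "$serial" "$day")
    esc=$(printf '%s' "$oldip" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$ZONE_SRC" \
        | sed -e "s/$serial ; serial/$new ; serial/" \
              -e "s/ $esc\$/ $newip/" \
              -e 's/^\$TTL .*/$TTL 300/'
}

rewrite_zone 192.0.2.10 198.51.100.10 "$(date +%Y%m%d)"
```

Run it on the old nameserver, write the output over the zone file, and reload named; check with dig @ns1 and @ns2 that both answer with the new address and the new serial before asking the registrar to change the nameserver IPs. Lowering the TTL is most useful if it is done a day before the move, since resolvers honour the TTL they already cached.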
