
Droplan: Manage iptable rules for the private interface on DigitalOcean droplets - mreithub
https://github.com/tam7t/droplan/
======
mreithub
I don't know if it's well known, but the so called 'private' interfaces DO
offers aren't really private. Any other machine in the same datacenter can
access your services.

So if you have a redis/mongo/... server listening in your 'private' network,
I'd suggest you secure your internal services using a firewall (and droplan is
a pretty simple tool to do so automatically).

------
LinuxBender
Have you considered using ipset so that rules don't have to change and IPs
can be dynamically added/removed?

~~~
mreithub
Hadn't heard of ipset before, but yeah, that seems to be a cleaner way to do
this. Maybe open a feature request?

From what I can tell, there are still a few minor details to be etched out in
droplan (e.g. running as background service to avoid rewriting the rules every
time, ...), but it seems to do its job reasonably well (been using it for
roughly two months now).

I'm not affiliated with the project (I only did a PR once involving the
Dockerfile).
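An added example, not part of the thread and not droplan's own code, showing both points raised above: firewalling the so-called private interface so that only known droplets can reach internal services, and doing it with ipset so the iptables rule stays fixed while the allowed IPs change. Everything below is an assumption for illustration: the interface name `eth1`, the set name `droplan_peers`, the chain name `DROPLAN`, the constructed peer list (one public address is included on purpose to show it being rejected), the restriction to 10.0.0.0/8, and the extra ESTABLISHED,RELATED rule so replies to the droplet's own outbound connections on the private network are not dropped. Without `APPLY=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Allow only listed peer droplets to reach services on the private interface.
# Dry run by default; APPLY=1 pipes the generated commands into sh (needs root).

PRIVATE_IF=${PRIVATE_IF:-eth1}      # assumption: DO private interface name
SET_NAME=droplan_peers              # assumption: ipset name
CHAIN=DROPLAN                       # assumption: iptables chain name
# Constructed allowlist; 203.0.113.5 is a public address included to show rejection.
PEERS="10.132.0.2 10.132.0.3 203.0.113.5"

# Accept only a dotted quad inside 10.0.0.0/8 (assumption: DO private range).
validate_private_ip() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ]
}

# Print the ipset/iptables commands. The membership is built in a temporary
# set and swapped in atomically, so the rule that references $SET_NAME never
# has to be rewritten when peers are added or removed.
gen_rules() {
  echo "ipset create $SET_NAME hash:ip -exist"
  echo "ipset create ${SET_NAME}_tmp hash:ip -exist"
  echo "ipset flush ${SET_NAME}_tmp"
  for ip in $PEERS; do
    if validate_private_ip "$ip"; then
      echo "ipset add ${SET_NAME}_tmp $ip -exist"
    else
      echo "# skipped $ip: not an address in 10.0.0.0/8" >&2
    fi
  done
  echo "ipset swap ${SET_NAME}_tmp $SET_NAME"
  echo "ipset destroy ${SET_NAME}_tmp"
  # Dedicated chain: replies to our own connections, then allowed peers, then drop.
  echo "iptables -N $CHAIN 2>/dev/null || true"
  echo "iptables -F $CHAIN"
  echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A $CHAIN -m set --match-set $SET_NAME src -j ACCEPT"
  echo "iptables -A $CHAIN -j DROP"
  # Hook the chain into INPUT for the private interface exactly once.
  echo "iptables -C INPUT -i $PRIVATE_IF -j $CHAIN 2>/dev/null || iptables -I INPUT -i $PRIVATE_IF -j $CHAIN"
}

if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sh
else
  gen_rules
fi
```

Re-running the script after editing `PEERS` only changes the set contents; the `iptables` rules are idempotent, which is the property the ipset suggestion above buys over regenerating per-IP rules.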

