Linode Forum
https://forum.linode.com/

[SOLVED] local ip and iptables - open mysql
https://forum.linode.com/viewtopic.php?f=19&t=3668
Page 1 of 1

Author:  nateleavitt [ Tue Nov 18, 2008 3:33 pm ]
Post subject:  [SOLVED] local ip and iptables - open mysql

Hey guys! I'm trying to get some database replication working across Linodes using the local IP addresses. For some reason I can't get the MySQL port open for the local network address.

Here is my nmap scan at my local address:
Code:
Not shown: 1711 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
3306/tcp closed mysql


Here is my iptable script:
Code:
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
COMMIT


And here is my ifconfig (I changed the local and public addresses to end with 123):
Code:
eth0      Link encap:Ethernet  HWaddr fe:fd:48:0e:b3:4b  
          inet addr:72.14.179.123  Bcast:72.14.179.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:48ff:fe0e:b34b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:279707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68914 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:37406169 (35.6 MB)  TX bytes:44425519 (42.3 MB)

eth1      Link encap:Ethernet  HWaddr fe:fe:c0:a8:87:97 
          inet addr:192.168.135.123  Bcast:192.168.255.255  Mask:255.255.128.0
          inet6 addr: fe80::fcfe:c0ff:fea8:8797/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18727 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1736287 (1.6 MB)  TX bytes:3898 (3.8 KB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:656956 (641.5 KB)  TX bytes:656956 (641.5 KB)


I have edited my.conf to include the bind address of: 192.168.135.123.

Any help or pointers would be much appreciated.

Author:  Internat [ Tue Nov 18, 2008 5:27 pm ]
Post subject: 

I assume you restarted MySQL after you bound it to the IP, right?
And that you removed the option for skip-local-networking? Or skip-networking? I can't remember the exact one.

Author:  Xan [ Tue Nov 18, 2008 11:36 pm ]
Post subject: 

The more recent MySQL releases use:
Code:
bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.

Author:  hybinet [ Wed Nov 19, 2008 1:06 am ]
Post subject: 

Xan wrote:
The more recent MySQL releases use:
Code:
bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.


That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.

So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.

Author:  Xan [ Wed Nov 19, 2008 1:13 am ]
Post subject: 

It'll still be accessible via the Unix socket, so the command-line client will still work fine.

Author:  MrRx7 [ Wed Nov 19, 2008 5:57 am ]
Post subject: 

As previously mentioned, your best bet is to comment out the bind-to-IP-address option and just firewall to only allow inbound connections to 3306 from the IP address of your other server.

Also make sure any sql accounts with the host of '%' are password protected.

Author:  nateleavitt [ Wed Nov 19, 2008 12:28 pm ]
Post subject: 

hybinet wrote:
Xan wrote:
The more recent MySQL releases use:
Code:
bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.


That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.

So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.


right now I have

Code:
bind-address=127.0.0.1 192.168.135.123


I thought you could bind multiple addresses. I'll try removing it to see if that would work.

Author:  nateleavitt [ Wed Nov 19, 2008 12:45 pm ]
Post subject: 

ok guys...

I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:

Code:
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT


Thanks for the suggestions guys!

Author:  MrRx7 [ Thu Nov 20, 2008 3:20 am ]
Post subject: 

nateleavitt wrote:
ok guys...

I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:

Code:
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT


Thanks for the suggestions guys!


Glad you got it working; however, just because you have restricted traffic to the internal network within the data center does not mean you are safe. I would still suggest limiting your firewall down to the specific IP address of your other server.

for example:
Code:
-A INPUT -p TCP -s xx.xx.xx.xx --destination-port 3306 -j ACCEPT
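The thread ends with two checks worth automating: hybinet's point that a single `bind-address` (or none) is what the server accepts, and MrRx7's point that an `INPUT` accept for 3306 should be narrowed to the peer's address rather than just the interface. The following audit script is an added example written for this editorial pass; it is not code from the thread or from Linode. It parses a constructed `iptables-save`-style dump (rules modelled on the ones posted above, with a made-up peer address `192.168.135.45`) and grades every `INPUT` rule that accepts port 3306 as open-to-all, interface-restricted, or source-restricted, and it flags the space-separated multi-address `bind-address` line nateleavitt tried.

```python
import re
import shlex

# Constructed sample iptables-save output (not from the thread verbatim):
# the original open rule, the "-i eth1" fix, and the per-host tightening.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -s 192.168.135.45/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed my.cnf fragment reproducing the invalid two-address line.
SAMPLE_MY_CNF = "bind-address=127.0.0.1 192.168.135.123\nport=3306\n"


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we care about."""
    toks = shlex.split(line)
    rule = {"chain": None, "in_iface": None, "src": None,
            "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "-A":
            rule["chain"] = nxt; i += 2
        elif t == "-i":
            rule["in_iface"] = nxt; i += 2
        elif t == "-s":
            rule["src"] = nxt; i += 2
        elif t == "-p":
            rule["proto"] = nxt.lower(); i += 2   # iptables accepts "TCP" or "tcp"
        elif t in ("--dport", "--destination-port"):
            rule["dport"] = nxt; i += 2
        elif t == "-j":
            rule["target"] = nxt; i += 2
        else:
            i += 1
    return rule


def classify_accept(rule):
    """Narrowest match wins: a source address beats an interface, which beats nothing."""
    if rule["src"]:
        return "source-restricted"
    if rule["in_iface"]:
        return "interface-restricted"
    return "open-to-all"


def audit_port(dump, port):
    """Return [(rule_line, verdict)] for every INPUT ACCEPT rule on `port`."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        if r["target"] == "ACCEPT" and r["dport"] == str(port):
            findings.append((line, classify_accept(r)))
    return findings


def check_bind_address(my_cnf_text):
    """Return (status, value) for the first active bind-address directive.

    A commented-out or absent directive means the server listens on all
    interfaces (hybinet's suggestion); a value with whitespace-separated
    addresses is not a valid form and is flagged.
    """
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"bind-address\s*=\s*(.+)$", line)
        if m:
            val = m.group(1).strip()
            if len(val.split()) > 1:
                return ("invalid-multiple-addresses", val)
            return ("single-address", val)
    return ("all-interfaces", None)


if __name__ == "__main__":
    for rule, verdict in audit_port(SAMPLE_RULES, 3306):
        print(f"{verdict:22s} {rule}")
    print("bind-address:", check_bind_address(SAMPLE_MY_CNF))
```

Run it against real output with `iptables-save | python3 audit.py`-style piping after swapping `SAMPLE_RULES` for `sys.stdin.read()`; any `open-to-all` verdict on 3306 is the situation the original rule in this thread created, and `interface-restricted` is the intermediate fix that MrRx7's last post advises tightening further.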
