Good day,
I have a CentOS 7 machine that is going to be a webserver and a TeamSpeak server at the same time. I have configured the iptables correctly for my webserver: Nginx and MariaDB are available on the designated ports. Now I have my TeamSpeak 3 server installed, but it cannot contact the MySQL (MariaDB) database on the same machine. I don't know what iptables entry I should add to make it contact it.
These are my iptables rules:
# Fresh start
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# SSH
iptables -A INPUT -p tcp -s <ADMIN IP> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# allow rpm and stuff
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# HTTP(S) Webserver
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# MariaDB Mysql
iptables -A INPUT -p tcp -s <ADMIN IP> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
# Teamspeak
iptables -A INPUT -p udp --dport 9987 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 9987 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 2008 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2008 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 30033 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 30033 -m state --state ESTABLISHED -j ACCEPT
# save & reboot
service iptables save
systemctl restart iptables
What entry am I missing to make it work? The logs of TeamSpeak clearly say it cannot connect to 127.0.0.1, and when I turn off iptables everything works, so it has to be something I am missing. I also don't want to add a global loopback entry!
Add the following to your MariaDB MySQL rules:
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -d 127.0.0.1 --sport 3306 ! --syn -j ACCEPT
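As an added check (example code written for this page, not from either poster), the following Python model walks the question's filter rules for a loopback connection from a TeamSpeak client port to 127.0.0.1:3306 and reports which chain drops it. It assumes the standard conntrack behaviour that a locally originated connection's SYN passes OUTPUT and then INPUT in state NEW before the SYN-ACK comes back as ESTABLISHED, uses 203.0.113.10 as a placeholder for <ADMIN IP>, and adds two assumed loopback-only rules to show what each chain needs.

```python
import shlex
# Constructed subset of the question's rules (203.0.113.10 stands in for <ADMIN IP>).
QUESTION_RULES = """
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 203.0.113.10 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
""".strip().splitlines()
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}
# Assumed loopback-only additions (not rules quoted from the thread): accept the
# client's first SYN when it leaves via lo and again when it arrives on lo.
LOOPBACK_RULES = [
    "iptables -A OUTPUT -p tcp -o lo -d 127.0.0.1 --dport 3306 -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -p tcp -i lo -s 127.0.0.1 --dport 3306 -m state --state NEW -j ACCEPT",
]

def parse_rule(line):
    """'iptables -A CHAIN <matches> -j TARGET' -> (chain, {match: value}, target)."""
    toks, hdr, m = shlex.split(line), {}, {}
    for i in range(1, len(toks), 2):        # every option used here takes one argument
        opt, arg = toks[i], toks[i + 1]
        if opt in ("-A", "-j"):
            hdr[opt] = arg
        elif opt in ("-p", "-s", "-d", "-i", "-o", "--sport", "--dport", "--state"):
            m[opt] = set(arg.split(",")) if opt == "--state" else arg
        elif opt != "-m":                    # "-m state" / "-m tcp" add no match
            raise ValueError("unsupported option " + opt)
    return hdr["-A"], m, hdr["-j"]
def matches(key, want, pkt):
    """One rule match against a packet; -i and -o both test the packet's interface."""
    if key == "--state":
        return pkt["state"] in want
    return pkt["iface" if key in ("-i", "-o") else key] == want
def verdict(rules, chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for c, m, target in rules:
        if c == chain and all(matches(k, v, pkt) for k, v in m.items()):
            return target
    return POLICY[chain]
def local_mysql_connect(rule_lines):
    """Walk 127.0.0.1:45000 -> 127.0.0.1:3306 (SYN as NEW, SYN-ACK as ESTABLISHED)."""
    rules = [parse_rule(l) for l in rule_lines]
    syn = {"-p": "tcp", "-s": "127.0.0.1", "-d": "127.0.0.1",
           "--sport": "45000", "--dport": "3306", "iface": "lo"}
    ack = dict(syn, **{"--sport": "3306", "--dport": "45000"})
    for chain, pkt, state in [("OUTPUT", syn, "NEW"), ("INPUT", syn, "NEW"),
                              ("OUTPUT", ack, "ESTABLISHED"), ("INPUT", ack, "ESTABLISHED")]:
        if verdict(rules, chain, dict(pkt, state=state)) != "ACCEPT":
            return f"DROP in {chain} ({state})"   # first chain whose policy drops it
    return "ACCEPT"
```

The model supports only the matches used in the question's rule set; any other option (such as `! --syn`) raises ValueError rather than being silently ignored.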
Related
We have installed samba4 on an Ubuntu 18.04 server and we are getting a DNS error.
Issue in DNS
Please find the /etc/resolv.conf file
Please find the /etc/samba/smb.conf
Please help me to resolve the issue
Thanks
I think you should allow the traffic in the firewall with these:
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p udp --dport 135 -j ACCEPT
iptables -A OUTPUT -p udp --dport 135 -j ACCEPT
though if you don't add
browseable = yes
you may not see the shared files
I'm trying to make MySQL available on 2 ports: 3306 and 3339.
I added a rule to iptables:
iptables -t nat -A PREROUTING -i bond0 -p tcp --dport 3339 -j REDIRECT --to-port 3306
and everything is great for remote connections.
But if I'm trying to connect it locally, I'm getting an error:
mysql -u username -ppassword --port=3339 -h Host.Name
ERROR 2003 (HY000): Can't connect to MySQL server on 'Host.Name' (111)
Any ideas how I can edit iptables to get local access via port 3339?
Since PREROUTING isn't used by the loopback interface we have to add one more rule:
iptables -t nat -I OUTPUT -p tcp -o lo --dport 3339 -j REDIRECT --to-ports 3306
Recently I've managed to block all unused ports on my dedicated server (Linux CentOS latest 64-bit) but whenever I do so, sites that connect to my database just simply cannot connect.
iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --sport 3306 -j ACCEPT
I believe it has something to do with the OUTPUT port, but I am not sure.
Thanks.
If you want to allow remote incoming mysql connections you will need to define an INPUT rule that is not isolated to your local interface:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
In CentOS this will be defined in the /etc/sysconfig/iptables file. Then restart:
sudo service iptables restart
Alternatively, from the command line, you can use:
sudo system-config-firewall-tui
To configure your firewall, it is in the package of the same name:
sudo yum install system-config-firewall-tui -y
I want to whitelist 2 external IP addresses for port 3306 (MySQL), but block all other IP addresses from port 3306 on a Debian server running a MySQL instance. Both external IP addresses should be able to connect to the MySQL server.
What is the best way to do this in iptables?
What I did:
/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 1.1.1.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 85.x.x.x --dport 3306 -j ACCEPT
(1.1.1.1 is an internal IP and masked here for security purposes)
## Block all connections to 3306 ##
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
What happened:
every external IP is locked and can't connect
What should happen:
every external IP will be locked and can't connect, except 1.1.1.1, 85.x.x.x and 127.0.0.1
iptables -N mysql # create chain for mysql
iptables -A mysql --src 127.0.0.1 -j ACCEPT
iptables -A mysql --src 1.1.1.1 -j ACCEPT
iptables -A mysql --src 85.x.x.x -j ACCEPT
iptables -A mysql -j DROP # drop packets from other hosts
iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql # use chain for packets to MySQL port
I am trying to restrict the MySQL 3306 port on a Linux machine from making any connections to anything other than localhost to prevent outside attacks. I have the following code; I am not sure if it's correct:
iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
My other question is: is it correct to only give localhost access? This is a standard dedicated CentOS webserver with more than 30 domains on it.
Why not just turn off networking with MySQL?
Add to my.cnf:
skip-networking
It's supposed to also give a negligible performance improvement by forcing connection through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
The above rule combines your two lines into a single one.
Answer to your second question:
If you do not want to provide mysql access from other than localhost, then it is perfect to configure this way. Simple. :-)
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
If you want to remove the filtering, use this:
iptables -D INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -D INPUT -p tcp --dport 3306 -j DROP
Note: Both might require root, so: sudo iptables (...)