Recently I've managed to block all unused ports on my dedicated server (Linux CentOS latest 64-bit) but whenever I do so, sites that connect to my database just simply cannot connect.
iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --sport 3306 -j ACCEPT
I believe it has something to do with the OUTPUT port, but I am not sure.
Thanks.
If you want to allow remote incoming mysql connections you will need to define an INPUT rule that is not isolated to your local interface:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
In Centos this will be defined in the /etc/sysconfig/iptables file. Then restart:
sudo service iptables restart
Alternatively, from the command line, you can use:
sudo system-config-firewall-tui
To configure your firewall, it is in the package of the same name:
sudo yum install system-config-firewall-tui -y
We have installed samba4 on an Ubuntu 18.04 server and we are getting a DNS error.
Issue in DNS
Please find the /etc/resolv.conf file
resolv.conf
Please find the /etc/samba/smb.conf
smb.conf file
Please help me to resolve the issue
Thanks
I think you should allow the traffic in the firewall with these:
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p udp --dport 135 -j ACCEPT
iptables -A OUTPUT -p udp --dport 135 -j ACCEPT
though if you don't add
browseable = yes
you may not see the shared files
I'm trying to open tcp and udp port 7774 on google cloud VM instance without results.
I'm sure that my server is using this network. For example, the ssh port is opened; the rdp port also should be opened, but I can't communicate with the server on this port. The same situation is with port 7774: I have to set up something which needs this port to communicate, but I don't know how.
I also added rules to iptables:
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
iptables -A INPUT -p udp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
Without any results.
I'm trying to make MySQL available by 2 ports: 3306 and 3339
I added rule to iptables:
iptables -t nat -A PREROUTING -i bond0 -p tcp --dport 3339 -j REDIRECT --to-port 3306
and everything is great for remote connections.
But if I'm trying to connect it locally, I'm getting an error:
mysql -u username -ppassword --port=3339 -h Host.Name
ERROR 2003 (HY000): Can't connect to MySQL server on 'Host.Name' (111)
Any ideas how can I edit iptables to get local access via 3339 port?
Since PREROUTING isn't used by the loopback interface we have to add one more rule:
iptables -t nat -I OUTPUT -p tcp -o lo --dport 3339 -j REDIRECT --to-ports 3306
I want to whitelist 2 external IP addresses for port 3306 (mysql), but block all other IP addresses to port 3306 on a Debian server running a mysql instance. Both external IP addresses should be able to connect to the mysql server.
What is the best way in iptables?
What I did:
/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 1.1.1.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 85.x.x.x --dport 3306 -j ACCEPT
(1.1.1.1 is an internal ip and masked here for security purposes)
## Block all connections to 3306 ##
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
What happened:
every external ip is locked and can't connect
What should happen:
every external IP will be locked and can't connect, but not 1.1.1.1, 85.x.x.x and 127.0.0.1
iptables -N mysql # create chain for mysql
iptables -A mysql --src 127.0.0.1 -j ACCEPT
iptables -A mysql --src 1.1.1.1 -j ACCEPT
iptables -A mysql --src 85.x.x.x -j ACCEPT
iptables -A mysql -j DROP # drop packets from other hosts
iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql # use chain for packets to MySQL port
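A consolidated version of the allowlist chain above, together with the loopback and established-connection rules that the dedicated-server question at the top of this page was missing, as an added example that is not code from any answer here. It assumes the conntrack match is available and that `iptables` is on the path; 203.0.113.10 and 198.51.100.7 are constructed placeholder client addresses, and setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: rebuild a MySQL client
# allowlist as a dedicated chain and add the base INPUT rules that keep a
# filtered host usable (loopback, established flows).
# Assumptions: the conntrack match is available; IPT can be overridden
# (IPT=echo) to preview the commands instead of applying them.

IPT="${IPT:-iptables}"
MYSQL_PORT="${MYSQL_PORT:-3306}"

# mysql_allowlist CHAIN SRC [SRC...]
# Rebuilds CHAIN so that only packets *from* the listed hosts/CIDRs reach the
# MySQL port; everything else that enters the chain is dropped.
mysql_allowlist() {
    chain="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "mysql_allowlist: no client addresses given" >&2
        return 2
    fi
    # -N fails when the chain already exists; -F then empties it, so the
    # function can be re-run without duplicating rules
    "$IPT" -N "$chain" 2>/dev/null || true
    "$IPT" -F "$chain"
    for src in "$@"; do
        # -s matches the client (source); -d, as in the question, would name
        # the server's own address and never match a remote client
        "$IPT" -A "$chain" -s "$src" -p tcp --dport "$MYSQL_PORT" -j ACCEPT
    done
    "$IPT" -A "$chain" -p tcp --dport "$MYSQL_PORT" -j DROP
}

# mysql_base_rules CHAIN
# Accepts loopback and reply traffic, then inserts the jump into CHAIN at the
# top of INPUT so it takes effect before any broader existing rule.
mysql_base_rules() {
    chain="$1"
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -I INPUT -p tcp --dport "$MYSQL_PORT" -m conntrack --ctstate NEW -j "$chain"
}

# Apply only when explicitly asked (needs root); the addresses are constructed
# placeholders from the documentation ranges, not real clients.
if [ "${APPLY:-0}" = 1 ]; then
    mysql_allowlist mysql 127.0.0.1 203.0.113.10 198.51.100.7
    mysql_base_rules mysql
fi
```

Run it as `IPT=echo sh mysql-allowlist.sh` first to review the rule list, then `APPLY=1 sh mysql-allowlist.sh` as root. Because the jump is inserted at position 1 of INPUT, a local client that connects to the server's public address (as in the `-h Host.Name` question above) is only accepted if that address is also in the list; 127.0.0.1 alone covers connections to localhost. The script sets no default policy and does not persist anything; on CentOS the result still has to be saved into /etc/sysconfig/iptables (for example with `iptables-save`) as the first answer on this page describes.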
I am trying to restrict the MySQL 3306 port on a Linux machine from accepting any connections from anything other than localhost, to prevent outside attacks. I have the following code; I am not sure if it's correct:
iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
My other question is: is it correct to only give localhost access? This is a standard dedicated CentOS webserver with more than 30 domains on it.
Why not just turn off networking with MySQL?
Add to my.cnf:
skip-networking
It's supposed to also give a negligible performance improvement by forcing connection through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
The above rule is for converting two lines into single one.
Answer to your second question:
If you do not want to provide mysql access from other than localhost, then it is perfect to configure this way. Simple. :-)
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
If you want to remove the filtering, use this:
iptables -D INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -D INPUT -p tcp --dport 3306 -j DROP
Note: Both might require root, so: sudo iptables (...)
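Whichever of the two approaches is chosen, skip-networking or the pair of INPUT rules, it is worth confirming afterwards that the server really is reachable only on loopback. The following is an added example, not code from this answer: a POSIX sh function that reads `ss -lnt` output and reports any listener on the MySQL port bound to a non-loopback address. The socket table embedded at the bottom is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from this answer: confirm that MySQL listens only on
# loopback after the firewall rules or skip-networking have been applied.
# Input is the output of `ss -lnt` (header line included) on stdin.

MYSQL_PORT="${MYSQL_PORT:-3306}"

# exposed_mysql_listeners
# Prints every LISTEN socket on $MYSQL_PORT whose local address is not
# 127.0.0.1 or [::1]; returns 1 if any were found, 0 if the port is
# loopback-only or not listening at all (the skip-networking case).
exposed_mysql_listeners() {
    awk -v port="$MYSQL_PORT" '
        $1 == "State" { next }                    # skip the ss header
        {
            addr = $4                             # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next            # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print addr                            # reachable from off-host
            found = 1
        }
        END { if (found) exit 1 }
    '
}

# check_ss_output TEXT: convenience wrapper so a captured table can be passed
# as a string instead of a pipe.
check_ss_output() {
    printf '%s\n' "$1" | exposed_mysql_listeners
}

# Constructed sample table (not captured from a real host): sshd on all
# addresses, mysqld on both 0.0.0.0 and 127.0.0.1.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      151    0.0.0.0:3306      0.0.0.0:*
LISTEN 0      151    127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

if check_ss_output "$SAMPLE_SS"; then
    echo "MySQL port $MYSQL_PORT is loopback-only"
else
    echo "MySQL port $MYSQL_PORT is exposed on the address(es) above" >&2
fi
```

On a live host run `ss -lnt | exposed_mysql_listeners`; an exit status of 0 with no output means either the socket is bound to loopback only or, after skip-networking, there is no TCP listener at all. The check looks at the socket layer only, so with the iptables approach it will still list 0.0.0.0:3306 (the daemon is bound there, the firewall just filters it); in that case the rules themselves have to be reviewed with `iptables -L INPUT -n --line-numbers`.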