[SOLVED] local ip and iptables - open mysql

Hey guys! I'm trying to get some database replication working across Linodes using the local IP addresses. For some reason I can't get the MySQL port open for the local network address.

Here is my nmap scan at my local address:

Not shown: 1711 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
3306/tcp closed mysql

Here is my iptables script:

*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
COMMIT

And here is my ifconfig (I changed the local & public address to end with 123):

eth0      Link encap:Ethernet  HWaddr fe:fd:48:0e:b3:4b  
          inet addr:72.14.179.123  Bcast:72.14.179.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:48ff:fe0e:b34b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:279707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68914 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:37406169 (35.6 MB)  TX bytes:44425519 (42.3 MB)

eth1      Link encap:Ethernet  HWaddr fe:fe:c0:a8:87:97  
          inet addr:192.168.135.123  Bcast:192.168.255.255  Mask:255.255.128.0
          inet6 addr: fe80::fcfe:c0ff:fea8:8797/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18727 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1736287 (1.6 MB)  TX bytes:3898 (3.8 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:656956 (641.5 KB)  TX bytes:656956 (641.5 KB)

I have edited my.cnf to include the bind address of: 192.168.135.123.

Any help or pointers would be much appreciated.
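Added example (not part of the thread): the nmap output above already contains the answer, because "closed" and "filtered" mean different things. A "filtered" port is one where the probe never got an answer (the firewall dropped it); a "closed" port means the packet passed the firewall and the kernel replied with a RST because nothing was listening on that address. The script below evaluates the OP's INPUT chain the way iptables does (first match wins, stateful rules never match a fresh SYN) and pairs the verdict with the nmap state. The nmap text and the filter rules are copied from the post; the probe source address 192.168.135.50 and the interface eth1 are assumptions.

```python
"""Pair an nmap port state with a first-match walk of the host's INPUT chain.

Added example, not code from the thread. It encodes the reasoning the
replies converge on: a port that nmap reports "closed" while the firewall
ACCEPTs it means the daemon is not listening on that address.
"""
import re
import shlex

# Constructed sample input: the OP's nmap output and filter chain as posted.
NMAP_OUTPUT = """\
Not shown: 1711 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
3306/tcp closed mysql
"""

IPTABLES_SAVE = """\
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -j LOG_DROP
COMMIT
"""


def parse_nmap(text):
    """Return (states, default): states maps (port, proto) -> state; default is
    the state nmap folded into its 'Not shown: N <state> ports' line."""
    states = {}
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", text, re.M):
        states[(int(m.group(1)), m.group(2))] = m.group(3)
    m = re.search(r"Not shown: \d+ (\w+) ports", text)
    return states, (m.group(1) if m else "filtered")


def _parse_rule(tokens):
    """Pick out the handful of match options this example understands."""
    rule = {"proto": None, "dport": None, "iface": None, "src": None,
            "target": None, "stateful": False}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-p":
            rule["proto"] = val.lower()
        elif tok in ("--dport", "--destination-port"):
            rule["dport"] = int(val)
        elif tok == "-i":
            rule["iface"] = val
        elif tok == "-s":
            rule["src"] = val
        elif tok == "-j":
            rule["target"] = val
        elif tok == "--state":
            rule["stateful"] = True      # RELATED,ESTABLISHED: never matches a new SYN
        i += 2                           # every option used here takes one argument
    return rule


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain of the *filter table."""
    policy, rules, in_filter = None, [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(_parse_rule(shlex.split(line)[2:]))
    return policy, rules


def firewall_verdict(policy, rules, port, proto, iface, src):
    """First-match evaluation of a fresh SYN to port/proto arriving on iface from src."""
    for r in rules:
        if r["stateful"]:
            continue
        if r["proto"] not in (None, proto) or r["dport"] not in (None, port):
            continue
        if r["iface"] not in (None, iface) or r["src"] not in (None, src):
            continue
        return r["target"]
    return policy


def diagnose(port, proto, nmap_text, iptables_text, iface="eth1", src="192.168.135.50"):
    """Return (code, firewall_target, explanation) for one port."""
    states, default = parse_nmap(nmap_text)
    policy, rules = parse_input_chain(iptables_text)
    state = states.get((port, proto), default)
    target = firewall_verdict(policy, rules, port, proto, iface, src)
    accepted = target == "ACCEPT"
    if state == "open":
        return "open", target, "firewall accepts and a listener answered"
    if state == "closed" and accepted:
        return "listener-missing", target, "firewall accepts; nothing listens on this address (check bind-address)"
    if state == "filtered" and not accepted:
        return "firewall-drop", target, f"probe dropped by the firewall (target {target})"
    return "inconsistent", target, f"nmap says {state} but the chain gives {target}"


if __name__ == "__main__":
    for port in (80, 443, 3306, 22):
        print(port, *diagnose(port, "tcp", NMAP_OUTPUT, IPTABLES_SAVE))
```

For 3306 the result is "listener-missing": the ACCEPT rule at line five of the chain admits the packet, so the firewall is not what needs fixing; the bind-address is. A port such as 22, which nmap folded into "Not shown", falls through to the `-j LOG_DROP` catch-all and is reported as "firewall-drop".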

8 Replies

I assume you restarted MySQL after you bound it to the IP, right?

And that you removed the option for skip-local-networking? Or skip-networking? I can't remember the exact one.

The more recent MySQL releases use:

bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.

@Xan:

The more recent MySQL releases use:

bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.

That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.

So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.

It'll still be accessible via the Unix socket, so the command-line client will still work fine.

As previously mentioned, your best bet is to comment out the bind-address option and just firewall to only allow inbound connections to 3306 from the IP address of your other server.

Also make sure any SQL accounts with the host of '%' are password protected.

@hybinet:

@Xan:

The more recent MySQL releases use:

bind-address=127.0.0.1

in the config file by default. Change this from the local IP to the one you'd like to use.

That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.

So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.

Right now I have

bind-address=127.0.0.1 192.168.135.123

I thought you could bind multiple addresses. I'll try removing it to see if that would work.

OK guys…

I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:

-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT

Thanks for the suggestions guys!

@nateleavitt:

OK guys…

I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:

-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT

Thanks for the suggestions guys!

Glad you got it working; however, just because you have restricted traffic to the internal network within the data center does not mean you are safe. I would still suggest limiting your firewall down to the specific IP address of your other server.

For example:

-A INPUT -p TCP -s xx.xx.xx.xx --destination-port 3306 -j ACCEPT
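Added example (not code from the thread) covering the two fixes the replies settle on: a single-valued or absent bind-address in my.cnf, and an INPUT rule for 3306 that is restricted to the peer's address rather than the whole private interface. The private subnet is taken from the posted ifconfig (192.168.135.123 with netmask 255.255.128.0); the peer address 192.168.140.7 is a constructed placeholder for the `xx.xx.xx.xx` above. The bind-address check treats anything that is not exactly one IP as invalid, which matches the behaviour described in the replies (MySQL 8.0.13 and later do accept a comma-separated list, which this check would also flag). The third function guards against a mistake the posted script makes easy: an ACCEPT appended after the `-A INPUT -j LOG_DROP` catch-all is never reached.

```python
"""Validate a my.cnf bind-address and build a peer-restricted rule for 3306.

Added example, not from the thread. Subnet values come from the OP's
ifconfig; the peer address is a constructed placeholder.
"""
import configparser
import ipaddress

PRIVATE_IFACE = "eth1"
# eth1: inet addr 192.168.135.123, Mask 255.255.128.0 (from the posted ifconfig)
PRIVATE_NET = ipaddress.ip_network("192.168.135.123/255.255.128.0", strict=False)
PEER_IP = "192.168.140.7"  # constructed: the other server's private address

# Constructed my.cnf fragments: the two-address attempt from the thread, a
# valid single address, and the commented-out form the replies recommend.
MYCNF_TWO_ADDRESSES = "[mysqld]\nbind-address=127.0.0.1 192.168.135.123\n"
MYCNF_SINGLE = "[mysqld]\nbind-address=192.168.135.123\n"
MYCNF_COMMENTED = "[mysqld]\n#bind-address=127.0.0.1\nskip-external-locking\n"

# The interface-only rule from the thread, kept here for comparison only.
WEAK_RULE = "-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT"
CATCHALL = "-A INPUT -j LOG_DROP"


def check_bind_address(cnf_text):
    """Classify the [mysqld] bind-address directive.

    Returns 'all' when the directive is absent or commented out (mysqld then
    listens on every interface, so the firewall must do the restricting),
    'single:<ip>' for one valid address, or 'invalid:<value>' otherwise.
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cnf_text)
    value = cp.get("mysqld", "bind-address", fallback=None)
    if value is None:
        return "all"
    try:
        return f"single:{ipaddress.ip_address(value.strip())}"
    except ValueError:
        return f"invalid:{value.strip()}"


def mysql_accept_rule(peer_ip, iface=PRIVATE_IFACE, net=PRIVATE_NET):
    """Return an iptables rule admitting 3306 only from peer_ip on iface.

    Raises ValueError if peer_ip is not a host address inside the private
    subnet: a rule for an address outside it would be admitting traffic the
    private interface should never carry.
    """
    addr = ipaddress.ip_address(peer_ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{peer_ip} is not a host address in {net}")
    return f"-A INPUT -i {iface} -s {addr}/32 -p tcp -m tcp --dport 3306 -j ACCEPT"


def rule_is_reachable(chain_lines, rule, catchall=CATCHALL):
    """True if `rule` sits before the catch-all in the INPUT chain.

    iptables stops at the first match, so an ACCEPT placed after
    '-A INPUT -j LOG_DROP' is dead and the port stays filtered.
    """
    lines = [line.strip() for line in chain_lines]
    if rule not in lines:
        return False
    if catchall not in lines:
        return True
    return lines.index(rule) < lines.index(catchall)


if __name__ == "__main__":
    for label, text in (("two addresses", MYCNF_TWO_ADDRESSES),
                        ("single", MYCNF_SINGLE), ("commented", MYCNF_COMMENTED)):
        print(f"{label:13} -> {check_bind_address(text)}")
    hardened = mysql_accept_rule(PEER_IP)
    print("weak:    ", WEAK_RULE)
    print("hardened:", hardened)
    chain = ["-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT", hardened, CATCHALL]
    print("reachable:", rule_is_reachable(chain, hardened))
```

The hardened rule keeps the `-i eth1` match from the thread and adds `-s <peer>/32`, so a compromised neighbour on the same private network no longer gets a TCP handshake with mysqld; the account-level advice above (no unprotected `'%'` hosts) still applies because the daemon itself is bound to all interfaces.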
