[SOLVED] local ip and iptables - open mysql
Here is my nmap scan at my local address:
Not shown: 1711 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
3306/tcp closed mysql
Here is my iptable script:
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
# Drop malformed TCP flag combinations (XMAS, NULL, SYN+RST, SYN+FIN scans).
# The posted dump listed these same four rules four times over, which is what
# happens when an append-only script is run repeatedly; one copy is enough.
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accepts 3306 from any interface and any source, the public eth0 included.
# This is why nmap reports the port as "closed" (the host answered with RST)
# rather than "filtered": the firewall already passes the probe; nothing is listening.
-A INPUT -p tcp --dport 3306 -j ACCEPT
# Matches a spoofable source address; "-i lo" is the usual way to allow loopback traffic.
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
COMMIT
And here is my ifconfig (I changed the local and public addresses to end with 123):
eth0 Link encap:Ethernet HWaddr fe:fd:48:0e:b3:4b
inet addr:72.14.179.123 Bcast:72.14.179.255 Mask:255.255.255.0
inet6 addr: fe80::fcfd:48ff:fe0e:b34b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:279707 errors:0 dropped:0 overruns:0 frame:0
TX packets:68914 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37406169 (35.6 MB) TX bytes:44425519 (42.3 MB)
eth1 Link encap:Ethernet HWaddr fe:fe:c0:a8:87:97
inet addr:192.168.135.123 Bcast:192.168.255.255 Mask:255.255.128.0
inet6 addr: fe80::fcfe:c0ff:fea8:8797/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18727 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1736287 (1.6 MB) TX bytes:3898 (3.8 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12188 errors:0 dropped:0 overruns:0 frame:0
TX packets:12188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656956 (641.5 KB) TX bytes:656956 (641.5 KB)
I have edited my.cnf to include the bind address of: 192.168.135.123.
Any help or pointers would be much appreciated.
8 Replies
And that you removed the option for skip-local-networking? Or skip-networking? I can't remember the exact one.
The more recent MySQL releases use:
bind-address=127.0.0.1
in the config file by default. Change this from the local IP to the one you'd like to use.
@Xan:
The more recent MySQL releases use:
bind-address=127.0.0.1
in the config file by default. Change this from the local IP to the one you'd like to use.
That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.
So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.
Also make sure any SQL accounts with the host of '%' are password-protected.
@hybinet:
@Xan:The more recent MySQL releases use:
bind-address=127.0.0.1
in the config file by default. Change this from the local IP to the one you'd like to use.
That will probably prevent MySQL from being accessible from localhost. In addition, I don't think it's currently possible to make MySQL bind to only two interfaces. (i.e. You can't have two "bind-address" directives.) MySQL binds either to only one interface or to all available interfaces.
So just comment out the whole "bind-address" line in my.cnf. That'll make MySQL bind to all interfaces. Then you can use your firewall to make port 3306 only accessible from your other server.
right now I have
bind-address=127.0.0.1 192.168.135.123
I thought you could bind multiple addresses. I'll try removing it to see if that would work.
Ok guys…
I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
Thanks for the suggestions guys!
@nateleavitt:
ok guys…
I removed the bind-address and it's now open! I just added the following rule to only open port 3306 for the local network interface:
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
Thanks for the suggestions guys!
Glad you got it working; however, just because you have restricted traffic to the internal network within the data center does not mean you are safe. I would still suggest limiting your firewall down to the specific IP address of your other server.
For example:
-A INPUT -p TCP -s xx.xx.xx.xx --destination-port 3306 -j ACCEPT
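The scan in the question already told the whole story: nmap reports 3306 as "closed", not "filtered", which means the probe reached the host and got a RST back. The filter table passed it (the `--dport 3306 -j ACCEPT` rule has neither `-i` nor `-s`, so it admits the public eth0 as well as eth1); what was missing was a listener, because `bind-address=127.0.0.1 192.168.135.123` is not a valid single address for the MySQL releases of the time (MySQL 8.0.13 and later accept a comma-separated list, but binding everything and filtering in iptables works on any version). The flip side is that once bind-address is removed, MySQL listens on every interface and the only thing between the internet and the database is that one rule, which is the point of the last reply. The script below is an added example for this thread, not the poster's script or any forum member's code: it parses an iptables-save dump, flags INPUT ACCEPT rules that open a port with no interface or source restriction, flags `-s 127.0.0.1` rules that are not tied to `-i lo`, counts duplicated rules, and rewrites the unrestricted 3306 rule into the interface-plus-peer form the final reply recommends. The sample dump is constructed from the rule set posted above (mangle table trimmed to one repeated rule), and the peer address 192.168.135.50 on eth1 is an assumption.

```python
"""Audit an iptables-save dump for INPUT rules that open a port too widely.

Added example for the thread above, not the poster's script or any forum
member's code. SAMPLE_DUMP is constructed from the posted rule set; the
interface and peer address used in harden() are assumptions.
"""
from collections import Counter

# Constructed sample: the filter INPUT rules from the question, plus one of
# the mangle rules that the posted dump repeated.
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
COMMIT
*filter
:INPUT DROP [1:242]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
COMMIT
"""


def parse_rules(dump):
    """Yield (table, chain, tokens) for every '-A' line in an iptables-save dump."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            parts = line.split()
            yield table, parts[1], parts[2:]


def option(tokens, *names):
    """Value following the first token that matches one of *names, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def audit(dump):
    """Return a list of findings; the first item of each tuple is its kind."""
    findings = []
    # Duplicate rules are harmless but usually mean an append-only script ran twice.
    counts = Counter((t, c, " ".join(toks)) for t, c, toks in parse_rules(dump))
    for (table, chain, rule), n in counts.items():
        if n > 1:
            findings.append(("duplicate", table, chain, rule, n))
    for table, chain, toks in parse_rules(dump):
        if table != "filter" or chain != "INPUT" or option(toks, "-j") != "ACCEPT":
            continue
        port = option(toks, "--dport", "--destination-port")
        iface = option(toks, "-i", "--in-interface")
        src = option(toks, "-s", "--source", "--src")
        # No interface and no source means every interface, the public one included.
        if port and iface is None and src is None:
            findings.append(("open_to_world", int(port)))
        # A 127.x source is only meaningful on lo; elsewhere it is a spoofable address.
        if src and src.split("/")[0].startswith("127.") and iface != "lo":
            findings.append(("loopback_src_without_lo", src))
    return findings


def open_to_world_ports(dump):
    """Sorted TCP ports that INPUT accepts from any interface and any source."""
    return sorted(f[1] for f in audit(dump) if f[0] == "open_to_world")


def restricted_rule(port, iface, peer):
    """Replacement for an open_to_world finding: one interface, one peer, one port."""
    return f"-A INPUT -i {iface} -s {peer}/32 -p tcp -m tcp --dport {port} -j ACCEPT"


def harden(dump, port, iface, peer):
    """Rewrite every unrestricted INPUT ACCEPT for `port` into a restricted rule."""
    out = []
    for raw in dump.splitlines():
        toks = raw.strip().split()
        if (raw.strip().startswith("-A INPUT ") and option(toks, "-j") == "ACCEPT"
                and option(toks, "--dport", "--destination-port") == str(port)
                and option(toks, "-i") is None and option(toks, "-s") is None):
            out.append(restricted_rule(port, iface, peer))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
    # Assumed: the other server is 192.168.135.50 on the private eth1 network.
    print(harden(SAMPLE_DUMP, 3306, "eth1", "192.168.135.50"))
```

Run it against `iptables-save` output instead of the sample to audit a live host; an "open_to_world" finding for 3306 on a box whose MySQL binds all addresses is exactly the exposure the last reply warns about, and the `harden()` output is the rule to load in its place.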