On CentOS 5.4, with iptables stopped, I can do it. What's the line I need to add to iptables so I can keep it on and have remote (domain) access to the MySQL databases?

My current table:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Answer from Steven Monai:

Try this:

iptables -A INPUT -p tcp --destination-port 3306 -j ACCEPT

Comments:

bindbn: For a specific IP address:

iptables -A INPUT -p tcp --dport 3306 -s IP_ADDRESS -j ACCEPT

Detritus Maximus: @bindbn: it didn't work. I added my iptables to my original post if it helps. Hmmm, when I enter your command at the prompt and then look at the table, it does not appear to be adding/changing anything???

MadHatter: The file you have included is /etc/sysconfig/iptables, which configures the firewall at boot (strictly, at iptables service start) time. It does not change as you add or delete rules from the running firewall. "iptables -L -n -v" will tell you the state of the current, running firewall.
Answer from Iain:

Try

iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

This article also gives information on how to further restrict access to the mysql port.
Answer from mark:

Depending on how your firewall is set up currently, you will optionally need the outgoing one, and you also may need to fiddle with the order of the rules so that these come before any blanket REJECT or DROP rules you might already have.

# for incoming
iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
# for outgoing (-o names the output interface; -i is not accepted in the OUTPUT chain)
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Comments:

Detritus Maximus: @mark: I edited my original post after seeing your answer. Does that change your response?
Answer from MadHatter:

Just using "-A" adds the rule to the end of the chain, and as mark suggested, this will put the mysql ACCEPT after the blanket REJECT; no packet will ever get to it.

You can either edit the /etc/sysconfig/iptables file to add the line

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

immediately after the line

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

and then restart the iptables service, or you could manually do it with

iptables -I RH-Firewall-1-INPUT 11 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

which will put it in the same place, but needs to be done after each reboot.

Comments:

Detritus Maximus: You rock! It worked. I was a bit nervous when you said "but need to be done after each reboot," but I guessed you meant restart. Anyway, it worked after manual edit and service iptables restart. Thanks.

Iain: To avoid having to add the rule after each reboot do `sudo service iptables save`.
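The two points the accepted answer makes, that the rule has to sit in the RH-Firewall-1-INPUT chain and before its final REJECT, and that the saved file is what survives a reboot, can be scripted against the file itself. The following is an added example, not code from the thread or from any of its authors. It edits a rules file in the /etc/sysconfig/iptables format shown in the question, places the MySQL ACCEPT directly before the chain's REJECT (any position before it works; this keeps the existing order untouched), and reports rule positions the way `iptables -L RH-Firewall-1-INPUT -n --line-numbers` would number them. It never touches the running firewall, so it is safe to try on a copy. The source subnet 10.0.1.0/24 is an assumption modelled on the Samba rules in the question; narrow it to the hosts that actually need the database rather than opening 3306 to everyone, which is what the thread's unqualified rules do.

```shell
#!/bin/sh
# Added example, not code from the thread above. Edits a saved rules file in
# the /etc/sysconfig/iptables format shown in the question so the MySQL
# ACCEPT lands before the chain's blanket REJECT, and reports rule positions
# the way `iptables -L RH-Firewall-1-INPUT -n --line-numbers` numbers them.
# The source subnet is an assumption: change it to your application hosts.

CHAIN="RH-Firewall-1-INPUT"

# Write a constructed copy of the question's chain to $1 (for trying this out).
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the 1-based position within $CHAIN of the first rule matching the
# awk regex $2 in rules file $1, or 0 if none. This is the number you would
# pass to `iptables -I $CHAIN N ...` to insert in front of that rule.
chain_rule_position() {
    awk -v chain="$CHAIN" -v pat="$2" '
        index($0, "-A " chain " ") == 1 { n++; if ($0 ~ pat) { print n; found = 1; exit } }
        END { if (!found) print 0 }
    ' "$1"
}

# Insert the MySQL ACCEPT for source subnet $2 into rules file $1, directly
# before the chain's REJECT. Idempotent: a second call changes nothing.
insert_mysql_rule() {
    rules_file="$1"
    src_cidr="${2:-10.0.1.0/24}"   # assumed application-server subnet
    new_rule="-A $CHAIN -s $src_cidr -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT"
    if grep -qF -- "$new_rule" "$rules_file"; then
        return 0   # already present
    fi
    if [ "$(chain_rule_position "$rules_file" '-j REJECT')" = "0" ]; then
        echo "no REJECT rule in $CHAIN; refusing to guess a position" >&2
        return 1
    fi
    tmp="$rules_file.tmp.$$"
    awk -v chain="$CHAIN" -v rule="$new_rule" '
        !done && index($0, "-A " chain " ") == 1 && /-j REJECT/ { print rule; done = 1 }
        { print }
    ' "$rules_file" > "$tmp" && mv "$tmp" "$rules_file"
}

# Stand-alone demo: build the sample file, add the rule, show the positions.
# On a real box, follow with `service iptables restart` and then
# `iptables -L RH-Firewall-1-INPUT -n --line-numbers` to confirm the order.
if [ "${1:-}" = "demo" ]; then
    f="${TMPDIR:-/tmp}/iptables-example.$$"
    make_sample_rules "$f"
    insert_mysql_rule "$f" 10.0.1.0/24
    echo "mysql rule at position $(chain_rule_position "$f" '--dport 3306 ')"
    echo "REJECT rule at position $(chain_rule_position "$f" '-j REJECT')"
    rm -f "$f"
fi
```

Run it as `sh script.sh demo`. On the question's chain the port 80 rule is number 10, which is why the accepted answer inserts at 11; this script instead reports the new rule at 16 with the REJECT pushed to 17, which is equally valid because the only requirement is that the ACCEPT be evaluated before the REJECT. Because the script edits the saved file rather than the live tables, the change takes effect on the next `service iptables restart` and, unlike a bare `iptables -I`, survives reboots without a separate `service iptables save`.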