Hi,

I am running a mysql and http server. Now I would like to block all connections to mysql (tcp 3306). (Only connections from localhost to localhost are allowed). The http-port (tcp 80) should be reachable by everybody. So I made the following:

#empty ip-table
iptables --flush
#accept everything from localhost to localhost
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
#block mysql (tcp 3306)
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

Well, connections from outside are blocked, BUT:
1) nmap says tcp/3306 (mysql) filtered
2) in my xconsole (and tty10) the following warning appears:
<date> <time> <my-pc> mysqld-max[1156]: warning: can't get client address: Connection reset by peer

Now I would like to know, why does nmap know that the port is filtered? And why does mysql notice that there was a connection request, although it was blocked?

Thx Markus
If you replace that 'REJECT' with 'DROP' then it should take care of your problems ... Reject will politely notify anybody connecting to that particular port that they're not allowed to do so ... DROP will do exactly what it says, just drop anything matching the rule. -Claus
Hi,
I am running a mysql and http server. Now I would like to block all connections to mysql (tcp 3306). (Only connections from localhost to localhost are allowed). The http-port (tcp 80) should be reachable by everybody. So I made the following:
#empty ip-table
iptables --flush
#accept everything from localhost to localhost
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
#block mysql (tcp 3306)
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
Better "DROP" here!
Well, connections from outside are blocked, BUT:
1) nmap says tcp/3306 (mysql) filtered
2) in my xconsole (and tty10) the following warning appears:
<date> <time> <my-pc> mysqld-max[1156]: warning: can't get client address: Connection reset by peer
Now I would like to know, why does nmap know that the port is filtered? And why does mysql notice that there was a connection request, although it was blocked?
Thx Markus
Here is a script taken partly from SuSEfirewall2. You have problems because you REJECT and not DROP the connections. For better readability, IPTABLES, DROP and ACCEPT are kept in variables. You can run this at bootup with a symlink in /etc/init.d/ to this script and an entry in the runlevel.

firewallscript:

#!/bin/bash
DROP="DROP"
ACCEPT="ACCEPT"
IPTABLES="/usr/sbin/iptables"

function set_basic_rules() {
    # Unload the old ipfwadm/ipchains modules and load the netfilter ones
    # (errors are ignored, the modules may be missing or built in).
    {
        rmmod ipfwadm; rmmod ipchains
        modprobe ip_tables; modprobe ip_conntrack; modprobe ip_conntrack_ftp
        modprobe ip_nat_ftp
    } > /dev/null 2>&1
    # Flush the built-in chains and set the default policies:
    # everything incoming or forwarded is dropped unless a rule accepts it.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD 2> /dev/null
    $IPTABLES -P INPUT "$DROP"
    $IPTABLES -P OUTPUT "$ACCEPT"
    $IPTABLES -P FORWARD "$DROP" 2> /dev/null
    # Remove all remaining rules and user-defined chains in every table.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -F
    $IPTABLES -t mangle -X
    # Special REJECT function
    #
    # A user-defined chain for the cases where you do want to answer instead
    # of silently dropping: jump to it with "-j reject_func".
    $IPTABLES -N reject_func
    $IPTABLES -A reject_func -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A reject_func -j REJECT --reject-with icmp-proto-unreachable
}

# Reset the tables and set the policies before adding the rules below
# (the function is defined above but was never called in the posted script).
set_basic_rules

# 1. allow anything on localhost interface
$IPTABLES -A INPUT -j "$ACCEPT" -i lo
# 2. allow anything which is established or related
$IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED,RELATED
# 3. allow dhcp replies from servers
$IPTABLES -A INPUT -j "$ACCEPT" -p udp --sport 67 -d 255.255.255.255/32 --dport 68
# 4. allow echo requests
$IPTABLES -A INPUT -j "$ACCEPT" -p icmp --icmp-type echo-request
# Drop all mySQL packets to external Interface.
$IPTABLES -A INPUT -j "$DROP" -p tcp -i eth0 --dport 3306
# Enter your other lines here ...
# Have fun!
# End

Philippe
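Both replies come down to the same point: a REJECT answers the probe (by default with an ICMP port-unreachable for TCP, or with a TCP reset if `--reject-with tcp-reset` is given), while a DROP answers nothing, so the probing side has to time out. The probe below, an added example that is not part of the thread and not from SuSEfirewall2, is the userland view of exactly that difference: a plain TCP connect, the check that nmap's connect scan (-sT) performs. It is meant for verifying a ruleset like Philippe's from a second host after loading it (the external address and the port list are assumptions; port 3306 in the expectations is Markus's case). One caveat the code comments repeat: from userland, Linux reports an ICMP port-unreachable as "connection refused", just like a real RST, so a connect probe cannot tell the two apart. nmap's raw SYN scan (its default when run as root) can, and it reports ICMP unreachables as "filtered" and only an RST as "closed"; a DROP is "filtered" in both scan types because nothing ever comes back.

```python
"""Minimal TCP connect probe: the check a connect scan performs, per port."""
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Return the state a connect probe can determine for host:port.

    "open"     - the three-way handshake completed, a service is listening.
    "closed"   - the connect attempt was refused. This is what a TCP RST
                 produces (nothing listening, or REJECT --reject-with
                 tcp-reset), but on Linux an ICMP port-unreachable (the
                 default REJECT for TCP) is reported the same way, so a
                 connect probe cannot distinguish the two.
    "filtered" - no answer before the timeout (a DROP rule), or an ICMP
                 host/network unreachable, which connect() reports as
                 EHOSTUNREACH/ENETUNREACH.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except socket.timeout:  # some versions raise instead of returning EAGAIN
        rc = errno.EAGAIN
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # EAGAIN/EWOULDBLOCK/ETIMEDOUT (silent DROP) and EHOSTUNREACH/ENETUNREACH
    # (ICMP unreachable) all mean the handshake never completed.
    return "filtered"


def audit(host, expectations, timeout=2.0):
    """Compare observed port states with what the ruleset should produce.

    expectations maps port -> expected state. Returns {port: (expected,
    observed)} for every port that differs, so an empty dict means the
    firewall behaves as intended for the probed ports.
    """
    mismatches = {}
    for port, expected in expectations.items():
        observed = probe_tcp(host, port, timeout)
        if observed != expected:
            mismatches[port] = (expected, observed)
    return mismatches


def listener_on_loopback():
    """Throwaway listening socket on an ephemeral loopback port, so the probe
    can be tried offline. Returns (socket, port); closing the socket turns
    the port from "open" into "closed" (the kernel answers with an RST)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration of the "open" and "closed" verdicts on loopback.
    srv, port = listener_on_loopback()
    print(port, probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))   # closed

    # Intended end state of Markus's server, probed from a second host.
    # 192.0.2.10 is a placeholder (documentation address), not a real target.
    # With the mysql rule as DROP, 3306 must come back "filtered"; with the
    # default REJECT it would come back "closed" from a connect probe.
    print(audit("192.0.2.10", {80: "open", 3306: "filtered"}))
```

Run it from a machine other than the server: an empty dict from `audit` means the http port answers and the mysql port silently drops, which is the state the thread is aiming for. From the server itself over loopback, 3306 should still probe as "open", because Philippe's rule 1 accepts everything on `lo`.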
participants (3)
- Claus Lund
- Markus
- Philippe Vogel