[sf-lug] MySQL client firewall - iptables

Tom Haddon tom at greenleaftech.net
Sat Aug 30 14:01:53 PDT 2008


Hi Folks,

I've set up a set of iptables rules for a server that needs to connect to
a remote MySQL server. Here's my (basic to start with) iptables rules
file:

----------------------------------------------------------

#!/bin/bash

# Flush all current rules from iptables
iptables -F

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

###########################
# Allow incoming services:
# - ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# - DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# - http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# - https
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# - cpanel
iptables -A INPUT -p tcp --dport 2083 -j ACCEPT
# - nagios-nrpe
iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
# - MySQL
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# End incoming services
###########################

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save settings
/sbin/service iptables save

# List rules
iptables -L -v

----------------------------------------------------------

For some reason, I'm not able to make an outgoing MySQL client
connection to the remote server. If I disable it with "service iptables
stop" then I can make the connection fine, but with this iptables setup,
things fail :(

I've tried adding:

iptables -A OUTPUT -p tcp -s <destination_ip_address> --sport 1024:65535 \
    -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d <destination_ip_address> \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

and re-running the script, but it still won't connect. I'm connecting as follows:

mysql -u <username> -p<password> -h <destination_ip_address> <mysql_db_name>

Any ideas what I'm missing?

Thanks, Tom
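To see how the posted rules treat each packet of an outbound MySQL session, here is an added Python model of first-match chain evaluation with the default policies from the script. It is not Tom's script or anything from the thread; it assumes the standard Linux conntrack behaviour that the reply to an accepted outbound SYN is classified ESTABLISHED, and the client port 40000 is a constructed value.

```python
# Toy model of netfilter evaluation for the ruleset posted above: the first
# matching rule in a chain wins, otherwise the chain's default policy applies.
# Constructed example; it never talks to iptables or conntrack.

# Rules in the posted order: (chain, protocol, destination port, conntrack states).
# A None field matches anything. All of these rules have target ACCEPT.
RULES = [
    ("INPUT", "tcp", 22, None), ("INPUT", "tcp", 53, None), ("INPUT", "udp", 53, None),
    ("INPUT", "tcp", 80, None), ("INPUT", "tcp", 443, None), ("INPUT", "tcp", 2083, None),
    ("INPUT", "tcp", 5666, None), ("INPUT", "tcp", 3306, None),
    ("INPUT", None, None, {"ESTABLISHED", "RELATED"}),
]
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def verdict(chain, proto, dport, state):
    """Return (target, rule_index); rule_index is None when the policy decided."""
    for idx, (rchain, rproto, rport, rstates) in enumerate(RULES):
        if rchain != chain:
            continue
        if rproto is not None and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if rstates is not None and state not in rstates:
            continue
        return "ACCEPT", idx
    return POLICY[chain], None

def trace_client_connection(server_port, client_port=40000):
    """Walk the packets of a locally initiated TCP session (e.g. mysql -h <server>)
    through the chains they traverse, with the state conntrack would assign."""
    steps = [
        ("SYN out",        "OUTPUT", server_port, "NEW"),
        ("SYN/ACK in",     "INPUT",  client_port, "ESTABLISHED"),
        ("ACK + query out", "OUTPUT", server_port, "ESTABLISHED"),
        ("reply in",       "INPUT",  client_port, "ESTABLISHED"),
    ]
    return [(name, chain, *verdict(chain, "tcp", dport, state))
            for name, chain, dport, state in steps]

def connection_allowed(server_port):
    """True when every packet of the client session is accepted by the filter."""
    return all(target == "ACCEPT" for _, _, target, _ in trace_client_connection(server_port))

if __name__ == "__main__":
    for name, chain, target, idx in trace_client_connection(3306):
        where = "policy" if idx is None else f"rule #{idx}"
        print(f"{name:16s} {chain:7s} -> {target} ({where})")
```

Under this model every packet of the port-3306 client session is accepted (the replies via the ESTABLISHED,RELATED rule), while an unsolicited inbound SYN to a port that is not listed falls through to the INPUT DROP policy.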