I am trying to secure my MariaDB Galera servers. They are set up and configured to use SSL.
wsrep_on = ON
wsrep_provider = /usr/lib/galera/libgalera_smm.so
wsrep_cluster_name = "db-cluster"
wsrep_cluster_address = gcomm://192.168.0.11,192.168.0.12,192.168.0.13
binlog_format = row
default_storage_engine = InnoDB
innodb_autoinc_lock_mode = 2
innodb_doublewrite = 1
wsrep_sst_method = rsync
wsrep_replicate_myisam = ON
wsrep_node_address = "192.168.0.11"
wsrep_node_name = "db1"
wsrep_provider_options = "socket.ssl_cert=/etc/mysql/ssl/db.crt;socket.ssl_key=/etc/mysql/ssl/db.key;socket.ssl_ca=/etc/mysql/ssl/ca.crt"
# Allow server to accept connections on all interfaces.
bind-address = 0.0.0.0
# Optional settings
#wsrep_slave_threads = 1
#innodb_flush_log_at_trx_commit = 0
[sst]
ssl-ca = /etc/mysql/ssl/ca.crt
ssl-cert = /etc/mysql/ssl/db.crt
ssl-key = /etc/mysql/ssl/db.key
encrypt=4
I've been testing some firewall rules; currently testing is only taking place on DB1, and DB2 and DB3 are still accepting all connections.
I have the following iptables rules configured:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [629:249784]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# MariaDB Galera Traffic db1 -> db2
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 9999 -j ACCEPT
# MariaDB Galera Traffic db1 -> db3
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 9999 -j ACCEPT
# Load Balancer Traffic
-A INPUT -s 192.168.0.10 -d 192.168.0.11 -p tcp -m tcp --dport 3306 -j ACCEPT
#Accept Local Traffic
-A INPUT -d 192.168.0.11 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
COMMIT
When I put these in place, and attempt to start that node back up it fails with the following:
[Note] WSREP: Prepared SST request: rsync|192.168.0.11:4444/rsync_sst
[Note] WSREP: IST receiver addr using ssl://192.168.0.11:4568
[Note] WSREP: IST receiver using ssl
[Note] WSREP: Prepared IST receiver for 70-71, listening at: ssl://192.168.0.11:4568
[Note] WSREP: Member 0.0 (mosaic-db1) requested state transfer from '*any*'. Selected 1.0 (mosaic-db3)(SYNCED) as donor.
[Note] WSREP: Shifting PRIMARY -> JOINER (TO: 71)
[Note] WSREP: Requesting state transfer: success, donor: 1
[Note] WSREP: (81d43164-853c, 'ssl://0.0.0.0:4567') turning message relay requesting off
[Warning] WSREP: 1.0 (db3): State transfer to 0.0 (db1) failed: -110 (Connection timed out)
[ERROR] WSREP: /home/buildbot/buildbot/build/gcs/src/gcs_group.cpp:gcs_group_handle_join_msg():1170: Will never receive state. Need to abort.
[Note] WSREP: gcomm: terminating thread
[Note] WSREP: gcomm: joining thread
[Note] WSREP: gcomm: closing backend
Any suggestions as to what I'm missing?
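As an added example (not part of the post, and not MariaDB or Galera code), here is a small Python linter for an iptables-save ruleset on a Galera node. It embeds DB1's rules from the question (without the 9999/tcp lines), assumes the node's own address is 192.168.0.11 with peers 192.168.0.12 and 192.168.0.13, and assumes the peer-to-node traffic that must be admitted is the documented Galera port set (3306/tcp, 4444/tcp for rsync SST, 4567/tcp+udp for group communication, 4568/tcp for IST; the log above shows the joiner listening on 4444 and 4568 for the donor to connect to). It reports INPUT rules whose `-d` names a different host (such rules cannot match packets arriving at this host), the peer/protocol/port combinations no rule admits as a new connection, the INPUT chain policy (under a default ACCEPT policy the allow rules restrict nothing; under DROP the gaps matter), and generates the peer-to-node ACCEPT rules that would cover the required ports.

```python
# Added example (not from the post): lint an iptables-save ruleset for a Galera node.
# Assumes the node's own address and its peers are known, and that the peer->node
# traffic Galera needs is the documented port set below.
import re

# (protocol, port): client, rsync SST, group communication (tcp+udp), IST
GALERA_PORTS = [("tcp", 3306), ("tcp", 4444), ("tcp", 4567), ("udp", 4567), ("tcp", 4568)]

# DB1's rules from the post (9999/tcp lines left out), embedded so this runs offline.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.10 -d 192.168.0.11 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -d 192.168.0.11 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
COMMIT
"""

# iptables-save options we evaluate; "-m tcp" and similar match loaders are skipped.
_KEYS = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
         "-i": "in_iface", "-j": "target", "--state": "state", "--ctstate": "state"}


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^:(\S+)\s+(\S+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            tokens = line.split()
            if "!" in tokens:
                raise ValueError("negated matches are not supported: " + line)
            rule = dict.fromkeys(_KEYS.values(), None)
            rule["raw"] = line
            for i, tok in enumerate(tokens):
                if tok in _KEYS:
                    rule[_KEYS[tok]] = tokens[i + 1]
            rules.append(rule)
    return policies, rules


def _host(addr):
    """Drop a /32 suffix so 127.0.0.1/32 compares equal to 127.0.0.1."""
    if addr is None:
        return None
    host, _, mask = addr.partition("/")
    return host if mask in ("", "32") else addr


def accepts_new(rule, peer, local, proto, port):
    """True if this INPUT rule ACCEPTs the first packet of peer -> local:proto/port."""
    if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT" or rule["in_iface"] == "lo":
        return False
    if rule["state"] is not None and "NEW" not in rule["state"].split(","):
        return False  # RELATED,ESTABLISHED only: does not admit a new connection
    lo, _, hi = (rule["dport"] or str(port)).partition(":")
    return (_host(rule["src"]) in (None, peer) and _host(rule["dst"]) in (None, local)
            and rule["proto"] in (None, proto) and int(lo) <= port <= int(hi or lo))


def unmatchable_input_rules(rules, local_addrs):
    """INPUT rules whose -d is not one of this host's addresses: they can never match."""
    return [r["raw"] for r in rules if r["chain"] == "INPUT"
            and r["dst"] is not None and _host(r["dst"]) not in local_addrs]


def missing_peer_rules(rules, local, peers, ports=GALERA_PORTS):
    """(peer, proto, port) combinations that no rule admits as a new connection."""
    return [(peer, proto, port) for peer in peers for proto, port in ports
            if not any(accepts_new(r, peer, local, proto, port) for r in rules)]


def suggested_rules(local, peers, ports=GALERA_PORTS):
    """Peer -> this node ACCEPT rules, one per required protocol/port."""
    return [f"-A INPUT -s {peer} -d {local} -p {proto} -m {proto} --dport {port} -j ACCEPT"
            for peer in peers for proto, port in ports]


if __name__ == "__main__":
    local, peers = "192.168.0.11", ["192.168.0.12", "192.168.0.13"]
    policies, rules = parse_ruleset(SAMPLE_RULES)
    print("INPUT policy:", policies["INPUT"])  # ACCEPT: the allow rules restrict nothing yet
    for raw in unmatchable_input_rules(rules, {local, "127.0.0.1"}):
        print("never matches on this host:", raw)
    for peer, proto, port in missing_peer_rules(rules, local, peers):
        print(f"no rule admits new {proto}/{port} connections from {peer}")
    print("\n".join(suggested_rules(local, peers)))
```

Run it against the live ruleset with `iptables-save | python3 lint_galera_fw.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`; the rule generator deliberately keeps `-d` set to the node's own address so a rule file copied to DB2 or DB3 cannot silently admit nothing, and the checker should be rerun on each node with its own address as `local`.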