
Introduction

On my database server (CentOS 7) I want to allow access to port 3306 (MySQL) from specific web front-ends (10.10.40.6 and 10.10.40.7 in my example). On top of that I want to allow access to port 22 (SSH) from all hosts. I'm managing my configuration through editing the XML zone files in /etc/firewalld/zones/, so I can easily distribute them to different systems.

Configuration

This is my zone configuration:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DB Host</short>
  <description>Communication to SSH and MySQL.</description>
  <interface name="eth0"/>
  <rule family="ipv4">
    <port port="22" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.10.40.6,10.10.40.7"/>
    <port port="3306" protocol="tcp"/>
    <accept/>
  </rule>
</zone>

Problem

When I portscan the machine from one of my web front-ends I can see that port 3306 is open, but port 22 remains closed:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-05 16:21 CEST
Nmap scan report for 10.10.40.5
Host is up (0.00026s latency).
PORT     STATE    SERVICE
22/tcp   filtered ssh
3306/tcp open     mysql

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Question

What would be the proper configuration here?

Please mind that I want to restrict port 3306 to specific hosts, while keeping port 22 open for all hosts.
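As an added example (not part of the question or of any answer on this page), here is the same intent written the way firewalld's zone schema expresses it: an unrestricted port belongs at zone level, where it applies to every source that lands in the zone, while a rich rule's source element takes a single address or address/mask rather than a comma-separated list, so each front-end gets its own rule. The file name dbhost.xml is an assumption; the zone name is derived from it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example zone file, not the question's own configuration.
     Assumed location: /etc/firewalld/zones/dbhost.xml
     Activate with: firewall-cmd --reload
     Verify with:   firewall-cmd --zone=dbhost --list-all -->
<zone>
  <short>DB Host</short>
  <description>SSH from anywhere, MySQL only from the web front-ends.</description>
  <interface name="eth0"/>

  <!-- Zone-level port entries are not tied to a source, so this is
       where "port 22 from all hosts" belongs. Everything not listed
       falls through to the zone's default target and is rejected. -->
  <port port="22" protocol="tcp"/>

  <!-- A rich rule's <source> holds one address or CIDR. Two front-ends
       therefore mean two rules; a larger set would use an ipset. -->
  <rule family="ipv4">
    <source address="10.10.40.6"/>
    <port port="3306" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.10.40.7"/>
    <port port="3306" protocol="tcp"/>
    <accept/>
  </rule>
</zone>
```

After the reload, `firewall-cmd --zone=dbhost --list-all` should show port 22/tcp under "ports" and the two 3306 rules under "rich rules"; if the file had failed to parse, firewalld logs the error at reload time and the zone does not appear at all.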

1 Answer


you can use something like this:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 3306 -s 192.168.1.22 -j ACCEPT
c4f4t0r