
I have two CentOS VMs. The IP address of VM_1 is 10.99.0.10 and of VM_2 is 10.99.0.12. Apache and PHP are on VM_1 and MySQL is on VM_2. Both have iptables rules. VM_2 is working fine with its rules. Now I am testing from VM_1.

First, I disabled VM_1 IPTables and connect to VM_2 MySQL (connected successfully).

[root@foster ~]# service IPTables  stop
IPTables : Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)

Next, I enabled VM_1 iptables and connected to VM_2 MySQL (it never responds, not even after hours).

[root@foster ~]# service IPTables  start
IPTables : Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

What is wrong with my iptables rules? My rules are on Pastebin.

trejder

1 Answer


The problem is in how you enable MySQL traffic:

# Allow MySQL private Networking
sudo iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

These rules have two issues:

  1. They allow outgoing MySQL traffic from VM_1 only if the connection was first initiated from VM_2 (10.99.0.12).
  2. They specify the port 3306 as the client's (VM_1) port rather than as the server's (VM_2) port.

A more suitable rule set would be as follows:

# Allow MySQL private Networking
sudo iptables -A OUTPUT -o eth1 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Yoel
  • Awesome! I just replaced with your rule set and it works. Just curious "is this rule set safe/secure?". Thanks! –  Oct 23 '14 at 15:45
  • Well, I think so, though I'm no expert. As a rule of thumb, it's better to allow new traffic to be initiated at the local machine than elsewhere. Also, it's always wise to restrict the allowed IP address range. For example, I would add the destination IP to the first rule. Same goes for the server - if you can restrict the incoming requests to a set of known IP addresses, do so. For more information, just google and learn. [This wiki](https://wiki.archlinux.org/index.php/simple_stateful_firewall) can be a good starting point. – Yoel Oct 23 '14 at 16:07
  • You can also change the default ports, though they can still be detected through tools like `nmap`. – Yoel Oct 23 '14 at 16:13
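To see why the first rule set hangs the client while the second one works, here is an added example (not from the question or the answer) that models the stateful matching of both rule sets against the TCP handshake of VM_1 connecting to VM_2:3306. It assumes a default DROP policy on INPUT and OUTPUT, treats the first packet of a flow as NEW and every later packet as ESTABLISHED, ignores interface names, and adds the destination-IP restriction suggested in the comments; the client port 45000 is a constructed value.

```python
# Added example: simplified model of the iptables rules above, not the
# original poster's code. Default policy is assumed DROP on both chains.
VM1, VM2 = "10.99.0.10", "10.99.0.12"

def rule(chain, src=None, dst=None, sport=None, dport=None, states=()):
    """Mirror of one `iptables -A <chain> ... -j ACCEPT` line (None = any)."""
    return dict(chain=chain, src=src, dst=dst, sport=sport, dport=dport,
                states=set(states))

# Original rule set from the question: port 3306 treated as VM_1's own port.
ORIGINAL = [
    rule("INPUT", src=VM2, dport=3306, states=("NEW", "ESTABLISHED")),
    rule("OUTPUT", sport=3306, states=("ESTABLISHED",)),
]
# Corrected rule set from the answer, plus the destination restricted to VM_2.
CORRECTED = [
    rule("OUTPUT", dst=VM2, dport=3306, states=("NEW", "ESTABLISHED")),
    rule("INPUT", src=VM2, sport=3306, states=("ESTABLISHED",)),
]

def matches(r, pkt):
    fields_ok = all(r[k] is None or r[k] == pkt[k]
                    for k in ("src", "dst", "sport", "dport"))
    return fields_ok and pkt["state"] in r["states"]

def accepted(rules, pkt):
    """With a DROP policy, a packet passes only if a rule in its chain matches."""
    return any(matches(r, pkt) for r in rules if r["chain"] == pkt["chain"])

def client_connect(rules, client_port=45000):
    """Walk VM_1's handshake to VM_2:3306; return the first dropped packet or None."""
    handshake = [
        # SYN from VM_1 leaves via OUTPUT; first packet of the flow, so NEW.
        dict(chain="OUTPUT", src=VM1, dst=VM2, sport=client_port, dport=3306, state="NEW"),
        # SYN/ACK from VM_2 arrives via INPUT; conntrack already knows the flow.
        dict(chain="INPUT", src=VM2, dst=VM1, sport=3306, dport=client_port, state="ESTABLISHED"),
        # Final ACK from VM_1 completes the handshake.
        dict(chain="OUTPUT", src=VM1, dst=VM2, sport=client_port, dport=3306, state="ESTABLISHED"),
    ]
    for pkt in handshake:
        if not accepted(rules, pkt):
            return pkt
    return None

if __name__ == "__main__":
    print("original rules drop:", client_connect(ORIGINAL))   # the outgoing SYN
    print("corrected rules drop:", client_connect(CORRECTED))  # None
```

With the original rules the very first outgoing SYN is dropped because the OUTPUT rule only matches source port 3306, which is why the client sits waiting forever rather than getting a refusal.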