albyh
asked on
IP Tables port blocking
I am trying to block all connections to the MySQL port 3306 on our server besides connections from one IP address. I managed to block all the traffic using the rule below through webmin on our server
Reject If protocol is TCP and destination port is 3306
I've also added the rule
Accept If protocol is TCP and source is 88.208.221.101 and destination port is 3306
However no matter which rule is first in the list it will not allow the specified server to connect.
ASKER
Yes I restarted the IP tables and it made no difference.
I've just tried setting up the rule
Reject If protocol is TCP and source is not 88.208.221.101 and destination port is 3306
but unfortunately that doesn't work either
Could you post all your current rules?
Either from webmin interface (a copy/paste or screenshot) or better in terminal issue command:
/sbin/iptables -L -nvx
ASKER
Chain INPUT (policy ACCEPT 121 packets, 11462 bytes)
pkts bytes target prot opt in out source destination
121 11462 PORTSEN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 88.208.221.101 0.0.0.0/0 tcp dpt:3306
0 0 REJECT tcp -- * * !88.208.221.101 0.0.0.0/0 tcp dpt:3306 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 153 packets, 138487 bytes)
pkts bytes target prot opt in out source destination
Chain PORTSEN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 59.56.111.79 0.0.0.0/0
0 0 LOG all -- * * 59.56.111.79 0.0.0.0/0 LOG flags 0 level 4 prefix `portsentry attack alert'
0 0 DROP all -- * * 205.209.161.228 0.0.0.0/0
0 0 LOG all -- * * 205.209.161.228 0.0.0.0/0 LOG flags 0 level 4 prefix `portsentry attack alert'
By the look of the counters it seems that all the packets were accepted by the firewall.
121 11462 PORTSEN all -- * * 0.0.0.0/0 0.0.0.0/0
121 packets (and 11462 bytes) were received by INPUT chain for processing.
Chain INPUT (policy ACCEPT 121 packets, 11462 bytes)
121 packets (11462 bytes) were ACCEPTED by the INPUT chain rules.
However if you did try to initiate a connection to port 3306 (after last change of rules) it is very strange that rules:
0 0 ACCEPT tcp -- * * 88.208.221.101 0.0.0.0/0 tcp dpt:3306
0 0 REJECT tcp -- * * !88.208.221.101 0.0.0.0/0 tcp dpt:3306 reject-with icmp-port-unreachable
have counts of 0 - no packet matched those rules.
Try to initiate a MySQL connection and see if these counters grow.
ASKER
Chain INPUT (policy ACCEPT 1022 packets, 97820 bytes)
pkts bytes target prot opt in out source destination
1025 98000 PORTSEN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 88.208.221.101 0.0.0.0/0 tcp dpt:3306
3 180 REJECT tcp -- * * !88.208.221.101 0.0.0.0/0 tcp dpt:3306 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1300 packets, 1391507 bytes)
pkts bytes target prot opt in out source destination
Chain PORTSEN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 59.56.111.79 0.0.0.0/0
0 0 LOG all -- * * 59.56.111.79 0.0.0.0/0 LOG flags 0 level 4 prefix `portsentry attack alert'
0 0 DROP all -- * * 205.209.161.228 0.0.0.0/0
0 0 LOG all -- * * 205.209.161.228 0.0.0.0/0 LOG flags 0 level 4 prefix `portsentry attack alert'
OK. Now the counters are nonzero:
0 0 ACCEPT tcp -- * * 88.208.221.101 0.0.0.0/0 tcp dpt:3306
3 180 REJECT tcp -- * * !88.208.221.101 0.0.0.0/0 tcp dpt:3306 reject-with icmp-port-unreachable
3 packets were received for port 3306 and were rejected since they did not come from IP 88.208.221.101.
Did you try from this IP (which should work) or did you test from some other IP? Is the IP written correctly?
ASKER
They were requests from a script on that server (88.208.221.101), the IP is definitely correct.
Perhaps there is some kind of NAT between the servers?
Try to LOG the packets to see what IP the request comes from:
Run chain LOG If protocol is TCP and destination port is 3306
Put this rule on top of other rules. Then (after trying the connection from 88.208.221.101) check log /var/log/messages for iptables entries. Post the relevant entries here - the entries are in the form:
Jul 1 6:14:13 servername kernel: IN=eth0 OUT= MAC= SRC=88.208.221.101 DST=88.208.221.154 LEN=233 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50234 DPT=3306 LEN=213
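As an added diagnostic helper (not code from the thread), the script below parses the two artefacts the expert asks for, the `iptables -L -nvx` counters and the kernel LOG lines from /var/log/messages, and reports whether the ACCEPT rule ever matched and which source addresses actually arrived on port 3306. The sample listing reuses the counters pasted above; the 10.0.0.5 log source is constructed to show what a NAT'd client would look like.

```python
import re

ALLOWED_SRC, MYSQL_PORT = "88.208.221.101", 3306  # the one client the thread wants to allow

# Constructed sample: the INPUT chain as `iptables -L -nvx` printed it in the thread.
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 1022 packets, 97820 bytes)
    pkts  bytes target   prot opt in  out source          destination
    1025  98000 PORTSEN  all  --  *   *   0.0.0.0/0       0.0.0.0/0
       0      0 ACCEPT   tcp  --  *   *   88.208.221.101  0.0.0.0/0   tcp dpt:3306
       3    180 REJECT   tcp  --  *   *   !88.208.221.101 0.0.0.0/0   tcp dpt:3306 reject-with icmp-port-unreachable
"""
# Constructed sample /var/log/messages lines in the quoted format; SRC=10.0.0.5 is made up (a NAT'd client).
LOG_LINES = """\
Jul 1 06:14:13 servername kernel: IN=eth0 OUT= MAC= SRC=10.0.0.5 DST=88.208.221.154 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50234 DPT=3306
Jul 1 06:14:20 servername kernel: IN=eth0 OUT= MAC= SRC=88.208.221.101 DST=88.208.221.154 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50235 DPT=3306
"""
# Columns: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+(.*)$")
LOG_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def port_rule_counters(listing, port):
    """Map (target, source) -> packet count for every rule that matches dpt:<port>."""
    counters = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and re.search(rf"\bdpt:{port}\b", m.group(5)):
            counters[(m.group(3), m.group(4))] = int(m.group(1))
    return counters


def logged_sources(log_text, port):
    """SRC addresses of kernel-logged TCP packets whose DPT is <port>."""
    srcs = []
    for line in log_text.splitlines():
        fields = dict(LOG_FIELD_RE.findall(line))
        if "kernel:" in line and fields.get("PROTO") == "TCP" and fields.get("DPT") == str(port):
            srcs.append(fields["SRC"])
    return srcs


def diagnose(listing, log_text, allowed=ALLOWED_SRC, port=MYSQL_PORT):
    """Combine both views: did the ACCEPT rule ever match, and who actually knocked?"""
    c = port_rule_counters(listing, port)
    accepted, rejected = c.get(("ACCEPT", allowed), 0), c.get(("REJECT", "!" + allowed), 0)
    others = sorted(set(logged_sources(log_text, port)) - {allowed})  # unexpected sources
    if accepted:
        return "accept-rule-matched"
    if rejected:
        return "rejected:" + (",".join(others) or "no-log-entries")
    return "no-port-traffic"
```

A result of `rejected:10.0.0.5` means the packets reached the box with a source other than the whitelisted one, which is exactly the NAT case the expert suspects.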
ASKER
I've checked the log /var/log/messages; it's logged the IP table changes, but how do I get it to log the port request?
Did you configure mysql to accept connections from the remote host as well?
You can run strace on the mysql process to see if it sees a connection request.
If I am not mistaken, the 3 packets were rejected.
Try using the source as 88.208.221.101/32 in the accept rule.
ASKER
Yeah, if the rules are set to accept then the MySQL requests come through no problem.
I've just tried adding the /32 but unfortunately that hasn't worked either :-(
ASKER
The problem was sorted by a server engineer.
Thanks for your help guys
Otherwise you could try with a single rule:
Reject If protocol is TCP and source is not 88.208.221.101 and destination port is 3306