Linux iptables: how to allow the MySQL port, NFS and SSHD

I need to configure the firewall on a RHEL-5 server which must allow the MySQL, NFS and SSHD ports.
How do I allow these clients to access the RHEL-5 server while no other ports are allowed?
tittuAsked:
Steven VonaCommented:
Can you post what you currently have in your Iptables?

iptables -L -v
tittuAuthor Commented:
I have disabled iptables; only then are the NFS clients able to access the server.
If iptables was enabled, access was denied to the NFS clients.
Steven VonaCommented:
Well, it seems NFS uses port 2049 TCP/UDP by default.

Running the following commands will allow NFS on your system (Must be run as root).

iptables -I INPUT -p tcp --dport 2049 -j ACCEPT
iptables -I INPUT -p udp --dport 2049 -j ACCEPT
infotactixCommented:
NFS uses a number of ports in addition to 2049 TCP & UDP, including portmap (111 TCP & UDP).

check here for info on configuring iptables for NFS: http://www.lowth.com/LinWiz/nfs_help.html

SSH and MySQL are a bit more straightforward, using ports 22 and 3306. It's a good idea to limit the source networks if you can (replace 0/0 with your network, e.g. 192.168.2.0/24). It's also good practice to control the responses as shown below.

# SSH incoming client request and response
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# MySQL incoming client request and response
# IP_NIC0 holds this server's own address on the client-facing interface; set it before running
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $IP_NIC0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Finally, to drop everything else, just add the following:
iptables -A INPUT -i lo -j ACCEPT   # keep loopback working; the catch-all below would otherwise drop it
iptables -A INPUT -s 0/0 -j DROP

Of course this is just the bare minimum. It's a good idea to have some rules preceding these to do a "sanity check" on incoming packets. This should include SYN flood checks, dropping malformed TCP packets (new-not-SYN, those with no TCP flags, or all flags, etc) and source IP spoofing checks among others.
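Putting the pieces of this thread together (Steven Vona's 2049 rules, the portmap and helper ports mentioned above, the SSH/MySQL rules, the catch-all drop and the sanity checks just described), here is an added example that is not code from the thread or from Red Hat: a script that emits the whole ruleset in the iptables-restore format RHEL 5 keeps in /etc/sysconfig/iptables, so the rules survive a `service iptables restart`. Inbound ESTABLISHED,RELATED is accepted once instead of the per-port `--sport` OUTPUT rules; that also covers NFS's UDP replies. The client network 192.168.2.0/24 and the helper-daemon ports 892, 662, 32803 and 32769 are assumptions; mountd, statd and lockd pick random ports unless you pin them in /etc/sysconfig/nfs, and a port-based firewall cannot allow them reliably until you do.

```shell
#!/bin/sh
# Added example (not code from the thread): build the ruleset discussed above
# as an iptables-restore file, the format RHEL 5 stores in /etc/sysconfig/iptables.
#
# Assumptions (not from the original post):
#   - clients are on one network, passed as $1 (e.g. 192.168.2.0/24);
#   - the NFS helper daemons have fixed ports in /etc/sysconfig/nfs
#     (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT); the values
#     892, 662, 32803 and 32769 below are placeholders used only when that
#     file does not set them.

gen_rules() {
    net="${1:-0.0.0.0/0}"
    if [ -r /etc/sysconfig/nfs ]; then
        . /etc/sysconfig/nfs      # picks up the pinned helper ports, if set
    fi
    nfs_ports="111 2049 ${MOUNTD_PORT:-892} ${STATD_PORT:-662} ${LOCKD_TCPPORT:-32803} ${LOCKD_UDPPORT:-32769}"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local RPC and MySQL socket clients break
-A INPUT -i lo -j ACCEPT
# sanity checks first: anything from 127/8 that got past the lo rule above
# came in on a real interface (spoofed); a NEW TCP connection must start
# with SYN; no flags or all flags set means a scan or a malformed packet
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# replies to connections this host already accepted (replaces per-port
# --sport OUTPUT rules and also covers UDP replies to NFS clients)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH and MySQL: new connections from the client network only
-A INPUT -p tcp -s $net --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s $net --dport 3306 -m state --state NEW -j ACCEPT
# NFS: portmap (111), nfsd (2049) and the pinned helper ports, TCP and UDP
EOF
    for p in $nfs_ports; do
        printf '%s\n' "-A INPUT -p tcp -s $net --dport $p -m state --state NEW -j ACCEPT"
        printf '%s\n' "-A INPUT -p udp -s $net --dport $p -j ACCEPT"
    done
    # anything not matched above falls through to the INPUT chain's DROP policy
    printf 'COMMIT\n'
}

# Count the INPUT rules that accept a given destination port in the
# generated file; useful for checking the output before loading it.
accept_rules_for_port() {
    gen_rules "$1" | grep -c -- "--dport $2 .*-j ACCEPT"
}

# Usage (as root, on the server):
#   gen_rules 192.168.2.0/24 > /etc/sysconfig/iptables
#   service iptables restart
#   iptables -L INPUT -n -v     # verify the loaded rules
#   rpcinfo -p                  # confirm mountd/statd/lockd sit on the pinned ports
```

Load the output with `service iptables restart` rather than pasting individual `iptables` commands, so a reboot does not silently revert to the old ruleset; then test from a client with `showmount -e` and a `mysql -h` connection, and check `rpcinfo -p` on the server to confirm the helper daemons really use the ports the file opens.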

infotactixCommented:
If you're not ready to roll up your sleeves and create your iptables rules the old fashioned way, you could try using the built-in security configuration tool.

As root, run "system-config-securitylevel", choose SSH and NFS4 as trusted services, and add 3306:tcp under the "Other ports" section.

There's a good overview of this in the RHEL 5 docs available here.
tittuAuthor Commented:
I need SELinux as well, with NFS and SSH.
infotactixCommented:
I'm not sure, but I think that going the system-config-securitylevel route may take care of SELinux as well.
tittuAuthor Commented:
working