Home / server / Questions / 191657
Accepted
Detritus Maximus
Asked: 2010-10-17 07:54:52 +0800 CST

IP tables modification to allow access to mysql on CENTOS 5 server

  • 772

CentOS 5.4, with IP tables stopped, I can do it. What's the line I need to add to IPtables so I can keep it on and have remote (domain) access to the mysql databases?

my current table:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.1.1/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
centos mysql iptables

3 Answers

  1. Best Answer

    Just using "-A" adds the rule to the end of the chain, and as mark suggested, this will put the mysql ACCEPT after the blanket REJECT; no packet will ever get to it.

    You can either edit the /etc/sysconfig/iptables file to add the line

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

    immediately after the line

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

    and then restart the iptables service, or you could manually do it with

    iptables -I RH-Firewall-1-INPUT 11 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

    which will put it in the same place, but need to be done after each reboot.

    • 4

  2. Try this:

    iptables -A INPUT -p tcp --destination-port 3306 -j ACCEPT
    • 1

  3. Depending on how your firewall is set up currently, you will optionally need the outgoing one and you also may need to fiddle with the order of the rules so that these come before any blanket REJECT or DROP rules you might already have.

    # for incoming
iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
# for outgoing
iptables -A OUTPUT -i eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
    • 0